| Abstract | Smart mobile devices process and store a vast amount of
security- and privacy sensitive data. To protect this data from mali-
cious applications mobile operating systems, such as Android, adopt fine-
grained access control architectures. However, related work has shown
that these access control architectures are susceptible to application-
layer privilege escalation attacks. Both automated static and dynamic
program analysis promise to proactively detect such attacks. Though
while state-of-the-art static analysis frameworks cannot adequately ad-
dress native and highly obfuscated code, dynamic analysis is vulnerable
to malicious applications using logic bombs to avoid early detection.
In contrast, the long-term observation of application behavior could help
users and security analysts better understand malicious apps. In this pa-
per we present the design and implementation of DroidAuditor, which
observes application behavior on real Android devices and generates a
graph-based representation. It visualizes this behavior graph, which en-
ables users to develop an intuitive understanding of application inter-
nals. Our solution further allows security analysts to query the behavior
graph for malicious patterns. We present the design of the DroidAudi-
tor framework and instantiate it using the Android Security Modules
(ASM) access control architecture. We evaluate its capability to detect
application-layer privilege escalation attacks, such as confused deputy
and collusion attacks. In addition, we demonstrate how our architecture
can be used to analyze malicious spyware applications. |
|---|
