DroidAuditor: Forensic Analysis of Application-Layer Privilege Escalation Attacks on Android

Author: Heuser, Stephan; Negro, Marco; Pendyala, Praveen Kumar; Sadeghi, Ahmad-Reza
Abstract: Smart mobile devices process and store a vast amount of security- and privacy-sensitive data. To protect this data from malicious applications, mobile operating systems such as Android adopt fine-grained access control architectures. However, related work has shown that these access control architectures are susceptible to application-layer privilege escalation attacks. Both automated static and dynamic program analysis promise to proactively detect such attacks. Yet state-of-the-art static analysis frameworks cannot adequately address native and highly obfuscated code, while dynamic analysis is vulnerable to malicious applications that use logic bombs to avoid early detection. In contrast, the long-term observation of application behavior could help users and security analysts better understand malicious apps. In this paper we present the design and implementation of DroidAuditor, which observes application behavior on real Android devices and generates a graph-based representation. It visualizes this behavior graph, which enables users to develop an intuitive understanding of application internals. Our solution further allows security analysts to query the behavior graph for malicious patterns. We present the design of the DroidAuditor framework and instantiate it using the Android Security Modules (ASM) access control architecture. We evaluate its capability to detect application-layer privilege escalation attacks, such as confused deputy and collusion attacks. In addition, we demonstrate how our architecture can be used to analyze malicious spyware applications.
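The abstract describes querying an observed behavior graph for application-layer privilege escalation. The following is an added illustration of what such a query looks like; it is not DroidAuditor's code, and the graph schema (apps with granted permissions, permission-protected resources, observed ICC edges and resource accesses), the class name `BehaviorGraph`, and the sample apps are all assumptions constructed for this example. The query reports every app that reaches a permission-protected resource through a chain of ICC calls without holding the permission itself; whether the intermediary is an unwitting confused deputy or a colluding partner is a judgement the analyst makes from the reported path.

```python
from collections import defaultdict, deque


class BehaviorGraph:
    """Directed graph of observed application behavior (assumed schema).

    Nodes are applications and permission-protected resources. Edges record
    observed inter-component communication (ICC) from one app to another and
    observed accesses by an app to a resource.
    """

    def __init__(self):
        self.perms = {}                  # app -> set of granted permissions
        self.required = {}               # resource -> permission it requires
        self.icc = defaultdict(set)      # app -> apps it sent ICC messages to
        self.access = defaultdict(set)   # app -> resources it accessed

    def add_app(self, app, permissions=()):
        self.perms[app] = set(permissions)

    def add_resource(self, resource, permission):
        self.required[resource] = permission

    def add_icc(self, src, dst):
        self.icc[src].add(dst)

    def add_access(self, app, resource):
        self.access[app].add(resource)

    def find_privilege_escalation(self):
        """Return (app, path, resource, permission) for every app that lacks
        `permission` but reaches `resource` transitively through ICC calls.

        Direct accesses by the app itself are not reported: the OS permission
        check covers those. Only paths of length > 1 (at least one hop) count.
        """
        findings = []
        for app in self.perms:
            # Breadth-first search over ICC edges, keeping the path to each node
            # so the analyst can see which intermediaries were involved.
            queue = deque([(app, [app])])
            seen = {app}
            while queue:
                node, path = queue.popleft()
                if len(path) > 1:
                    for resource in self.access.get(node, ()):
                        perm = self.required.get(resource)
                        if perm is not None and perm not in self.perms[app]:
                            findings.append((app, path, resource, perm))
                for nxt in self.icc.get(node, ()):
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append((nxt, path + [nxt]))
        return findings


def build_sample_graph():
    """Constructed sample observation, not real device data."""
    g = BehaviorGraph()
    g.add_resource("SMS_PROVIDER", "READ_SMS")
    g.add_resource("LOCATION_SERVICE", "ACCESS_FINE_LOCATION")
    g.add_app("com.example.game")                              # holds no permissions
    g.add_app("com.example.smsbridge", ["READ_SMS"])           # reads SMS on request
    g.add_app("com.example.maps", ["ACCESS_FINE_LOCATION"])
    g.add_app("com.example.weather", ["ACCESS_FINE_LOCATION"])
    g.add_app("com.example.launcher")                          # holds no permissions
    # Observed ICC and resource accesses.
    g.add_icc("com.example.game", "com.example.smsbridge")
    g.add_access("com.example.smsbridge", "SMS_PROVIDER")
    g.add_icc("com.example.weather", "com.example.maps")       # caller already has the permission
    g.add_access("com.example.maps", "LOCATION_SERVICE")
    g.add_icc("com.example.launcher", "com.example.game")      # two-hop chain to SMS
    return g


if __name__ == "__main__":
    for app, path, resource, perm in build_sample_graph().find_privilege_escalation():
        print(f"{app} reaches {resource} (needs {perm}) via {' -> '.join(path)}")
```

On the sample, the weather app's call into the maps app is not reported because the caller already holds ACCESS_FINE_LOCATION; the game reaches the SMS provider in one hop, and the launcher reaches it in two hops through the game, which is the kind of transitive chain that a per-call permission check never sees.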
Series: Technical Report
Publisher: Technische Universität