CPMDroid: Analysis of Contextualized Permission Usage for Malicious App Detection in Android

Second best poster award

Introduction

Today, Android is confirmed as the most popular operating system, with a market share exceeding 70% and nearly three million applications on the Play StoreTM, which collectively count tens of billions of downloads each year1 . However, on the same store, many malicious apps are also available that attempt to steal users' data from their smartphones without their awareness[1]. These apps, classified as malware with malicious goals targeting sensitive data, are installed unintentionally by users directly from the Official Google Play StoreTM. Users are unconscious of the malicious behaviors that these apps attempt since they entrust the google security mechanism aimed at unpublish them. According to data, every day in 2019, there were almost 350,000 malware detections, and a new infection was created every seven seconds2 . These findings unequivocally show the damage and danger smartphone users and businesses face. Therefore, it is crucial to have strong defenses against malicious behaviors. On the Google Play StoreTM, 36 new Android apps were infected with malware and adware in 2022. They have around 10 million downloads, and some are still accessible on the store. The apps' secondary objectives in every instance involve hijacking social network accounts, displaying intrusive adverts, enrolling the user in premium services, or, more in general, acquiring user data to profile them. To aim these goals, malicious developers misuse the Android permission model, requesting uncontextualized resource usage [2]. This is because one of the main weaknesses of the permission manager currently in use in Android is that approving a single permission request usually automatically enables to the entire application to inherit that permission globally. That means that once an app is granted access to the camera, it is allowed to access the resource without needing additional further approval in the near future and, potentially, even in background. For example, an application may present itself as a simple SMS manager. However, it exploits the SMS permission group to send messages to third-party sites in the background to secretly subscribe users to premium mobile services using the Android Joker malware. In this paper, we introduce CPMdroid, a tool that helps identify the uses of resources with restricted access. We created a dynamic logging system that tracks user actions and links them to the requested functionality. The objective is to determine whether published applications use the scenario mentioned above. Using our tool, we can collect valuable data for detecting unexpected behaviors. Once the monitored application has launched, CPMdroid can record both system's calls to the access control and validation mechanism and all user activities taken at the interface level (independent of whether they exploit one or more permissions). The tool also takes a screenshot of each of these events, making it easier to identify and reconstruct the various usage scenarios retrospectively. Last but not least, the tool creates two exhaustive logs at the end of the app execution, one listing all usergenerated events and the other listing all permissions accessed by the app, allowing us to determine, using timestamps, which activities led to access to crucial resources.

Related works

Two strategies [3,4] are applied at a high level to perform analysis as part of the malware detection process. The first is a static analysis that examines the app's source code without launching it. This analysis focuses on comprehending the code's structure and functionality [5] it provides. Although this analysis method is effective, it can only identify known malware and cannot offer protection against zero-day risks. Additionally, malware that employs obfuscation cannot be detected using this method, and these tools need preliminary steps to work correctly. They first require APK decompilation and subsequent repackaging (which, of course, is done using a different signature than the original, implying a whole host of significant drawbacks, like the inability to update the application from the official Store directly). An example was given by Yang, that proposed a static analysis tool establishing the malicious behavior by extracting the context related to security-sensitive events[6]. In order to define the behavior of the application and identify malicious features using a classifier based on machine learning methods, W. Wang retrieved static characteristics from the application, such as permissions and API calls [7]. A. Pektaş collected the API call sequences using static analysis tools, and using deep learning methods, they built the detection model [8]. Static analysis can detect the malicious behavior of an application at a low cost. However, in static analysis is challenging to detect applications that use anti-detection techniques to hide malicious behavior, such as malicious dynamic code loading, code obfuscation, and reflection. In addition to restrictions relating to code obfuscation already mentioned, these approaches may be unable to identify any stealth API-sensitive uses (i.e., occurring without first confirming that the program has the appropriate permissions but directly handling any SecurityException with a simple try-catch). Even if permission is denied, the program will still function correctly without crashing or alerting the user to attempt to access sensitive information. In contrast, the dynamic analysis tracks the app's actions as it is being used. Dynamic analysis can also identify unknown malware by collecting data from monitoring. Wang built detection models using characteristics of HTTP packets and TCP flows to analyze the behavior of malicious applications by gathering network traffic while the applications were being executed [9]. However, they only considered permissions and network traffic data as criteria for detecting malware. Malware could violate users' privacy by also acquiring location data, audio records and even performing actions on the device's external storage. Bhatia et al. proposed a dynamic system aimed at detecting the behavior of android applications by analyzing the frequency of system calls made during their runtime [10]. They focus on classifying the behavior of android applications as malicious or non-malicious using the aggregated system calls as a feature set comprising all the applications that may or may not belong to the same family. However, they focused on system call stack trace without tracking user events on the UI, not contextualizing the actions that led to the malicious behavior. In order to identify malware, Li proposed a hybrid analysis technique in which the characteristics are mainly composed of both static data and dynamic runtime traffic queries [11]. This method requires much time and cannot detect malware that has employed anti-detection measures. The drawback of this type of investigation is that it uses many resources, which are typically unsuitable for mobile devices [12]. Unlike the abovementioned approaches, our tool can observe application behaviors without burdening smartphone resources. In addition, an application may not necessarily contain malware, but it may still have malicious behaviors or behaviors outside regular permission usage. This could be due to programming errors or design choices. For example, an instant transcription app might record audio before activating the recording feature to configure the language, or a fitness app might require location before starting a workout. While these are non-malicious behaviors within legitimate apps, they could be malware. Therefore, it would be appropriate to notify the user of the out-of-context use of the resource.

Esperimental design

In this paper, we want to assess the effectiveness of adopting the usage context to discriminate between different kinds of access to the same sensitive resource to detect malicious behaviors in malware apps. To this aim, we developed CPMdroid, a tool to monitor the execution of mobile applications using specific device resources that need dangerous permissions to be accessed and support linking resource usage and the access context. We define the usage context as a combination of the feature the app is executing and the actions performed on UI (made by the user or by the app behavior at runtime). CPMdroid Analyzer is thus a dynamic analysis tool that, when installed as an Xposed module on the Android device/emulator, allows obtaining helpful information in identifying the contexts in which permissions have been used, isolating permission usage to the identified contexts. This allows us to identify whether the running application is using permissions that have nothing to do with what is shown on the screen. Once the monitored application is started, CPMdroid Analyzer starts tracking any access to resources that require dangerous permission at the system level (e.g., the camera, microphone, storage, or location) through a dynamic injection mechanism based on hooking and callback techniques. These include all the actions performed by the user at the interface level and any system call to the access control and validation mechanism. Our approach allows the semi-automatic identification and a posteriori analysis of the usage contexts. To execute a completely automatic analysis, without the user interaction, the tool can be configured to execute random UI interactions on apps and observe the app’s Android permission requests. In both cases, CPMdroid automatically associates the observed permission requests and UI actions to categorize each resource used within its own context.

Evaluation

We conducted a preliminary study to determine the feasibility of our method for identifying malicious behaviors based on usage contexts concerning the use of sensitive device features, i.e., those features that require explicit user authorization before being accessed. We analyzed 7 malware apps identified in 2022 and downloadable from the Google Play StoreTM. The malicious behaviors of these apps are well-known, this helped us identify whether CPMdroid could contextualize malicious functionality within these apps. We ran each app on an Android emulator executing the actions on the GUI that would lead to the execution of the malicious functionality. In all apps, the tool allowed us to identify the context in which the malicious behavior was occurring by highlighting the usage number of dangerous permissions. The tool's outcomes have been evaluated by examining the log, screenshots, and screen records of the 7 apps; the details of some identified behaviors are shown below:

• Codice Fiscale 2022 was downloaded in Italy thousands of times without users realizing its danger. It calculates taxes by asking us to access SMS to manage our account, but it hides the Sharkboat banking trojan capable of stealing personal data and SMS. Once downloaded and opened, the app prompts the download of an update, whereby the installation of the malware inside our smartphone takes place. CPMdroid identified uses of permissions to read user data and handle SMS (the latter mainly to track 2FA codes) in contexts where these permissions did not make sense. Finally, the app accesses the Internet to send user data to a remote server.

• With over 100,000 downloads, the apparently harmless and helpful Symoo app generates fake accounts once it is started. This app presents itself as an advanced SMS client for Android. In reality, it hides Android Joker malware that generates fake accounts[13]. The app requires access to send and read SMS messages when installed on any device. The first screen asks the user to provide his or her phone number. This request, at first, does not seem strange because it is a selfproclaimed "easy-to-use" SMS app. In reality, however, this permission starts its fraudulent processes. Then a new screen overlays the previous one, identified by CPMdroid, which generates numerous requests for SMS access. As time passes, despite the procedure's progress, the process is too long. Meanwhile, this allows the malware to send multiple 2FA SMS remotely to create accounts on various services.

• Another app analyzed was Process Manager. The app tricks the user into granting itself as many as 18 permissions. It can track precise location, record audio from the device, access files, read messages, access the camera, and modify some device settings. CPMdroid allowed us to identify these permissions while the app showed a list of processes on the GUI but simultaneously accessed write permission, recording audio, and accessing the location.

• CLEANit claims to be a junk file cleaner with millions of downloads on the Play StoreTM. The app not only needs a ton of permissions but also advertises services that are frivolous in modern Android devices with powerful hardware. The app in question is supposed to clean and optimize the device. However, via CPMdroid, we detected the use of permissions such as location access, multiple writes and reads to the device's external storage, and internet access (probably to send and download data).

Conclusion and future works

The results confirm that malicious behavior is related to the context of resource use. This allows us to identify malicious apps by observing the relationship between user events on the GUI and uses of sensitive resources. In future work, we plan to conduct a large-scale analysis of the malicious apps published in the Play StoreTM. In addition, while in this work we aimed to analyze what was happening during the execution of an app, in the future, we want to implement a system that can notify the user that the app is accessing a resource in a different context than the one in which the permission was already authorized. In this way, we create a fine-grained system of permission management that would avoid checks by antimalware and limit the use of the app to only lawful functionality.

Bibliography

1) M. Rahman, M. Rahman, B. Carbunar and D. H. Chau, "Search Rank Fraud and Malware Detection in Google Play," in IEEE Transactions on Knowledge and Data Engineering, vol. 29, no. 6, pp. 1329-1342, 1 June 2017, doi: 10.1109/TKDE.2017.2667658.
2) YANG, J., TANG, J., YAN, R. and XIANG, T. (2022), Android Malware Detection Method Based on Permission Complement and API Calls. Chinese Journal of Electronics, 31: 773-785. 2022. doi: https://doi.org/10.1049/cje.2020.00.217
3) Faruki, P.; Bharmal, A.; Laxmi, V.; Ganmoor, V.; Gaur, M.S.; Conti, M.; Rajarajan, M. Android security: A survey of issues, malware penetration, and defenses. IEEE Commun. Surv. Tutor. 2014, 17, 998–1022. DOI: 10.1109/COMST.2014.2386139
4) Yan, P.; Yan, Z. A survey on dynamic mobile malware detection. Softw. Qual. J. 2018, 26, 891–919. DOI: https://doi.org/10.1007/s11219-017-9368-4
5) Omer, M.A.; Zeebaree, S.R.; Sadeeq, M.A.; Salim, B.W.; Mohsin, S.; Rashid, Z.N.; Haji, L.M. Efficiency of malware detection in android system: A survey. Asian J. Res. Comput. Sci. 2021, 2, 59–69. DOI: 10.9734/ajrcos/2021/v7i430189
6) W. Yang, X. Xiao, B. Andow, et al., “AppContext: Differentiating malicious and benign mobile app behaviors using context,” in Proceedings of IEEE/ACM 37th IEEE International Conference on Software Engineering, Florence, Italy, pp.303–313, 2015.
7) W. Wang, Y. Li, X. Wang, et al., “Detecting Android malicious apps and categorizing benign apps with ensemble of classifiers,” Future Generation Computer Systems, vol.78, pp.987–994, 2018.
8) A. Pektaş and T. Acarman, “Learning to detect Android malware via opcode sequences,” Neurocomputing, vol.396, pp.599–608, 2020.
9) S. Wang, Z. Chen, L. Zhang, et al., “TrafficAV: An effective and explainable detection of mobile malware behavior using network traffic,” in Proceedings of IEEE/ACM 24th International Symposium on Quality of Service (IWQoS), Beijing, China, pp.1–6, 2016.
10) Bhatia, Taniya Kaushal, Rishabh. (2017). Malware detection in android based on dynamic analysis. 1-6. 10.1109/CyberSecPODS.2017.8074847.
11) J. Li, Z. Wang, T. Wang, et al., “An android malware detection system based on feature fusion,” Chinese Journal of Electronics, vol.27, no.6, pp.1206–1213, 2018.
12) Ehsan, Adeel et al. “Detecting Malware by Analyzing App Permissions on Android Platform: A Systematic Literature Review.” Sensors (Basel, Switzerland) vol. 22,20 7928. 18 Oct. 2022, doi:10.3390/s22207928
13) C. Shi, C. C. -C. Cheng and Y. Guan, "Forensic Analysis on Joker Family Android Malware," 2021 17th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), 2021, pp. 403-406, doi: 10.1109/WiMob52687.2021.9606310.