CopperDroid: On Reconstructing Android Malware Behaviors

Lorenzo Cavallaro

With more than 500 million activations reported in Q3 2012, Android mobile devices are becoming ubiquitous, and current trends suggest this growth is unlikely to slow down. App stores, such as Google Play, drive the entire economy of mobile applications. Unfortunately, high turnover and access to sensitive data soon attracted the interest of cybercriminals as well, and malware is now hitting Android devices at an alarming and rising pace.

In this talk I present CopperDroid, an approach built on top of QEMU to automatically perform out-of-the-box dynamic behavioral analysis of Android malware. To this end, CopperDroid presents a unified analysis that characterizes both low-level OS-specific and high-level Android-specific behaviors. Based on the observation that such behaviors are ultimately achieved through the invocation of system calls, CopperDroid's VM-based, system call-centric dynamic analysis faithfully describes the behavior of Android malware whether it is initiated from Java, JNI, or native code execution.

We carried out extensive experiments to assess the effectiveness of our analyses on three different Android malware data sets: one of more than 1,200 samples belonging to 49 Android malware families (Android Malware Genome Project), one containing about 400 samples over 13 families (Contagio project), and a last one, previously unanalyzed, made of more than 1,300 samples provided by McAfee. Our experiments show that CopperDroid's unified system call-based analysis faithfully describes OS- and Android-specific behaviors, and that a proper malware stimulation strategy (e.g., sending SMS, placing calls) successfully discloses additional behaviors in a non-negligible portion of the analyzed malware samples.
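The core observation above, that file, network, and Android IPC behaviors all surface as system calls regardless of whether Java, JNI, or native code issued them, can be illustrated with a small behavior reconstructor. The following is an added example written for this page, not CopperDroid's own code: it parses a constructed strace-style trace (the Binder transaction is shown already decoded into a target/code pair, which a real tool would have to extract from the binary ioctl payload), drops failed calls, and maps successful ones to coarse behavior labels per process.

```python
import re
from collections import defaultdict

# Constructed strace-style trace (not real CopperDroid output). The Binder
# ioctl is shown with a pre-decoded payload for brevity; real payloads are binary.
SAMPLE_TRACE = """\
1042 openat(AT_FDCWD, "/data/data/com.example.app/files/c.txt", O_WRONLY|O_CREAT) = 5
1042 write(5, "cfg", 3) = 3
1042 open("/system/app/x.apk", O_WRONLY) = -1 EACCES (Permission denied)
1042 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
1042 connect(6, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("198.51.100.7")}) = 0
1042 ioctl(4, BINDER_WRITE_READ, {target="isms", code=sendText}) = 0
1042 read(5, "", 3) = 0
"""

# pid name(args) = ret ; greedy args match backtracks to the last ')' before '='
LINE_RE = re.compile(r'^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)')

def parse_line(line):
    """Split one trace line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"pid": int(m["pid"]), "name": m["name"], "args": m["args"], "ret": m["ret"]}

def classify(call):
    """Map a single successful syscall to a (behavior, detail) pair, or None."""
    name, args = call["name"], call["args"]
    if name in ("open", "openat") and ("O_WRONLY" in args or "O_RDWR" in args):
        return ("fs_write", re.search(r'"([^"]+)"', args).group(1))
    if name == "connect":
        ip = re.search(r'inet_addr\("([^"]+)"\)', args)
        port = re.search(r'htons\((\d+)\)', args)
        if ip and port:
            return ("net_connect", f"{ip.group(1)}:{port.group(1)}")
    if name == "ioctl" and "BINDER_WRITE_READ" in args:
        target = re.search(r'target="([^"]+)"', args)
        code = re.search(r'code=(\w+)', args)
        if target and code:
            return ("binder_ipc", f"{target.group(1)}.{code.group(1)}")
    return None

def reconstruct(trace):
    """Return {pid: [(behavior, detail), ...]} in trace order; failed calls are dropped."""
    behaviors = defaultdict(list)
    for raw in trace.splitlines():
        call = parse_line(raw.strip())
        if call is None or call["ret"].startswith("-"):
            continue  # unparseable line or syscall that returned an error
        label = classify(call)
        if label:
            behaviors[call["pid"]].append(label)
    return dict(behaviors)
```

Running `reconstruct(SAMPLE_TRACE)` yields one file write, one outbound connection, and one Binder call to the SMS service for PID 1042, while the denied open of the system APK is correctly left out.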

Speaker's Bio

Lorenzo "Gigi Sullivan" Cavallaro was raised in a fantastic epoch where information and knowledge were meant for those who were just curious enough. He grew up on pizza, spaghetti, Phrack (do "Smashing the Stack for Fun and Profit" and "IP Spoofing Demystified" ring a bell?), and TCP/IP Illustrated. Academic and underground research interests followed shortly thereafter, and he has never stopped wondering and having fun ever since.

Lorenzo has recently joined the Information Security Group (ISG) at Royal Holloway, University of London as a Lecturer (Assistant Professor) of Information Security. His research interests focus on systems security and on malware analysis and detection. Before joining the ISG, Lorenzo was a Post-Doc at VU Amsterdam working on systems dependability (Prof. A. S. Tanenbaum) and on malware analysis and memory errors (Prof. H. J. Bos). He was also a Post-Doc at UC Santa Barbara (UCSB), working on botnet analysis and detection (Profs. C. Kruegel and G. Vigna). At UCSB, Lorenzo co-authored "Your Botnet is My Botnet: Analysis of a Botnet Takeover", which reports on the team's efforts in taking over a real-world botnet (ACM CCS & UCSB CS Outstanding Publication Award). During his PhD, Lorenzo was a long-term visiting PhD scholar at Stony Brook University working on memory errors and taint analysis (Prof. R. Sekar).

Lorenzo is a co-Investigator on the 3.5-year EPSRC- and GCHQ-funded grant EP/K006266/1 "Cyber Security Cartographies (CySeCa)" (Oct 2012–Mar 2016) and Principal Investigator on the 3-year EPSRC-funded CEReS grant EP/K033344/1 "Mining the Network Behavior of Bots" (Jun 2013–May 2016). He is author and co-author of several papers, has published in top and well-known venues (e.g., RAID, ACM CCS, ACSAC, DIMVA, HotDep, DSN), and has served as PC member and reviewer for various conferences and journals. He is Program co-Chair of WISTP 2013, and will deliver "Malicious Software and its Underground Economy: Two Sides to Every Story", a short Coursera course (counting 22,000+ enrolled students), in June 2013.