Jariwala, Dhruv (2014) Identification of Malicious Android Applications using Kernel Level System Calls. Masters thesis, Concordia University.
Abstract
With the advancement of technology, smartphones are gaining popularity by increasing their computational power and incorporating a large variety of new sensors and features that application developers can use to improve the user experience. On the other hand, this widespread use of smartphones and their increased capabilities have also attracted the attention of malware writers, who shifted their focus from the desktop environment and started creating malware dedicated to smartphones. With about 1.5 million Android device activations per day and billions of application installations from the official Android market (Google Play), Android is becoming one of the most widely used operating systems for smartphones and tablets. Most of the threats for Android come from applications installed from third-party markets, which lack proper mechanisms to detect malicious applications that can leak users' private information, send SMS to premium numbers, or get root access to the system.
In this thesis, our work is divided into two main components. In the first one, we provide a framework to perform off-line analysis of Android applications using static and dynamic analysis approaches. In the static analysis phase, we decompile the analyzed application and extract the permissions from its ‘AndroidManifest’ file. In the dynamic analysis phase, we execute the target application on an Android emulator, where the ‘strace’ tool is used to hook the system calls of the ‘zygote’ process and record all the calls invoked by the application. The features extracted by both the static and dynamic analysis modules are then used to classify the tested applications using a variety of classification algorithms.
In the second part, our aim is to provide real-time monitoring of the behavior of Android applications and to alert users to applications that violate a predefined security policy by trying to access private information such as GPS locations and SMS-related information. To achieve this, we use a loadable kernel module for tracking the kernel-level system calls.
The effectiveness of the developed prototypes is confirmed by testing them on popular applications collected from F-Droid, and on malware samples obtained from third-party sources and from the Android Malware Genome Project dataset.
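The first component combines manifest permissions (static) with strace-recorded system calls (dynamic) into features for a classifier. The following is an added illustration of that feature extraction, not code from the thesis: it parses a constructed AndroidManifest fragment and constructed `strace -f -tt` style output, and builds a fixed-order feature vector; the permission and syscall lists passed to `feature_vector` are assumptions chosen for the example.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample manifest (not taken from any analyzed application).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

# Constructed strace-style lines (pid, timestamp, call); not a real capture.
SAMPLE_STRACE = """\
1234  10:00:01.000001 openat(AT_FDCWD, "/data/data/com.example.app/files/cfg", O_RDONLY) = 3
1234  10:00:01.000002 read(3, "abc", 3) = 3
1234  10:00:01.000003 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
1234  10:00:01.000004 connect(4, {sa_family=AF_INET, ...}, 16) = 0
[pid  1235] 10:00:01.000005 sendto(4, "GET / HTTP/1.1", 14, 0, NULL, 0 <unfinished ...>
[pid  1235] 10:00:01.000006 <... sendto resumed> ) = 14
1234  10:00:01.000007 read(3, "", 3) = 0
1234  10:00:01.000008 +++ exited with 0 +++
"""

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
# Optional "[pid N]" or "N" prefix, optional HH:MM:SS[.usec] timestamp, then the call name.
SYSCALL_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?([a-z_][a-z0-9_]*)\(")

def manifest_permissions(xml_text):
    """Static feature source: permission names declared via <uses-permission>."""
    root = ET.fromstring(xml_text)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission") if el.get(ANDROID_NAME)}

def syscall_counts(strace_text):
    """Dynamic feature source: calls per name. '<... resumed>' and '+++ exited'
    lines do not match the pattern, so an interrupted call is counted once."""
    counts = Counter()
    for line in strace_text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def feature_vector(xml_text, strace_text, perm_names, call_names):
    """Fixed-order vector: 1/0 per watched permission, then a count per watched syscall."""
    perms = manifest_permissions(xml_text)
    calls = syscall_counts(strace_text)
    return [1 if p in perms else 0 for p in perm_names] + [calls[c] for c in call_names]
```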
| Field | Value |
|---|---|
| Divisions | Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering |
| Item Type | Thesis (Masters) |
| Authors | Jariwala, Dhruv |
| Institution | Concordia University |
| Degree Name | M.A. Sc. |
| Program | Information Systems Security |
| Date | 23 October 2014 |
| Thesis Supervisor(s) | Youssef, Amr |
| ID Code | 979140 |
| Deposited By | DHRUV MUKESHCHA JARIWALA |
| Deposited On | 13 Jul 2015 13:21 |
| Last Modified | 18 Jan 2018 17:48 |