Identification of Malicious Android Applications using Kernel Level System Calls


Jariwala, Dhruv (2014) Identification of Malicious Android Applications using Kernel Level System Calls. Masters thesis, Concordia University.

Text (application/pdf): Jariwala_MASc_S2015.pdf - Accepted Version


With the advancement of technology, smartphones are gaining popularity by increasing their computational power and incorporating a large variety of new sensors and features that application developers can use to improve the user experience. On the other hand, this widespread use of smartphones and their increased capabilities have also attracted the attention of malware writers, who have shifted their focus from the desktop environment and started creating malware dedicated to smartphones. With about 1.5 million Android device activations per day and billions of application installations from the official Android market (Google Play), Android is becoming one of the most widely used operating systems for smartphones and tablets. Most of the threats to Android come from applications installed from third-party markets, which lack proper mechanisms to detect malicious applications that can leak users' private information, send SMS messages to premium numbers, or gain root access to the system.

In this thesis, our work is divided into two main components. In the first one, we provide a framework to perform off-line analysis of Android applications using static and dynamic analysis approaches. In the static analysis phase, we decompile the analyzed application and extract the permissions from its ‘AndroidManifest’ file. In the dynamic analysis phase, we execute the target application on an Android emulator, where the ‘strace’ tool is used to hook the system calls of the ‘zygote’ process and record all the calls invoked by the application. The features extracted by both the static and dynamic analysis modules are then used to classify the tested applications using a variety of classification algorithms.

In the second part, our aim is to provide real-time monitoring of the behavior of Android applications and to alert users to applications that violate a predefined security policy by trying to access private information such as GPS locations and SMS-related information. To achieve this, we use a loadable kernel module to track the kernel-level system calls.

The effectiveness of the developed prototypes is confirmed by testing them on popular applications collected from F-Droid, and on malware samples obtained from third-party sources and the Android Malware Genome Project dataset.
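The dynamic-analysis pipeline described above (record the system calls an application invokes, turn them into features for a classifier, and check them against a policy on private-data access) can be illustrated with a small offline parser. The code below is an added example written for this page; it is not code from the thesis or its prototypes. It assumes strace's default `pid syscall(args) = ret` line format, the sample trace lines are constructed, the path prefix used as the "SMS" policy rule is an assumption standing in for whatever rules the thesis's security policy defines, and the function names (`parse_trace`, `syscall_histogram`, `feature_vector`, `policy_violations`) are hypothetical.

```python
import re
from collections import Counter

# Constructed strace-style output in the "<pid> <syscall>(<args>) = <ret>" format.
# These lines are made up for this example; they are not captured from the thesis.
SAMPLE_TRACE = """\
1234 openat(AT_FDCWD, "/data/data/com.example.app/files/cache.db", O_RDWR) = 12
1234 read(12, "...", 4096) = 512
1234 openat(AT_FDCWD, "/data/data/com.android.providers.telephony/databases/mmssms.db", O_RDONLY) = 13
1234 read(13, "...", 4096) = 4096
1234 sendto(15, "...", 4096, 0, NULL, 0) = 4096
1234 close(13) = 0
1234 openat(AT_FDCWD, "/proc/1234/maps", O_RDONLY) = -1 EACCES (Permission denied)
+++ exited with 0 +++
"""

# One strace line: pid, syscall name, the raw argument text, and the integer return value.
LINE_RE = re.compile(r'^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)')

# Policy rules: label -> path prefixes that count as private data (assumed, not from the thesis).
SENSITIVE_PATH_PREFIXES = {
    "sms": ["/data/data/com.android.providers.telephony/"],
}


def parse_trace(text):
    """Return a list of (pid, syscall, args, ret) tuples; non-syscall lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m.group("pid")), m.group("call"),
                           m.group("args"), int(m.group("ret"))))
    return events


def syscall_histogram(events):
    """Count how often each system call was invoked."""
    return dict(Counter(call for _, call, _, _ in events))


def feature_vector(events, vocabulary):
    """Frequency vector over a fixed syscall vocabulary, as a classifier would consume it."""
    hist = syscall_histogram(events)
    return [hist.get(call, 0) for call in vocabulary]


def policy_violations(events, rules=SENSITIVE_PATH_PREFIXES):
    """Flag open/openat calls whose first quoted path falls under a rule prefix.

    Failed opens (negative return) are reported too, because an attempt to read
    private data is itself policy-relevant even when the kernel denies it.
    """
    hits = []
    for pid, call, args, ret in events:
        if call not in ("open", "openat"):
            continue
        path_match = re.search(r'"([^"]*)"', args)
        if not path_match:
            continue
        path = path_match.group(1)
        for label, prefixes in rules.items():
            if any(path.startswith(p) for p in prefixes):
                hits.append({"pid": pid, "label": label, "call": call,
                             "path": path, "ret": ret, "succeeded": ret >= 0})
    return hits


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    print("histogram:", syscall_histogram(evs))
    print("features:", feature_vector(evs, ["openat", "read", "sendto", "close", "write"]))
    for hit in policy_violations(evs):
        print("policy hit:", hit)
```

The histogram feeds a per-application feature vector over a fixed syscall vocabulary, which is the shape of input a classifier expects; the policy check is the offline counterpart of the real-time alerting the second part of the thesis describes, and it keeps the return value so a reviewer can tell a denied access attempt from a successful read.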

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: Jariwala, Dhruv
Institution: Concordia University
Degree Name: M.A. Sc.
Program: Information Systems Security
Date: 23 October 2014
Thesis Supervisor(s): Youssef, Amr
ID Code: 979140
Deposited On: 13 Jul 2015 13:21
Last Modified: 18 Jan 2018 17:48
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.