How 1 Million App Calls Can Tell You a Bit About Malware
By Dimitris Mitropoulos
Malicious applications have different goals than benign applications. However, they try to masquerade their behavior
in order to look like the benign ones. By studying the behavior of malicious apps, researchers can identify distinct
characteristics that may lead to more robust filters and
precise detection rules. In this article, I discuss how my
colleagues and I examined benign and malicious mobile
applications in order to observe how they use POSIX (Portable
Operating System Interface) abstractions, and how we
created a number of rules to single out a malicious app.
Specifically, in our research we measured how and
to what extent traditional POSIX abstractions are being
used in modern operating systems, and whether new
abstractions are taking form, dethroning traditional
ones [1]. In one of our experiments, we examined which
POSIX calls are used by both benign Android applications
(approximately 1 million) coming from the Google Play
store, and malicious Android applications (1,260) taken
from a well-known dataset [2].
POSIX ABSTRACTIONS AND MALICIOUS APPS
The distribution of POSIX calls between the benign and malicious applications can be seen in Figure 1. An interesting
observation involves outliers illustrating the POSIX interfaces that are popular only for malicious applications. Table
1 presents a set of indicative abstractions that are frequent
among malicious apps and infrequent among benign ones.
Initially, we attempted to create a simple classifier
to determine potentially malicious applications based
on the abstraction frequency depicted in Figure 1. In
particular, we checked if an application uses at least
one of the following abstractions: ptsname, unlockpt
(two pseudo-terminal functions—malicious application
developers are most likely attempting to exploit
interfaces known to be old, poorly maintained, and
buggy), and setsid. We checked our filter against a set of
applications taken from the Google Play store (465,000).
Our initial findings, though, were not significant. Our
filter indicated 1,633 applications were suspicious. To
validate our result, we checked these applications against
the 54 antiviruses provided by the VirusTotal service.
We found 413 (25.29 percent) of them to be potentially
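The two steps described above, deriving a rule set from the abstraction frequencies of labelled apps and then applying the "uses at least one of ptsname, unlockpt, setsid" filter and measuring how many flagged apps an external check confirms, as an added example that is not the authors' code. The per-app symbol sets and the prevalence thresholds are constructed assumptions for illustration, not data from the study.

```python
from collections import Counter
from typing import Dict, List, Set

# Constructed corpora (not the study's data): app name -> POSIX symbols its
# native code imports. Invented so that the rule-derivation step below
# recovers the three abstractions named in the article.
BENIGN = {
    "photo_editor": {"open", "read", "write", "mmap", "pthread_create"},
    "weather": {"open", "read", "socket", "connect", "select"},
    "notes": {"open", "read", "write", "fsync", "setsid"},
    "music": {"open", "mmap", "pthread_create", "ioctl"},
}
MALICIOUS = {
    "fake_bank": {"open", "socket", "connect", "ptsname", "unlockpt"},
    "sms_spy": {"open", "read", "setsid", "fork", "execve"},
    "root_kit": {"ptsname", "unlockpt", "setsid", "mmap", "ioctl"},
}

def prevalence(corpus: Dict[str, Set[str]]) -> Dict[str, float]:
    """Fraction of apps in the corpus that use each abstraction."""
    counts = Counter(sym for syms in corpus.values() for sym in syms)
    return {sym: n / len(corpus) for sym, n in counts.items()}

def outlier_abstractions(benign: Dict[str, Set[str]],
                         malicious: Dict[str, Set[str]],
                         min_mal: float = 0.5,
                         max_ben: float = 0.3) -> Set[str]:
    """The Table 1 criterion: abstractions used by at least min_mal of the
    malicious apps and by at most max_ben of the benign apps. Thresholds
    are assumed values, not ones taken from the article."""
    pb, pm = prevalence(benign), prevalence(malicious)
    return {s for s, f in pm.items() if f >= min_mal and pb.get(s, 0.0) <= max_ben}

def flag_suspicious(apps: Dict[str, Set[str]], rule: Set[str]) -> List[str]:
    """The article's filter: flag an app that uses at least one rule abstraction."""
    return sorted(name for name, syms in apps.items() if syms & rule)

def validation_rate(flagged: List[str], confirmed: Set[str]) -> float:
    """Percentage of flagged apps that an external check (e.g. AV engines)
    also reports as malicious; 0.0 when nothing was flagged."""
    if not flagged:
        return 0.0
    hits = sum(1 for app in flagged if app in confirmed)
    return round(100.0 * hits / len(flagged), 2)

if __name__ == "__main__":
    rule = outlier_abstractions(BENIGN, MALICIOUS)
    print("derived rule:", sorted(rule))
    print("flagged among benign:", flag_suspicious(BENIGN, rule))
```

With the article's own counts (1,633 flagged, 413 confirmed) validation_rate returns 25.29, the figure quoted above.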
malicious. Furthermore, Figure 2 indicates in most cases
The XRDS blog highlights a range of topics from conference coverage, to security
and privacy, to CS theory. Selected blog posts, edited for print, are featured in
every issue. Please visit xrds.acm.org/blog to read each post in its entirety. If you
are interested in joining as a student blogger, please contact us.