AnDa: a Dynamic Analysis System for Malicious Code

doi:10.3969/j.issn.1671-1122.2014.08.005

Abstract

Abstract: Recently, mobile terminals have been extended to business applications rapidly, and have been more closely related to user privacy and property. As static monitoring cannot guarantee software security, the analysis of dynamic monitoring sandbox can realize real-time monitoring in a faster, more accurate, safer, and high feasible manner. The problem of privacy leakage exists in Android platform malware, such as accessing user data and exposing them to networks, or intercepting and spying on phone calls and short text messages. Thus, this article proposes a solution system called AnDa, which records sensitive behavior of Android malwares using dynamic detection sandbox. The overall designs and key technologies of the system are described, including real-time monitoring of behaviors such as accessing to phone calls, text messages, location information, SIM card and so on. It has been tested on both virtual machine and physical machine. This work adopted analysis technique on dynamic detection sandbox, to realize the software dynamic monitoring and behavior analysis under Android platform. It can achieve effectively monitoring Java Method Hook for API from Android framework layers and common malware characteristics. The system support devices over Android 4.0. Depending on the information of malicious behavior, AnDa can determine the type of malware and detect new viruses, so that important phone calls and personal data will be protected, and the security will be greatly improved.

Key words: Java Method HOOK, Android malicious code, dynamic sand-box analysis

CLC Number:

TP309

REN Wei, LIU Kun, ZHOU Jin. AnDa: a Dynamic Analysis System for Malicious Code[J]. 信息网络安全, 2014, 14(8): 28-33.

References

[1] CNCERT/CC. CNCERT/CC 2013 年上半年网络安全工作报告[R]. 2014.
[2] YU Peng-yang,HUANG Jun-fei,GONG Yun-zhan. Static Code Analysis of Adroid Applications Information Leakage[J]. Computer engineering & soft ware,2012,33(10):125-129.
[3] GUI Jia-ping, ZHOU Yong-kai, SHEN Jun, et al. Research on Prevention Model of Malicious Coding Smart Phone [J].Computer Technology and Development,2010,(10):169-172.
[4] YANG Chang-gang. Deeply analyze the Android system[M]. Beijing: Publishing House of Electronics industry, 2013.
[5] JIN Tai-yan, SONG Heng-zhou, PIAO Zhi-xun,et al. Inside the Android Framework[M]. WU Chuan-hai. Beijing: Posts &Telecom Press, 2012.
[6] Han Chao. Android core principles and efficient development of system-level applications[M]. Beijing: Electronic Industry Press, 2012.
[7] Zhang Shan-xiang. Parsing java virtual machine development[M]. Beijing:Tsinghua University Press, 2013.
[8] Lu Cheng, Zhnag Miao, Xu Ai-guo. Android application source code for malicious behavior detection model based on static analysis techniques[J]. Chinese scientific papers online, 201111-54.
[9] Xposed Module Repository [EB/OL]. http://repo.xposed.info/,2014-06-14.
[10] Rovo89, Tungstwenty. Xposed [EB/OL]. https://github.com/rovo89,2014-06-14.
[11] The Introduction of Xposed [EB/OL]. http://forum.xda-developers.com/showthread.php? t=1574 401, 2014-06-14.
[12] Luo Sheng-yang. Android system source code Scenario Analysis[M]. Beijing: Publishing House of Electronics Industry, 2012.
[13] Ke Yuan-dan. The profiling of Android kernel[M]. Publishing House of Electronics industry, 2011.
[14] Li-Gang. Crazy handouts of Android[M]. Publishing House of Electronics industry, 2013.
[15] The Items of Xposed [EB/OL]. http://github.com/rovo89,2014-06-14.
[16] Li Bin. Design and implementation of a software-based behavioral analysis system Android sandbox[D]. Beijing: Beijing University of Postand Telecommunication,2013.
[17] Gan Tian. Android mobile phone software testing methods and practice[D]. Beijing: Beijing University of Postand Telecomm unication,2011.