Research on the Technology of Malware Behavior Monitoring Based on LKM System Call Hijacking

doi:10.3969/j.issn.1671-1122.2016.04.001

Abstract

Abstract:

Android operating system occupies most of the smart devices and has the largest number of users. But smartphone’s huge market value has also attracted the attention of hackers while bringing convenience to users. The black chain which uses malware as the main attack method can put users’ privacy and their property safety in dangerous situation. Therefore, study of the technology on Android malware detection has a very important theoretical value and practical significance. This paper gives a brief introduction on knowledge of Android malware, and proposes an Android application software dynamic behavior monitoring method based on LKM. This method hijacks and replaces the system call in the Linux kernel layer, and later runs in the form of services. It can monitor sending text messages, making phone calls, getting the phone number, network connections, privilege escalation and et al. Experimental results show that the monitoring accuracy rate of malicious behavior reaches to 93% and its performance overhead is less than 5%. Finally, this paper design and implement the dynamic behavior monitoring system based on the method. So, it has a high practical value.

Key words: behavior monitoring, LKM, malware, Android

CLC Number:

TP309

Yong DING, Wei CAO, Senlin LUO. Research on the Technology of Malware Behavior Monitoring Based on LKM System Call Hijacking[J]. Netinfo Security, 2016, 16(4): 1-8.

Figures/Tables 8

References 13

[1]	腾讯移动安全实验室. 2015年上半年手机安全报告[EB/OL]. , 2016-02-18.
[2]	朱筱赟,胡爱群,邢月秀,等. 基于Android平台的移动办公安全方案综述[J]. 信息网络安全,2015(1):76-83.
[3]	DAI Shuaifu, WEI Tao, ZOU Wei.DroidLogger: Reveal Suspicious Behavior of Android Applications via Instrumentation[C]//IEEE. 7th International Conference on Computing and Convergence Technology, December 3-5, 2012, Seoul. New Jersey: IEEE, 2012: 550-555.
[4]	BATYUK L, HERPICH M, CAMTEPE S A, et al.Using Static Analysis for Automatic Assessment and Mitigation of Unwanted and Malicious Activities within Android Applications[C]//ACM. 6th International Conference on Malicious and Unwanted Software, October 18-19, 2011, Fajardo. New York: ACM, 2011: 66-72.
[5]	XU Rubin, SAÏDI H, ANDERSON R. Aurasium: Practical Policy Enforcement for Android Applications[C]//USENIX. 21st USENIX Conference on Security Symposium, August 8-10, 2012, Bellevue. New York: ACM, 2012: 27.
[6]	PENG Guojun, SHAO Yuru, WANG Taige, et al.Research on Android Malware Detection and Interception Based on Behavior Monitoring[J]. Wuhan University Journal of Natural Sciences, 2012, 17(5): 421-427.
[7]	张磊,陈兴蜀,任益,等. 一种基于VMM的内核级Rootkit检测技术[J]. 信息网络安全,2015(4):56-61.
[8]	ISOHARA T, TAKEMORI K, KUBOTA A.Kernel-based Behavior Analysis for Android Malware Detection[C]//Guangdong University of Technology, Beijing Normal University, Hainan Province Institution of Computing. 7th International Conference on Computational Intelligence and Security, December 3-4, 2011, Hainan. New Jersey: IEEE, 2011: 1011-1015.
[9]	ZHOU Yajin, JIANG Xuxian.Dissecting Android Malware: Characterization and Evolution[C]//IEEE. 2012 IEEE Symposium on Security and Privacy, May 20-23, 2012, San Francisco. New Jersey: IEEE, 2012: 95-109.
[10]	李汶洋. Android操作系统恶意软件检测技术研究[J]. 信息网络安全,2015(9):62-65.
[11]	Google. 官方Android开发文档[EB/OL]. , 2016-2-18.
[12]	DAVIS B, SANDERS B, KHODAVERDIAN A, et al. I-ARM-Droid: A Rewriting Framework for In-App Reference Monitors for Android Applications[EB/OL]. , 2016-1-22.
[13]	赵光泽,李晖,孟杨. Android平台WebView组件安全及应用加固研究[J]. 信息网络安全,2015(10):61-65.

[1]	Liuyang HOU, Senlin LUO, Limin PAN, Ji ZHANG. Multi-feature Android Malware Detection Method [J]. Netinfo Security, 2020, 20(1): 67-74.
[2]	Xin SONG, Kai ZHAO, Linlin ZHANG, Wenbo FANG. Research on Android Malware Detection Based on Random Forest [J]. Netinfo Security, 2019, 19(9): 1-5.
[3]	Yanchen QIAO, Qingshan JIANG, Liang GU, Xiaoming WU. Malware Classification Method Based on Word Vector of Assembly Instruction and CNN [J]. Netinfo Security, 2019, 19(4): 20-28.
[4]	Liping DING, Xuehua LIU, Guangxuan CHEN, Yin LI. Overview of Digital Forensics Technologies of RAM in Android Devices [J]. Netinfo Security, 2019, 19(2): 10-17.
[5]	Xuruirui FENG, Jiayong LIU, Pengsen CHENG. Analyzing Malware Behavior and Capability Related Text Based on Feature Extraction [J]. Netinfo Security, 2019, 19(12): 72-78.
[6]	Jian ZHANG, Bohan CHEN, Liangyi GONG, Zhaojun GU. Research on Malware Detection Technology Based on Image Analysis [J]. Netinfo Security, 2019, 19(10): 24-31.
[7]	Zhongyuan QIN, Junrui ZHANG, Qunfang ZHANG, Zhiyong SONG. Android Terminals Control Technology Based on Inject and Hook [J]. Netinfo Security, 2018, 18(9): 66-73.
[8]	Yunchun LI, Wentao LU, Wei LI. Malware Detection Method Based on Shapelet [J]. Netinfo Security, 2018, 18(3): 70-77.
[9]	Xinlong SONG, Dong ZHENG, Zhonghuang YANG. Mobile Device Management System Based on AOSP and SELinux [J]. Netinfo Security, 2017, 17(9): 103-106.
[10]	Debing LU, Haoliang CUI, Wen ZHANG, Shaozhang NIU. Application Security Reinforcement Scheme Based on Intent Filter [J]. Netinfo Security, 2017, 17(11): 67-73.
[11]	Jiajia LIU, Yan YU, Hengwei HU, Jiashun WU. Research on a Protection Mechanism Based on Virtual Machine Customization [J]. Netinfo Security, 2017, 17(1): 63-67.
[12]	WANG Yi, TANG Yong, LU Zexin, YU Xin. Research on Features Selection in Malware Clustering [J]. 信息网络安全, 2016, 16(9): 64-68.
[13]	ZHANG Jian, WANG Wenxu, NIU Pengfei, GU Zhaojun. Research on Test Evaluation System of Anti-malware Products and Service [J]. 信息网络安全, 2016, 16(9): 113-117.
[14]	LEI Qing, JING Lihua, ZHAO Deming, ZHENG Jilong. Research on the Technology of Gun Detection System for Android APP Videos Based on Deep Learning [J]. 信息网络安全, 2016, 16(9): 149-153.
[15]	CAI Lin, CHEN Tieming. Research Review and Outlook on Android Mobile Malware Detection [J]. 信息网络安全, 2016, 16(9): 218-222.