Dexteroid: Detecting Malicious Behaviors in Android Apps Using Reverse-Engineered Life Cycle Models
Mohsin Junaid, Donggang Liu, David Kung

TL;DR
Dexteroid is a static analysis framework that uses reverse-engineered lifecycle models to detect Android malware behaviors, including information leaks and premium SMS sending, with improved accuracy over existing tools.
Contribution
The paper introduces Dexteroid, a novel static analysis framework that leverages reverse-engineered lifecycle models for more accurate malware detection in Android apps.
Findings
Effective in detecting information leaks and SMS attacks
Outperforms FlowDroid in precision and recall
Efficient in execution time
Abstract
The amount of Android malware has increased greatly during the last few years. Static analysis is widely used in detecting such malware by analyzing the code without execution. The effectiveness of current tools relies on the app model as well as the malware detection algorithm which analyzes the app model. If the model and/or the algorithm is inadequate, then sophisticated attacks that are triggered by specific sequences of events will not be detected. This paper presents a static analysis framework called Dexteroid, which uses reverse-engineered life cycle models to accurately capture the behaviors of Android components. Dexteroid systematically derives event sequences from the models, and uses them to detect attacks launched by specific ordering of events. A prototype implementation of Dexteroid detects two types of attacks: (1) leakage of private information, and (2) sending SMS…
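Why event ordering matters for detection, as an added Python sketch (not Dexteroid's implementation or algorithm): it walks a subset of the documented Android Activity lifecycle transitions and checks a constructed, hypothetical app whose per-callback summaries (`SUMMARIES`) leak only when `onPause` runs before a later `onResume`. All function and variable names are assumptions made for this illustration.

```python
# Added illustration, not Dexteroid's code. Edges are a subset of the
# documented Activity lifecycle, including onPause -> onResume and onRestart.
LIFECYCLE = {
    "onCreate": ["onStart"],
    "onStart": ["onResume"],
    "onResume": ["onPause"],
    "onPause": ["onResume", "onStop"],
    "onStop": ["onRestart", "onDestroy"],
    "onRestart": ["onStart"],
    "onDestroy": [],
}

# Constructed summaries of a hypothetical app: "source" stores private data in
# a field, "sink" sends the field off the device, "clear" overwrites it.
SUMMARIES = {
    "onCreate": [("clear", "cache")],
    "onResume": [("sink", "cache")],
    "onPause": [("source", "cache")],
}

def event_sequences(model, start="onCreate", max_len=8):
    """Enumerate callback paths through the model, bounded by max_len."""
    stack = [[start]]
    while stack:
        path = stack.pop()
        yield path
        if len(path) < max_len:
            for nxt in model[path[-1]]:
                stack.append(path + [nxt])

def leaks(sequence, summaries):
    """Return True if a tainted field reaches a sink along this ordering."""
    tainted = set()
    for callback in sequence:
        for op, field in summaries.get(callback, []):
            if op == "source":
                tainted.add(field)
            elif op == "clear":
                tainted.discard(field)
            elif op == "sink" and field in tainted:
                return True
    return False

def leaking_sequences(model, summaries, max_len=8):
    return [s for s in event_sequences(model, max_len=max_len) if leaks(s, summaries)]

# A single fixed ordering of callbacks, as a simpler app model would assume.
LINEAR = ["onCreate", "onStart", "onResume", "onPause", "onStop", "onDestroy"]
```

A checker that analyzes only `LINEAR` reports no leak for this app, while enumeration over the model finds the shortest leaking ordering ending in `onPause`, `onResume`.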
