TL;DR
SpotCheck is an on-device anomaly detection system for Android that uses machine learning models such as Variational Autoencoders (VAE), together with a novel memory dump analysis, to identify suspicious apps, enhancing mobile security without continuous monitoring.
Contribution
It introduces a new on-device anomaly detection method based on VAEs and memory dumps, reducing the need for continuous app monitoring and improving the detection of previously unseen malware.
Findings
VAE-based SpotCheck achieves effectiveness comparable to network anomaly detection.
The memory dump approach performs well without continuous app monitoring.
The system enhances on-device security by detecting previously unseen malware.
Abstract
In recent years the PC has been replaced by mobile devices for many security-sensitive operations, with both privacy and financial implications. While security mechanisms are deployed at various levels, these are frequently put under strain by previously unseen malware. An additional protection layer capable of novelty detection is therefore needed. In this work we propose SpotCheck, an anomaly detector intended to run on Android devices. It samples app executions and submits suspicious apps to more thorough processing by malware sandboxes. We compare Kernel Principal Component Analysis (KPCA) and Variational Autoencoders (VAE) on app execution representations based on the well-known system call traces, as well as on a novel representation based on memory dumps. Results show that when using VAE, SpotCheck attains a level of effectiveness comparable to what has been previously achieved for…