EXTRACTION AND CORRELATION OF MOBILE APP METADATA TO DETECT POTENTIALLY MALICIOUS BEHAVIOUR

Project Summary:

Mobile malware is increasing at a very rapid rate due to the increasing popularity of apps and the growing adoption of smartphones worldwide. Android is currently the market leader with over 80% of the global sales share. In addition to sourcing apps from the official Google Play app store, users are able to download and use apps from several third-party app stores and other online sources. Unlike the iOS ‘walled garden’ approach, the Android open model has made it the mobile platform most targeted by malware authors. Although Google has introduced an app screening system called Bouncer to stop malicious apps from being uploaded to the Play Store, numerous third-party stores have little or no preventive measures against malware. The current methods of analysis and detection of Android malware are largely based on either static analysis or dynamic analysis.

The static analysis approach involves reverse engineering the app back to Java source or disassembling it, and then scrutinising the resulting code for malicious behaviour. With dynamic analysis, the app is run within a sandboxed environment in order to observe its real-time behaviour. Whilst these two methods are quite effective, they often do not fully exploit a range of app metadata such as author, app size, number and types of third-party libraries used, app category, Android versions supported, source of download, and other information outside of the features obtained from sandboxing or reverse engineering the executable files. These artefacts could be a rich source of data which, when correlated, might be useful in uncovering malware or enhancing the commonly used static and dynamic analysis tools. Such an approach could also potentially be used for rapid triage of an app before applying other resource-intensive and time-consuming methods.
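As an added illustration of the metadata-correlation idea (not the project's own code or method), the Python below triages constructed app records on three of the signals listed above: author, third-party libraries and app size relative to the app's category, using the official-store copy of the same package as the reference. Field names, sample values, rules and thresholds are all assumptions.

```python
# Added example, not the project's code: metadata-only triage of Android
# app records. Field names, sample values and the rules are assumptions.
from statistics import mean, pstdev

# Constructed sample: the same package name appears in the official store
# and in a third-party store with a different author and extra libraries.
APPS = [
    {"package": "com.example.notes", "author": "Example Ltd", "size_kb": 2100,
     "libs": ["okhttp"], "category": "Productivity", "source": "play"},
    {"package": "com.example.notes", "author": "unknown-dev", "size_kb": 3900,
     "libs": ["okhttp", "adlib-x", "smsutil"], "category": "Productivity",
     "source": "third-party"},
    {"package": "com.example.todo", "author": "Example Ltd", "size_kb": 2300,
     "libs": ["okhttp"], "category": "Productivity", "source": "play"},
    {"package": "com.example.calc", "author": "Calc Co", "size_kb": 1900,
     "libs": [], "category": "Productivity", "source": "play"},
]

def size_baseline(apps, category):
    """Mean and population std-dev of size for official-store apps in a category."""
    sizes = [a["size_kb"] for a in apps
             if a["category"] == category and a["source"] == "play"]
    if not sizes:
        return None, None
    return mean(sizes), pstdev(sizes)

def triage(apps, sd_limit=2.0):
    """Map (package, source) -> reasons for records whose metadata correlates badly."""
    official = {a["package"]: a for a in apps if a["source"] == "play"}
    findings = {}
    for app in apps:
        reasons = []
        ref = official.get(app["package"])
        if ref is not None and ref is not app:
            if ref["author"] != app["author"]:
                reasons.append("author differs from official-store copy")
            extra = sorted(set(app["libs"]) - set(ref["libs"]))
            if extra:
                reasons.append("extra third-party libraries: " + ", ".join(extra))
        s_mean, s_sd = size_baseline(apps, app["category"])
        if s_sd and abs(app["size_kb"] - s_mean) > sd_limit * s_sd:
            reasons.append("size is a category outlier")
        if reasons:
            findings[(app["package"], app["source"])] = reasons
    return findings

if __name__ == "__main__":
    for key, why in triage(APPS).items():
        print(key, "->", "; ".join(why))
```

Only the third-party copy of com.example.notes is flagged here; the official-store records serve as the baseline and are never compared against themselves.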

Contact Details:

Prof Sakir Sezer

Email: s.sezer@qub.ac.uk

Telephone: +44 (0)28 9097 1770