Publications

DroidAuditor: Forensic Analysis of Application-Layer Privilege Escalation Attacks on Android

Author: Heuser, Stephan; Negro, Marco; Pendyala, Praveen Kumar; Sadeghi, Ahmad-Reza
Date: 2016
Type: Report
Abstract: Smart mobile devices process and store a vast amount of security- and privacy-sensitive data. To protect this data from malicious applications, mobile operating systems such as Android adopt fine-grained access control architectures. However, related work has shown that these access control architectures are susceptible to application-layer privilege escalation attacks. Both automated static and dynamic program analysis promise to proactively detect such attacks. Yet while state-of-the-art static analysis frameworks cannot adequately address native and highly obfuscated code, dynamic analysis is vulnerable to malicious applications using logic bombs to avoid early detection. In contrast, the long-term observation of application behavior could help users and security analysts better understand malicious apps. In this paper we present the design and implementation of DroidAuditor, which observes application behavior on real Android devices and generates a graph-based representation. It visualizes this behavior graph, which enables users to develop an intuitive understanding of application internals. Our solution further allows security analysts to query the behavior graph for malicious patterns. We present the design of the DroidAuditor framework and instantiate it using the Android Security Modules (ASM) access control architecture. We evaluate its capability to detect application-layer privilege escalation attacks, such as confused deputy and collusion attacks. In addition, we demonstrate how our architecture can be used to analyze malicious spyware applications.
Series: Technical Report
Publisher: Technische Universität
URL: https://tubiblio.ulb.tu-darmstadt.de/id/eprint/104144