MobSec: Malware and Security in the Mobile Age

Lead Research Organisation: King's College London
Department Name: Informatics

Abstract

With more than 1 billion activations reported in September 2013, Android mobile devices have become ubiquitous, and trends show that this pace is unlikely to slow down. Android devices are extremely appealing: powerful, with a functional and easy-to-use user interface for accessing sensitive user and enterprise data, they can easily replace traditional computing devices, especially when information is consumed rather than produced. Application marketplaces, such as Google Play, drive the entire economy of mobile applications. For instance, with more than 1 million installed apps and a share of 35%, Google Play has generated revenues exceeding 9 billion USD. Such a wealthy and quite unique ecosystem, with high turnover and access to sensitive data, has unfortunately also attracted the interest of cybercriminals, with malware now hitting Android devices at an alarmingly rising pace. Privacy breaches (e.g., access to the address book and GPS coordinates), monetization through premium SMS and calls, and colluding malware that bypasses 2-factor authentication schemes have become real threats. Recent studies report how mobile marketplaces have been abused to host malware or seemingly legitimate applications embedding malicious components. This clearly reflects the shift from an environment in which malware was developed for fun to the current situation, where malware is spread for financial profit.

Given the limitations of the state of the art just outlined, and according to the security roadmap provided by the European Network of Excellence SysSec, it is clear that "[...] more research focused on the development of defensive tools and techniques that can be deployed to the current smartphone systems to detect and prevent attacks against the device and its applications is needed". MobSec aims to fill this gap with a well-rounded, practical research proposal.

The goal of MobSec is to improve the security of mobile devices by reducing the risk from installing and using third party applications.

Our research objectives build on each other to achieve this goal. First, we will develop dynamic analyses to automatically, faithfully and comprehensively construct models of application behavior. We will address the problem of incompleteness in dynamic analysis by replaying human interaction traces and complementing them with systematic exploration using symbolic execution. Once we are able to build models containing the interesting behavioral traits of mobile malware, we focus on detecting and containing malicious behavior. We initially target information leakage by investigating evasion-resistant information leakage detection techniques and later generalize to distinguishing malicious from benign apps. To handle cases in which detection is not possible, we contain potential threats by decomposing apps into logical components: this enables the enforcement of security policies and the characterization of per-component behaviors, which, being more specific, allow us to detect the behavior of malicious components embedded in seemingly legitimate apps. Finally, MobSec aims at exploring the virtualization extensions of CPUs to open up the possibility of an in-device implementation of the aforementioned analyses.

Planned Impact

The goal of MobSec is to improve the security of mobile devices by
reducing the risk from installing and using third party applications.

We aim at publishing the results of MobSec in top or well-known venues
and to organize a two-day workshop on the subject of mobile security.
The workshop aims at bringing together all the project collaborators,
academic researchers and industry practitioners with an interest in
MobSec's topic and research objectives. The goal of the workshop is to
narrow the gap that nowadays exists between security research carried
out in academia and in industry to face common threats.

We likewise expect the MobSec project to generate technologies and
tools that we would deploy in industry (e.g., at McAfee, a MobSec
project partner), and to raise the quality of app analysis, resulting
in improved protection for users: more true positives and fewer false
positives. The results of the project should also assist in building
better defenses into future operating systems (see the statement of
support for more details). Moreover, MobSec results will also be
beneficial to a number of institutions and professional networks
interested in research outcomes in the field, such as Imperial College
London, Ruhr University Bochum, FORTH-ICS, Politecnico di Milano, and
the National University of Singapore, the EPSRC-funded Network in
Internet and Mobile Malicious Software (NIMBUS), the EU FP7 NoE SysSec,
and the EU FP7 CSA CyberROAD, aimed at the development of a cybercrime
and cyber-terrorism research roadmap, with whom we have strong
professional and collaborative links.

We likewise plan to open the MobSec analysis framework, results, and
data [*] not only to industry and academia, but to society at large,
offering the opportunity to submit and analyze mobile apps for which a
deeper understanding or a behavioral detection model is wanted,
according to the research objectives of MobSec.

In short, we hope that the links outlined above will foster impact in
three ways: they will enable us to promote the results of MobSec to
industry, academia, and society at large; they will provide valuable
real-world data of great importance for evaluating the effectiveness
of MobSec in real-world settings; and they will further strengthen
collaborative research between academia and industry to address
challenging current and upcoming problems.

[*] for all the non-NDA data.

Publications

Bai C (2019) DBank: Predictive Behavioral Analysis of Recent Android Banking Trojans in IEEE Transactions on Dependable and Secure Computing

D'Elia D (2020) On the Dissection of Evasive Malware in IEEE Transactions on Information Forensics and Security

Pendlebury F. (2019) Tesseract: Eliminating experimental bias in malware classification across space and time in Proceedings of the 28th USENIX Security Symposium

 
Description We have developed a system to perform dynamic analysis of Android apps. The novelty of our research lies in the fact that the code to reconstruct the behavior of such apps is automatically generated and works seamlessly across all vanilla Android versions. The behavioral profiles are then fed to machine learning algorithms to classify Android malware into a family of threats. Initial experiments on concept drift detection show that malicious objects too dissimilar to those observed so far are properly identified, which opens the possibility of planning a proper machine learning retraining strategy. We have been able to understand and detect when ML models start decaying and to measure the effect of concept drift in security contexts. The main output has been published in top-tier conferences (e.g., NDSS 2015, USENIX Security 2017 and 2019) or well-known specialized workshops (e.g., AISec).
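The concept-drift idea in the description above, namely that an object too dissimilar to anything seen at training time is flagged rather than blindly classified and that the flag rate informs a retraining decision, as an added toy example. This is not MobSec's or Transcend's code: the feature vocabulary, the two families, the sample apps and the nearest-neighbour Hamming-distance gate are all assumptions constructed for illustration.

```python
"""Toy drift-aware malware family classifier (added example, not MobSec/Transcend code).

A 1-nearest-neighbour classifier over binary behavioural features, wrapped in a
dissimilarity gate: a sample farther from every training sample than any
training sample is from its nearest sibling is flagged as out-of-distribution.
All features, families and samples below are constructed for illustration.
"""

# Constructed feature vocabulary: binary indicators taken from a behavioural
# profile (e.g., permissions exercised at runtime). Order defines the vector layout.
FEATURES = [
    "SEND_SMS", "READ_CONTACTS", "ACCESS_FINE_LOCATION", "INTERNET",
    "RECEIVE_BOOT_COMPLETED", "BIND_ACCESSIBILITY_SERVICE",
    "SYSTEM_ALERT_WINDOW", "READ_SMS", "CAMERA", "RECORD_AUDIO",
]

# Constructed training corpus: (family label, observed feature set).
TRAINING = [
    ("premium_sms", {"SEND_SMS", "INTERNET", "RECEIVE_BOOT_COMPLETED"}),
    ("premium_sms", {"SEND_SMS", "READ_SMS", "INTERNET"}),
    ("premium_sms", {"SEND_SMS", "READ_SMS", "RECEIVE_BOOT_COMPLETED"}),
    ("spyware", {"READ_CONTACTS", "ACCESS_FINE_LOCATION", "INTERNET"}),
    ("spyware", {"READ_CONTACTS", "ACCESS_FINE_LOCATION", "RECORD_AUDIO", "INTERNET"}),
    ("spyware", {"READ_CONTACTS", "CAMERA", "INTERNET"}),
]


def vectorize(feature_set):
    """Map a feature set to a fixed-length binary vector."""
    return tuple(1 if f in feature_set else 0 for f in FEATURES)


def hamming(a, b):
    """Number of positions in which two binary vectors differ."""
    return sum(x != y for x, y in zip(a, b))


class DriftAwareClassifier:
    """1-NN family classifier whose predictions are gated by a dissimilarity threshold."""

    def __init__(self, training):
        self.vectors = [(label, vectorize(fs)) for label, fs in training]
        # Leave-one-out nearest-neighbour distance of each training sample to
        # the rest of the corpus. The largest value is "as dissimilar as a known
        # sample ever gets" and becomes the drift threshold (an assumption).
        loo = []
        for i, (_, v) in enumerate(self.vectors):
            loo.append(min(hamming(v, o) for j, (_, o) in enumerate(self.vectors) if j != i))
        self.threshold = max(loo)

    def classify(self, feature_set):
        """Return (predicted family, distance to nearest training sample, flagged).

        A flagged prediction should not be trusted: the object is unlike
        anything the model was trained on.
        """
        v = vectorize(feature_set)
        label, dist = min(((lbl, hamming(v, o)) for lbl, o in self.vectors),
                          key=lambda t: t[1])
        return label, dist, dist > self.threshold


def drift_report(clf, batch, max_flagged_fraction=0.3):
    """Classify a batch and decide whether enough of it is out-of-distribution
    that retraining, rather than trusting the current model, is warranted."""
    results = [clf.classify(fs) for fs in batch]
    flagged = sum(1 for _, _, f in results if f)
    fraction = flagged / len(results) if results else 0.0
    return {
        "flagged": flagged,
        "total": len(results),
        "flagged_fraction": fraction,
        "retrain": fraction > max_flagged_fraction,
    }


if __name__ == "__main__":
    clf = DriftAwareClassifier(TRAINING)
    # Constructed incoming batch: two variants of known families and two samples
    # from a family the model has never seen (accessibility/overlay abuse).
    batch = [
        {"SEND_SMS", "READ_SMS", "INTERNET", "RECEIVE_BOOT_COMPLETED"},
        {"READ_CONTACTS", "ACCESS_FINE_LOCATION", "CAMERA", "INTERNET"},
        {"BIND_ACCESSIBILITY_SERVICE", "SYSTEM_ALERT_WINDOW", "INTERNET", "READ_SMS"},
        {"BIND_ACCESSIBILITY_SERVICE", "SYSTEM_ALERT_WINDOW", "INTERNET"},
    ]
    for fs in batch:
        print(sorted(fs), "->", clf.classify(fs))
    print(drift_report(clf, batch))
```

The point of the gate is that the nearest-neighbour label is still produced for the unseen family (the closest training sample happens to be a premium-SMS app), but the distance exceeds anything seen during training, so the prediction is marked untrustworthy and counted towards the retraining decision instead of silently becoming a misclassification.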
Exploitation Route The dynamic analysis system we have developed can be
integrated by vendors into Android marketplaces to reconstruct apps'
actions and identify dodgy behaviors. Similar reasoning applies to our
approach to detecting and measuring the effect of concept drift. We
have been having fruitful conversations with Google (Android Security
Team), Facebook (Anti-abuse Team) and Huawei (Cloud Security Europe).

We have further started to explore adversarial ML in the problem space, and this has sparked collaborations with AVAST, TU Braunschweig, Google, Facebook, and Huawei.
Sectors Digital/Communication/Information Technologies (including Software)

URL https://s2lab.kcl.ac.uk
 
Description The findings of this research project helped to better understand the role of ML in computer security contexts and how experimental bias may affect the performance of classifiers. This outcome consolidated research opportunities in academia and industry, with the output of this project shared in both. See https://s2lab.cs.ucl.ac.uk and https://s2lab.cs.ucl.ac.uk/projects/tesseract for further details.
First Year Of Impact 2019
Sector Digital/Communication/Information Technologies (including Software), Education, Other
Impact Types Societal

 
Description AVAST Unrestricted Gift
Amount £50,000 (GBP)
Organisation Avast Software s.r.o 
Sector Private
Country Czech Republic
Start 01/2020 
 
Description AVAST 
Organisation Avast Software s.r.o
Country Czech Republic 
Sector Private 
PI Contribution Adversarial ML in the problem space; robust malware classifiers
Collaborator Contribution AVAST is exploring feature-space adversarial ML attacks and we will be contributing with problem-space constraints. The final goal is to work towards the design of a robust malware classifier.
Impact Unrestricted gift 50,000 GBP
Start Year 2020
 
Description Imperial College & UniBW 
Organisation Bundeswehr University Munich
Country Germany 
Sector Academic/University 
PI Contribution Collaboration with Imperial College London and UniBW on Universal Adversarial Perturbations for Malware thanks to the paper "Intriguing Properties of Adversarial ML Attacks in the Problem Space" IEEE S&P 2020 (https://ieeexplore.ieee.org/document/9152781)
Collaborator Contribution Collaboration with Imperial College London and UniBW on Universal Adversarial Perturbations for Malware thanks to the paper "Intriguing Properties of Adversarial ML Attacks in the Problem Space" IEEE S&P 2020 (https://ieeexplore.ieee.org/document/9152781)
Impact N/A
Start Year 2020
 
Description Imperial College & UniBW 
Organisation Imperial College London
Department Department of Computing
Country United Kingdom 
Sector Academic/University 
PI Contribution Collaboration with Imperial College London and UniBW on Universal Adversarial Perturbations for Malware thanks to the paper "Intriguing Properties of Adversarial ML Attacks in the Problem Space" IEEE S&P 2020 (https://ieeexplore.ieee.org/document/9152781)
Collaborator Contribution Collaboration with Imperial College London and UniBW on Universal Adversarial Perturbations for Malware thanks to the paper "Intriguing Properties of Adversarial ML Attacks in the Problem Space" IEEE S&P 2020 (https://ieeexplore.ieee.org/document/9152781)
Impact N/A
Start Year 2020
 
Description UIUC 
Organisation University of Illinois at Urbana-Champaign
Country United States 
Sector Academic/University 
PI Contribution Collaboration with Gang Wang from UIUC thanks to the paper "Intriguing Properties of Adversarial ML Attacks in the Problem Space" IEEE S&P 2020 (https://ieeexplore.ieee.org/document/9152781)
Collaborator Contribution We are exploring backdoor poisoning attacks in the problem space
Impact N/A
Start Year 2020
 
Description WUSTL 
Organisation Washington University in St Louis
Country United States 
Sector Academic/University 
PI Contribution Collaboration with Washington University in St. Louis on robust features thanks to the paper "Intriguing Properties of Adversarial ML Attacks in the Problem Space" IEEE S&P 2020 (https://ieeexplore.ieee.org/document/9152781)
Collaborator Contribution Collaboration with Washington University in St. Louis on robust features thanks to the paper "Intriguing Properties of Adversarial ML Attacks in the Problem Space" IEEE S&P 2020 (https://ieeexplore.ieee.org/document/9152781)
Impact N/A
Start Year 2020
 
Description ZJU 
Organisation Zhejiang University
Country China 
Sector Academic/University 
PI Contribution Collaboration with Zhejiang University on feature-space to problem-space mapping thanks to the paper "Intriguing Properties of Adversarial ML Attacks in the Problem Space" IEEE S&P 2020 (https://ieeexplore.ieee.org/document/9152781)
Collaborator Contribution Collaboration with Zhejiang University on feature-space to problem-space mapping thanks to the paper "Intriguing Properties of Adversarial ML Attacks in the Problem Space" IEEE S&P 2020 (https://ieeexplore.ieee.org/document/9152781)
Impact N/A
Start Year 2020
 
Title Intriguing Properties of Adversarial ML Attacks in the Problem Space 
Description Reformulation of adversarial ML attacks in the problem space; end-to-end adversarial examples generation for Android 
Type Of Technology Software 
Year Produced 2020 
Impact Still active; sparked a collaboration with AVAST (ongoing)
URL https://s2lab.kcl.ac.uk/projects/intriguing/
 
Title Tesseract: Eliminating Experimental Bias in Malware Classification across Space and Time 
Description See https://s2lab.kcl.ac.uk/projects/tesseract/ 
Type Of Technology Software 
Year Produced 2019 
Open Source License? Yes  
Impact See https://s2lab.kcl.ac.uk/projects/tesseract/ 
URL https://s2lab.kcl.ac.uk/projects/tesseract/
 
Title Transcend - Detection of Concept Drift in Malware Classifiers 
Description See https://s2lab.kcl.ac.uk/papers/files/usenixsec2017.pdf 
Type Of Technology Software 
Year Produced 2017 
Open Source License? Yes  
Impact We have refactored and open-sourced Transcend in 2019