
Android malware detection and protection systems

Year 2015, Volume: 31 Issue: 1, 9 - 16, 01.02.2015

Abstract

Android, an open-source, Linux-based mobile operating system, is the most widely used mobile operating system in the world according to recent reports. As a result of this popularity and its open-source nature, Android has become a target of malicious attacks and attackers. According to the Cisco 2014 security report, 99% of mobile malware targets the Android operating system. Android applications are generally obtained from the official application market, the Play Store. The Play Store publishes applications uploaded by various developers without subjecting them to a security scan. In addition, when a user attempts to install an application, Android presents the permissions the application requests and leaves all subsequent responsibility to the user. Studies show that the large majority of Android users are unaware of these permissions or do not know what effects they have. For this reason, there is a need for security scanning to determine whether applications contain malicious content and for informing users. Various approaches and methods exist in the literature to meet this need. In this study, various Android malware detection/protection systems from the literature are examined under four headings: static, dynamic and signature-based analysis approaches, and protection through encrypted data communication. The manifest inspection, API call tracing, signature database, secure data exchange and machine learning features of the methods used are presented comparatively.


Android malware detection and protection systems


Abstract

According to recent reports, Android, an open-source, Linux-based operating system, is the most widely used mobile operating system in the world. Due to this popularity and its open-source nature, Android has become the main target of malware and malware developers. The Cisco Security Report 2014 highlights that Android is the target of 99% of all mobile malware. Android applications are commonly installed through the official application market, the Play Store. The Play Store publishes applications uploaded by different developers without subjecting them to a security test. Additionally, when a user attempts to install an application, Android displays the permissions the application requests and then shifts all responsibility onto the user. Most studies indicate that the majority of Android users are not aware of these permissions or do not understand their consequences. Hence, applications need to be analyzed to determine whether they contain malicious content, and users need to be informed about it. Various approaches and methods in the literature address this need. In this study, different Android malware detection/protection systems are investigated under four approaches: static analysis, dynamic analysis, signature-based analysis and data encryption. Their features are compared based on manifest files, API call tracing, signature database and machine learning.


Details

Other ID JA79EV27JA
Section Articles
Authors

Abdullah Talha Kabakuş

İbrahim Alper Doğru

Aydın Çetin

Publication Date February 1, 2015
Published in Issue Year 2015 Volume: 31 Issue: 1

Cite

APA Kabakuş, A. T., Doğru, İ. A., & Çetin, A. (2015). Android kötücül yazılım tespit ve koruma sistemleri. Erciyes Üniversitesi Fen Bilimleri Enstitüsü Fen Bilimleri Dergisi, 31(1), 9-16.
