Toward a more dependable hybrid analysis of android malware using aspect-oriented programming

The growing threat to user privacy by Android applications (app) has tremendously increased the need for more reliable and accessible analysis techniques. This paper presents AspectDroid1-an offline app-level hybrid analysis system designed to investigate Android applications for possible unwanted activities. It leverages static bytecode instrumentation to weave in analysis routines into an existing application to provide efficient dataflow analysis, detection of resource abuse, and analytics of suspicious behaviors, which are then monitored dynamically at runtime. Unlike operating system or framework dependent approaches, AspectDroid does not require porting from one version of Android to another, nor does it depend on a particular Android runtime, making it a more adaptable and easier to use technique. We evaluate the strength of our dataflow algorithm on 105 apps from the DroidBench corpus, with experimental results demonstrating that AspectDroid can detect tagged data with 94.68% accuracy. Furthermore, we compare and contrast the behavioral patterns in 100 malware samples from the Drebin dataset (Arp et al., 2014) and 100 apps downloaded from Google Play. Our results showed more traces of sensitive data exfiltration, abuse of resources, as well as suspicious use of programming concepts like reflection, native code, and dynamic classes in the malware set than the Google Play apps. In terms of runtime overhead, our experiments indicate AspectDroid can comprehensively log relevant security concerns with an approximate overhead of 1 MB memory and a 5.9% average increase in CPU usage.