ABSTRACT
III
ABSTRACT
3G service has been developing rapidly in China since its launch in 2009. More
users start to use smart terminals along with the widespread of 3G network, meanwhile
Android begins to predominate the smart phone market due to its openness and
cost-effectiveness. Nevertheless, the rapid expansion of Android market share
introduces malware aiming at Android at an alarming rate, which poses great threats to
its users.
Some solutions to security issues on Android have been put forward, but most of
them belong to the traditional static analysis approach, and they cannot analyze
malicious behaviors during the execution of a program. Although few solutions are able
to analyze samples dynamically, they show weaknesses in stability and so forth.
According to previous statement, this dissertation proposes an approach by
analyzing Android malware dynamically at virtual machine level, which actively tracks
and records the behavior of target program instead of using traditional static analysis
method. Based on the newly-proposed method, a new Android malware behavior
analysis system based on sandbox is proposed, which modifies the Android system and
tracks data originated from sensitive sources. Defining data tags in our new system is
the first step, and it is based on the premise of analyzing data sources and application
interface libraries that malware frequently uses. And then this dissertation concentrates
on how to embed data tags at various object levels, along with transmitting data and
tags across programs by Binder IPC mechanism. Finally, a module for extracting tags
from data is also constructed, so as to acquire valuable information indicating how data
is handled. In addition, a module for exporting logs out of the virtual machine is
implemented as well, which enables recording of sensitive data.
To verify the correctness of our system, relevant tests are designed. And two
different kinds of Android applications for testing are selected, one is a self-written
program imitating behaviors that malware possesses, such as file operation, sensitive
data access and automatic Internet connection in the background; and others are
malware samples collected online. The self-written sample invokes APIs provided by
万方数据
