The Droid Knight: a silent guardian for the Android kernel, hunting for rogue smartphone malware applications

Muhammad Ali Akbar, nexGIN RC, Institute of Space Technology, Islamabad
Farrukh Shahzad, nexGIN RC, Institute of Space Technology, Islamabad
Muddassar Farooq, nexGIN RC, Institute of Space Technology, Islamabad


Smartphone devices have become an important enabler for providing m-services in a ubiquitous fashion; as a result, malware attacks on smartphone platforms have significantly escalated. Since users are using smartphones for m-commerce-based financial transactions (and also store sensitive personal data on them), they must be protected against the rising threat of m-malware.

In this paper, we present a real-time malware detection framework for the Android platform that performs dynamic analysis of smartphone applications and detects malicious activity through in-execution monitoring of process control blocks (PCBs) in the Android kernel. We employ a novel scheme to mine the hidden execution patterns in time-series PCB logs of Android applications, using information-theoretic measures, frequency component analysis and statistical analysis techniques. Built on this scheme, the framework sits in the Android kernel as a loadable kernel module and is able to detect real-world Android malware with very few false alarms. We have validated the framework using real-world Android malware (from well-known malware repositories) and popular benign applications taken from Google's official app store for Android (i.e. the Google Play Store). Through a carefully designed series of experiments, we evaluate the detection and runtime performance of our framework. It detects zero-day (previously unseen) malicious applications with over 98% accuracy while keeping the false positive rate below 1%, and its runtime processing overhead is below 4% on a low-end smartphone. Consequently, the proposed framework is a novel detection tool that the Android kernel deserves: a silent guardian and a watchful protector for Android users against mobile malware. The framework is generic and could easily be adapted to any Linux-based mobile platform.
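To make the three kinds of measures concrete, the following is an added toy illustration of how execution patterns can be mined from a time series of PCB samples. It is not the authors' code: the counter names (`nvcsw`, `utime`), the sampling, the constructed trace and the z-score rule are all assumptions.

```python
# Toy feature pipeline in the spirit of the paper: mine execution patterns from
# time-series PCB logs with information-theoretic, frequency-domain and statistical
# measures. Added illustration, not the authors' code; field names, sampling and
# the scoring rule are assumptions.
import math
from itertools import accumulate
from typing import Dict, List, Sequence, Tuple

def shannon_entropy(values: Sequence[int]) -> float:
    """Entropy in bits of the empirical distribution of a sampled counter."""
    n, counts = len(values), {}
    for v in values:
        counts[v] = counts.get(v, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def dominant_frequency(values: Sequence[float]) -> int:
    """Index k (1..n/2) of the strongest non-DC component of a naive DFT; 0 if flat."""
    n, mean = len(values), sum(values) / len(values)
    best_k, best_mag = 0, 1e-9
    for k in range(1, n // 2 + 1):
        re = sum((x - mean) * math.cos(2 * math.pi * k * t / n) for t, x in enumerate(values))
        im = sum((x - mean) * math.sin(2 * math.pi * k * t / n) for t, x in enumerate(values))
        if math.hypot(re, im) > best_mag:
            best_k, best_mag = k, math.hypot(re, im)
    return best_k

def extract_features(trace: List[Dict[str, int]]) -> Dict[str, float]:
    """Per-field entropy, dominant frequency and mean of the per-sample deltas."""
    feats: Dict[str, float] = {}
    for field in trace[0]:
        series = [row[field] for row in trace]
        deltas = [b - a for a, b in zip(series, series[1:])]
        feats[field + "_entropy"] = shannon_entropy(deltas)
        feats[field + "_domfreq"] = float(dominant_frequency(deltas))
        feats[field + "_mean_delta"] = sum(deltas) / len(deltas)
    return feats

def anomaly_score(feats: Dict[str, float], baseline: Dict[str, Tuple[float, float]]) -> float:
    """Sum of |z-scores| against a benign baseline of (mean, std) per feature."""
    return sum(abs(feats[k] - m) / (s or 1.0) for k, (m, s) in baseline.items())

# Constructed 17-sample trace of two task_struct-style counters (assumed names):
# nvcsw grows steadily, utime shows a period-4 CPU burst pattern.
SAMPLE_TRACE = [{"nvcsw": n, "utime": u} for n, u in zip(
    accumulate([10] + [1] * 16), accumulate([100] + [2, 5, 8, 5] * 4))]

# Constructed benign baseline (mean, std); a real one is estimated from known-good traces.
BENIGN_BASELINE = {"utime_entropy": (0.4, 0.2), "utime_domfreq": (0.0, 1.0),
                   "utime_mean_delta": (1.0, 0.5)}
```

On the constructed trace the steady `nvcsw` counter yields zero entropy and no dominant frequency, while the bursty `utime` counter yields 1.5 bits of entropy and a dominant component at index 4, which is what separates it from the baseline.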

VB2013 takes place 2-4 October 2013 in Berlin, Germany.
