CopperDroid: On the Reconstruction of Android Malware Behaviors

Today mobile devices and their application marketplaces drive the entire economy of the mobile landscape. For instance, Android platforms alone have produced staggering revenues exceeding 9 billion USD, which unfortunately attracts cybercriminals with malware now hitting the Android markets at an alarmingly rising pace.

To better understand this slew of threats, in this talk I present CopperDroid, an automatic VMI-based dynamic analysis system to reconstruct the behavior of Android malware. Based on the key observation that all interesting behaviors are eventually expressed through system calls, CopperDroid presents a novel unified analysis able to capture both low-level OS-specific and high-level Android-specific behaviors. To this end, CopperDroid presents an automatic system call-centric analysis that faithfully reconstructs events of interests, including IPC and RPC interactions and complex Android objects, to describe the behavior of Android malware regardless of whether it is initiated from Java or native code execution. CopperDroid’s analysis generates detailed behavioral profiles that abstract a large stream of low-level—sometimes uninteresting—events into concise high-level semantics, which are well-suited to provide effective insights.

Extensive evaluation on more than 2,900 Android malware samples, show that CopperDroid faithfully describes OS- and Android-specific behaviors and, through the use of a simple yet effective app stimulation technique, successfully triggers and discloses additional behaviors on more than 60% (on average) of the analyzed malware samples, qualitatively improving code coverage of dynamic-based analyses.

Lorenzo Cavallaro is a Senior Lecturer of Information Security in the Information Security Group at Royal Holloway University of London. His research interests focus on systems security, and malware analysis and detection.

Lorenzo is Principal Investigator on the 4-year EPSRC-funded BACCHUS grant EP/L022710/1 “MobSec: Malware and Security in the Mobile Age” (Jun 2014–Jun 2018), Principal Investigator on the 3-year EPSRC-funded CEReS grant EP/K033344/1 “Mining the Network Behavior of Bots” (Jun 2013–May 2016), co-Investigator on the 3.5 years EPSRC- and GCHQ-grant EP/K006266/1 “Cyber Security Cartographies (CySeCa)” (Oct 2012–Mar 2016), Academic Partner of the EPSRC-funded “Network in Internet and Mobile Malicious Software (NIMBUS)” (Nov 2012–Oct 2015), Associate Member of the EU FP7 NoE SysSec and member of the SysSec RedBook ( Task Force, and Partner of the EU FP7 CSA CyberROAD aimed at the development of a cybercrime and cyber-terrorism research roadmap. He is author and co-author of several papers and has published in well-known venues and served as PC member and reviewer of various conferences and journals. He was Program co-Chair of WISTP 2013, and has delivered “Malicious Software and its Underground Economy: Two Sides to Every Story”, a MOOC Coursera course (40,000+ enrolled students) in June 2013, with a second edition scheduled for April 28 2014.

Before joining the ISG, Lorenzo was a Post-Doc at VU Amsterdam working on systems dependability (Prof. A. S. Tanenbaum), malware analysis, and memory errors (Prof. H. J. Bos). He was also a Post-Doc at UC Santa Barbara (UCSB), working on botnet analysis and detection (Profs C. Kruegel and G. Vigna). At UCSB, Lorenzo co-authored the paper titled “Your Botnet is My Botnet: Analysis of a Botnet Takeover”, which reports on the team efforts on taking over a real-world botnet (ACM CCS & UCSB CS Outstanding Publication Award). During his PhD, Lorenzo was a long-term visiting PhD scholar at Stony Brook University working on memory errors and taint analysis (Prof. R. Sekar).

Hosted jointly with the LSDS group.