Android Malware Analysis with TraceDroid

From Master Projects




Description


The VU maintains a system called TraceDroid, which dynamically analyzes malware samples for Android: http://tracedroid.few.vu.nl/ A detailed writeup of the techniques can be found in Victor's MSc thesis: http://tracedroid.few.vu.nl/thesis.pdf

We can offer several student projects (for BSc or small MSc projects) to extend this work:

Malware Clustering

It often helps to understand which malware samples are similar to each other. Ideally, we would have an overview of malware families, i.e., groups of malware samples created by the same author in different versions. In this project, you can explore techniques for grouping similar (malicious or benign) Android apps. For example, you could use hierarchical clustering to group families based on their code or behavior.
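To illustrate the clustering idea, here is an added example (not TraceDroid's own code): each app is reduced to the set of API calls observed in its dynamic trace, apps are compared by Jaccard distance, and single-linkage agglomerative clustering merges them into families until no pair of clusters is closer than a threshold. The app names and behaviour profiles are constructed for illustration and are not real samples.

```python
"""Single-linkage hierarchical clustering of Android apps by observed behaviour.

Added example, not TraceDroid code. The profiles below are constructed:
each maps an (invented) app name to the set of API calls seen at runtime.
"""
from itertools import combinations

# Constructed behaviour profiles: app name -> set of API calls observed in the trace.
PROFILES = {
    "bank_a.apk": {"SmsManager.sendTextMessage", "SmsMessage.createFromPdu",
                   "HttpURLConnection.connect", "TelephonyManager.getDeviceId"},
    "bank_b.apk": {"SmsManager.sendTextMessage", "SmsMessage.createFromPdu",
                   "HttpURLConnection.connect", "TelephonyManager.getLine1Number"},
    "game_a.apk": {"MediaPlayer.start", "SensorManager.registerListener",
                   "SharedPreferences.edit"},
    "game_b.apk": {"MediaPlayer.start", "SensorManager.registerListener",
                   "SharedPreferences.edit", "Vibrator.vibrate"},
    "weather.apk": {"HttpURLConnection.connect", "LocationManager.requestLocationUpdates"},
}


def jaccard_distance(a, b):
    """1 - |a & b| / |a | b|: 0.0 for identical profiles, 1.0 for disjoint ones."""
    union = a | b
    if not union:
        return 0.0
    return 1.0 - len(a & b) / len(union)


def cluster(profiles, threshold):
    """Agglomerative single-linkage clustering.

    Start with one cluster per app and repeatedly merge the two closest
    clusters (closest = smallest distance between any member pair) until
    that distance exceeds `threshold`. Returns a sorted list of sorted
    name lists, one per family.
    """
    clusters = [[name] for name in profiles]

    def linkage(c1, c2):
        return min(jaccard_distance(profiles[x], profiles[y]) for x in c1 for y in c2)

    while len(clusters) > 1:
        pairs = ((i, j) for i, j in combinations(range(len(clusters)), 2))
        (i, j), dist = min(((p, linkage(clusters[p[0]], clusters[p[1]])) for p in pairs),
                           key=lambda t: t[1])
        if dist > threshold:
            break
        merged = clusters[i] + clusters[j]
        clusters = [c for k, c in enumerate(clusters) if k not in (i, j)] + [merged]
    return sorted(sorted(c) for c in clusters)


if __name__ == "__main__":
    for family in cluster(PROFILES, 0.5):
        print(family)
```

Raising the threshold merges looser groups (at 0.9 the weather app joins the banking family through its shared network call), so the cut-off is itself a tuning decision when building a family overview.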

Identification of SMS Stealing

Many malicious apps try to leak the content of SMS messages received by a smartphone user. Adversaries typically use these messages to circumvent 2-factor authentication schemes that use SMS as the channel for transferring the secondary token. A prominent example is the mobile counterpart of a banking trojan that forwards mobile TAN messages to an attacker who aims to perform fraudulent banking transactions. In this project, you can explore techniques for automatically detecting such behavior in TraceDroid. For example, you could inspect the malware behavior when we emulate incoming SMS messages in TraceDroid.

Analysis Reports

Right now, TraceDroid is an expert system, and only we, the maintainers, can really understand the output of the analysis. At the same time, TraceDroid is open to submissions by other people, who currently do not receive reports about the analysis. In this project, you can dig into the analysis results and find ways to present them that are suitable for malware submitters. For example, you could extend a (secure) web interface that presents a result report.

Static Analysis

TraceDroid is excellent for dynamic analysis, i.e., it records the malware's behavior while it is under analysis. However, it is often useful to look at the malware statically as well. In this project, you can explore techniques for converting an Android APK file to Java code and evaluate their limitations (such as anti-decompilation).


Please contact c.rossow@vu.nl to discuss these ideas in detail.