Paper Review AppContext Differentiating Malicious and Benign Mobile App Behaviors Using Context

High-level

Summary: A static analysis that extract contexts of security-sensitive behaviors to assist app analysis in differentiating between malicious and benign behaviors.

Evaluation:

202 malicious apps from various malware datasets and 633 benign apps from Google Play Store. AppContext identifies 192 malicious apps with 87.7% precision and 95% recall.

An insight, an abstraction, a static analysis technique.

Takeaways:

Notably, the key difference between these two apps is that the malicious app uses the SMS APIs under an unexpected context. SMS with vs. without user consent. Thus, malware often leverages system events to increase the chances of invoking its malicious payloads Since app reviewers or automated tools, such as Bouncer, can analyze apps for only a short period of time and with limited variations of environmental conditions.

abstraction of the contexts: activating conditions (e.g., events triggering the execution of payloads) and guarding conditions (e.g., environmental attributes controlling the execution of payloads). we define a context for a security-sensitive behavior as a tuple containing an activation event (the event that triggers the security-sensitive behavior), and a series of context factors (environmental attributes controlling the execution of the security-sensitive behavior).

To leverage the extracted contexts for differentiating malicious behaviors and benign ones, we transform these contexts as features and use machine learning techniques, such as support vector machine (SVM) [19], to classify security-sensitive behaviors as malware or benign one.

Malware Detection. Our approach complements existing malware-detection analysis by identifying contexts that indi- cates the intentions of data uses. There are various approaches that perform analysis to detect malicious behaviors, such as dynamic taint analysis [7], [43], language-based information flow [44]–[47], static analysis [33], [48]–[50], and Bayesian classification [51]. However, these approaches are concerned about how privacy-sensitive data protected by permissions are used, while our approach provides the contexts under which the permissions are triggered.

Practical Value

What you can learn from this to make your research better?

What characters of malware do you find and exploit?

Details and Problems From the presenters’ point of view, what questions might audience ask?

What is the baseline for evaluation?

AppContext chains all ICCs within the app and constructs an extended call graph (ECG) to infer activation events. AppContext combines the control flows of all components from entry points triggered by activation events to the method calls that trigger security-sensitive behaviors in a reduced inter-procedure control flow graph (RICFG) and leverages information flow analysis [18] to identify the environmental attributes that affect the control flows.