Annual Computer Security Applications Conference (ACSAC) 2013

Full Program »

T4. Analysing Android Malware at Runtime

Tuesday, 10 December 2013
08:30 - 12:00

Orleans B

Android-based smartphones are the most sold in the world dominating the market share with a solid 72.4% [1]. A key-aspect in Android's success is the support for third-party applications (or simply apps) creating a very dynamic software landscape accessible through the Google Play marketplace as well as third-party markets.

The rate of Android success is only matched by the increase in malicious activity targeting Android. Between 2011 and 2012 the malware samples targeting Android has gone up of 1000% [2]. At the end of 2012, Android has crashed another record becoming the top target for malicious code overtaking Microsoft's Windows operating system [3].

Android is not only dominating the mobile device market (smartphones and tablets), but is also becoming predominant in mission critical support and infotainment car systems. The implication of its security issues can be very important in these sectors as well. For instance, through Android malware could find its way to interact with the Can Bus system of a car.

In this course, we will study the security model in Android and how malware is able to bypass some of its security features. To better understand the security exploits, the first part of the course will be dedicated to the Android security framework and how apps interact with it. The second part of the course will focus on the analysis of real malware samples. To demonstrate the malware capabilities, we will use a real Android device where the malware samples will be installed and executed. By means of a tracing tool developed in our lab, we can monitor at runtime the malware execution and display its action to the audience. Finally, we will cover recent research effort in securing the Android OS.

Prerequisites. An understanding of Operating Systems (Linux in particular) and Access control models (MAC and DAC).


  1. Introduction (1 hour)

    An initial overview of the course content followed by an overview of the basic principle of system security to bring all the students at the same level of knowledge on access control and policy-based systems.

  2. Overview of the Android Security Framework And Inter Component Communication (ICC) (1 hour)

    We will dive in the details of the security framework of Android and some of its not-so-well documented exceptions/refinements. To better understand some of the malware action is also important to cover the ICC mechanism offered by Android to apps for exchanging information and communicate with the system services (e.g., SMS sending service).

  3. State of the art (1 hour )

    We will discuss the state of the art in research, covering the most recent research efforts in security for the Android OS. We will also discuss why current commercial solutions, such as Anti-Virus Software are not capable of contrasting this huge wave of attacks.

  4. Malware Classification (1 hour)

    There are several malware families for Android. We will discuss each of these families providing details of their malicious actions, and what damage/loss they cause.

  5. Malware Runtime Dissection (1 1/2 hour)

    In this part of the course, we will use a real device (connected to the projector) where several malware samples will be deployed (at least one for each malware family). By means of an analysis tool developed in our department, we will trace the actions performed by the malware at runtime showing the details of each attacks.

  6. Malware Runtime Dissection (1/2 hour)

    We will conclude with some final remarks, detailing some techniques that can be used to protect apps developed for this platform with emphasis on mission critical and cyber-physical systems.

About the Instructor:

Dr. Giovanni Russello is a lecturer at the University of Auckland. He has worked on policy-based systems, access control mechanisms, and cloud security for more than 10 years. In the last two years, he has focused his research efforts in enhancing security for the Android OS. This professional development course is based on Giovanni's experience in the field. Giovanni has already provided a longer version of this course as a postgraduate course at his department receiving excellent feedback from his students. Giovanni is the founder and CEO of Active Mobile Security, a stealth startup focusing on mobile security.


Powered by OpenConf®
Copyright©2002-2014 Zakon Group LLC