Annual Computer Security Applications Conference (ACSAC) 2016

Full Program »

M1. Understanding and Contrasting Android Malware at Runtime

Monday, 5 December 2016
08:30 - 12:00

Salon 6A

At the end of 2015, Android-based devices are the most sold in the world dominating the market with a solid 84.7% share [1]. A key-aspect in Android's success is the support for third-party applications (or simply apps) creating a very dynamic software landscape accessible through the Google Play marketplace as well as third-party markets.

The rate of Android success is only matched by the increase in malicious activity targeting Android. Between 2011 and 2012 the malware samples targeting Android has gone up of 1000% [2]. At the end of 2012, Android has crashed another record becoming the top target for malicious code overtaking Microsoft's Windows operating system [3]. Currently, Android malware is still on the rising. A recent report by anti-virus vendor Kaspersky [4] indicates that the number of new malicious programs targeting Android has tripled in 2015.

Android is not only dominating the mobile device market (smartphones and tablets), but is also becoming predominant in mission critical support and infotainment car systems. The implication of its security issues can be very important in these areas as well. For instance, through Android malware could find its way to interact with the Can Bus system of a car. Also, Android is very relevant in Internet of Things (IoT) devices where it is being used as OS.

This course will be organised as follows. Firstly, to bring everyone up to speed, we will discuss some relevant access controller models used in Android. Then we will move into details about Android and detailing some of its internals. Next, we will study Android security mechanism and features. We will cover also recent research efforts for enhancing some aspect of Android security framework.

In the last part of the course, we will focus on Android malware highlighting the attack types and providing details of some malware families. One of the common characteristics of Android malware is that most of them use reverse engineering for repackaging benign apps with malicious payloads. In view of this, we will cover some of the recent approaches that deal with app tampering detection and protecting. We will conclude with a Q&A session.

[1] Smartphone OS Market Share, Q3 2015. Available:  

[2] Android malware up over 1000% in last three months. .

[3] The changing face of security: Android overtakes windows as top threat. overtakes-windows-as-top-threat/


Learning Objectives:

  • Deep understanding of the Android security model
  • Understanding of the malware capabilities and how to contrast them
  • Know-how to develop robust and secure apps and policies for cyber-physical systems
  • An overview of the most recent security approached in Android

Prerequisites: An understanding of Operating Systems (Linux in particular) and Access control models (MAC and DAC).


1. Introduction

An initial overview of the course content followed by an overview of the basic principle of system security to bring all the students at the same level of knowledge on access control and policy-based systems. 

2. Overview of the Android Security Framework And Inter Component Communication (ICC)

We will dive in the details of the security framework of Android and some of its not-so-well documented exceptions/refinements. To better understand some of the malware action is also important to cover the ICC mechanism offered by Android to apps for exchanging information and communicate with the system services (e.g., SMS sending service).

3. State of the Art

We will discuss the state of the art in research, covering the most recent research efforts in security for the Android OS. We will also discuss why current commercial solutions, such as Anti-Virus Software are not capable of contrasting this huge wave of attacks.

4. Malware Classification

There are several malware families for Android. We will discuss each of these families providing details of their malicious actions, and what damage/loss they cause.

5. App Code Protection

In this part of the course, we will use a real device where several malware samples will be deployed and executed. The most important aspects of the attack for each malware will be highlighted to the students.

6. Conclusion

Wrapping up the course with Q&A session and pointers for further reading material.


About the Instructor:

Dr. Giovanni Russello is an Associate Professor at the University of Auckland. He has worked on access control and cloud security for the past 10 years. In the last 5 years, he has also focused in enhancing the security for the Android OS.

This course builds on the experience gained in the last 3 years where Giovanni has given a similar course at ACSAC 2013, ACSAC 2014, and ACSAC 2015. The course is based on a post-graduate course (20 hours of lectures), taught at his department since 2013. Students who attended this course were very enthusiastic and find it very useful.


Powered by OpenConf®
Copyright©2002-2016 Zakon Group LLC