SIAT: A systematic inter-component communication real-time analysis technique for detecting data leak threats on Android

• Published in: Journal of computer security Vol. 32; no. 3; pp. 291 - 317
• Main Authors: Hu, Yupeng, Kuang, Wenxin, Zhe, Jin, Li, Wenjia, Li, Keqin, Zhang, Jiliang, Hu, Qiao
• Format: Journal Article
• Language: English
• Published: London, England SAGE Publications 17.06.2024; Sage Publications Ltd
• Subjects: Algorithms; Applications programs; Data integrity; Datasets; Performance degradation; Performance evaluation; Real time; Run time (computers); Workflow; Android malware; dynamic threats detection; inter-component communication; taint tags; threat patterns
• ISSN: 0926-227X; 1875-8924
• DOI: 10.3233/JCS-220044

This paper presents the design and implementation of a systematic Inter-Component Communications (ICCs) dynamic Analysis Technique (SIAT) for detecting privacy-sensitive data leak threats. SIAT’s specific approach involves the identification of malicious ICC patterns by actively tracing both data flows and implicit control flows within ICC processes during runtime. This is achieved by utilizing the taint tagging methodology, a technique utilized by TaintDroid. As a result, it can discover the malicious intent usage pattern and further resolve the coincidental malicious ICCs and bypass cases without incurring performance degradation. SIAT comprises two key modules: Monitor and Analyzer. The Monitor makes the first attempt to revise the taint tag approach named TaintDroid by developing the built-in intent service primitives to help Android capture the intent-related taint propagation at multi-level for malicious ICC detection. Specifically, we enable the Monitor to perform systemwide tracking of intent with five abstraction functionalities embedded in the interactive workflow of components. By analyzing the taint logs offered by the Monitor, the Analyzer can build the accurate and integrated ICC patterns adopted to identify the specific leak threat patterns with the identification algorithms and predefined rules. Meanwhile, we employ the patterns’ deflation technique to improve the efficiency of the Analyzer. We implement the SIAT with Android Open Source Project and evaluate its performance through extensive experiments on a particular dataset consisting of well-known datasets and real-world apps. The experimental results show that, compared to state-of-the-art approaches, the SIAT can achieve about 25% ∼200% accuracy improvements with 1.0 precision and 0.98 recall at negligible runtime overhead. Apart from that, the SIAT can identify two undisclosed cases of bypassing that prior technologies cannot detect and quite a few malicious ICC threats in real-world apps with lots of downloads on the Google Play market.