AppAngio: Revealing Contextual Information of Android App Behaviors by API-Level Audit Logs

Bibliographic Details
Published in: IEEE Transactions on Information Forensics and Security, Vol. 16, pp. 1912-1927
Main Authors: Meng, Zhaoyi; Xiong, Yan; Huang, Wenchao; Miao, Fuyou; Huang, Jianmeng
Format: Journal Article
Language: English
Published: New York: IEEE (The Institute of Electrical and Electronics Engineers, Inc.), 2021
Summary: Android users face serious threats from the unwanted behaviors of apps. Analyzing an app's audit logs is one of the essential methods by which security analysts at various companies uncover the maliciousness hidden in apps. We propose and implement AppAngio, a novel system that reveals the contextual information of Android app behaviors from API-level audit logs. Our goal is to help security analysts understand how the target apps worked and to facilitate the identification of malicious behavior within apps. The key module of AppAngio identifies the path on the app's control-flow graphs (CFGs) that matches the logs. The challenge, however, is that the logs are sparse, so matching them can be computationally expensive: the coupling between successive log records yields a large number of candidate paths. To address this, we propose a divide-and-conquer strategy that precisely positions the nodes matched with log records on the corresponding CFGs and then connects those nodes with as few backtracks as possible. Our experiments show that AppAngio reveals the contextual information of behaviors in real-world apps. Moreover, the revealed results assist analysts in identifying malicious app behaviors and complement existing analysis schemes. Meanwhile, AppAngio incurs negligible performance overhead on a real device in our experiments.
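To make the matching idea in the abstract concrete, the following is an added toy example (not AppAngio's code, data or algorithm): a constructed CFG whose nodes are annotated with the Android API they call, a constructed sequence of audit-log records, and a divide-and-conquer matcher that first places each record on its candidate CFG nodes, then connects successive placements with a shortest path, backtracking to the next candidate only when no log-consistent path exists. The API names, node labels and the two assumptions it relies on (every API call in the CFG is audited, so an unlogged API-calling node cannot lie between two logged ones; and the log covers execution from the method entry) are illustrative assumptions, not claims about the paper.

```python
"""Toy CFG/log matcher illustrating the divide-and-conquer idea from the abstract.

Constructed example, not AppAngio's code or data: the CFG, API names and log
records below are made up. Assumptions: every API call in the CFG is audited,
so a CFG node that calls an API and lies between two logged calls would itself
have produced a log record; and the log covers execution from the method entry.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple

# node -> (audited API called at that node, or None; list of successor nodes)
CFG: Dict[str, Tuple[Optional[str], List[str]]] = {
    "entry": (None, ["a", "b"]),
    "a": ("TelephonyManager.getDeviceId", ["c"]),
    "b": ("TelephonyManager.getLine1Number", ["c"]),
    "c": (None, ["d", "e"]),                 # branch: encrypt the value or not
    "d": ("Cipher.doFinal", ["f", "k"]),
    "e": (None, ["f"]),
    "f": ("URL.openConnection", ["g", "h"]),
    "k": ("OutputStream.write", ["exit"]),   # same API as g, reachable only via d
    "g": ("OutputStream.write", ["exit"]),
    "h": ("Log.d", ["exit"]),
    "exit": (None, []),
}


def candidates(api: str) -> List[str]:
    """Divide step: every CFG node that calls the logged API is a candidate."""
    return [n for n, (call, _) in CFG.items() if call == api]


def connect(src: str, dst: str) -> Optional[List[str]]:
    """Shortest path src -> dst whose interior nodes call no audited API.

    An interior node that called an API would have produced a log record
    between the two records being connected, so such a path contradicts
    the log and is pruned during the BFS.
    """
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        for nxt in CFG[path[-1]][1]:
            if nxt == dst:
                return path + [nxt]
            if nxt in seen or CFG[nxt][0] is not None:
                continue
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def match_log(records: List[str]) -> Optional[List[str]]:
    """Conquer step: connect successive placements one pair at a time,
    backtracking to the next candidate only when no log-consistent segment
    exists from the previous placement. Returns the full matched path or None."""
    def solve(i: int, prev: str) -> Optional[List[str]]:
        if i == len(records):
            return [prev]
        for cand in candidates(records[i]):
            segment = connect(prev, cand)
            if segment is None:
                continue
            rest = solve(i + 1, cand)
            if rest is not None:
                return segment[:-1] + rest
        return None
    return solve(0, "entry")


def unlogged_context(path: List[str]) -> List[str]:
    """Nodes on the matched path that the log never mentions: the context
    (e.g. which branch was taken) that the records alone do not show."""
    return [n for n in path if CFG[n][0] is None]


if __name__ == "__main__":
    # Constructed log: device ID read, connection opened, data written, no encryption record.
    trace = ["TelephonyManager.getDeviceId", "URL.openConnection", "OutputStream.write"]
    path = match_log(trace)
    print("matched path:", path)
    print("unlogged context:", unlogged_context(path))
```

The interesting output is the unlogged context: for the trace above the matcher passes through `e` rather than `d`, telling the analyst that the identifier was sent without going through the `Cipher.doFinal` branch, something the three log records alone do not say. The `OutputStream.write` record also exercises the backtracking: candidate `k` is tried first but is unreachable from `f` without crossing another API-calling node, so the matcher falls back to `g`.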
ISSN: 1556-6013, 1556-6021
DOI: 10.1109/TIFS.2020.3044867