Detecting Android Malware using Support Vector Machines (SVM) - android

I'm trying to develop an application capable to detect malicious application for Android platform using Support Vector Machines (SVM).
I can get many system information from "logcat" and "strace" tools but I don't now how to manage to detect real malicious applications.
Does anyone know how to stablish/record normal behavior use of the device using those tools, I mean, get information from the device and set a behaviour pattern.
Best regards

You will always have trouble determining malicious application behavior: Kymie M.C. Tan, Roy A. Maxion, ""Why 6?" Defining the Operational Limits of Stide, an Anomaly-Based Intrusion Detector," sp, pp.188, 2002 IEEE Symposium on Security and Privacy, 2002
But if you really want to try, perhaps the starting point is here: "Intrusion Detection Using Sequences of System Calls." S. Hofmeyr, S. Forrest, and A. Somayaji Journal of Computer Security Vol. 6, pp. 151-180 (1998)

I wonder, if this is possible ...
How do you want to rate whether a behavior is normal for an application? Do you plan a "learning phase" where everything a certain app does, is recorded (if that's possible without root access in the first place!) and then saved as the "profile" of "normal behavior" of that app?Say you record whatever behavior an application has, e.g. a tool to organize icons on the homescreen. Now say this application also offers the function to call one of your favorite contacts directly, it will need the permission to access your contacts and to make phonecalls. If this feature is hardly used, you would probably not record it during your "learning" period of this app and rate the app as malicious once it tries to make a phone call.And what if an app shows malicious behavior during the "learning phase" where you can't detect it because you haven't determined the "normal behavior" yet?
Sounds like the "normal behavior" has to be saved somewhere to rate an app before you install it and it starts acting weird or performs unwanted actions. But then again: what is anwanted for one user may be perfectly normal for another one ...
I'm interested in whatever fancy solutions people come up with, but I guess this will be a hard one ...

what if you use sets of malicious calls in Android first rather than profiling the normal ones.
Also, take note, if you're using unsupervised classification, it does not know what kind of data that it classifies

For Windows API usually people take a look on the sequence to determine their sets of actions.
You can find papers/researches done on that too for the Android platform.

Related

Make Phone Calls skipping dialer on Adobe AIR for Android

I am creating a android app on adobe air. I have a button in my app, clicking on which I need to call to a number skipping the dialer and once the call finishes I want the control to return to my app and record the call duration in local db. Someone please help me with code/links to the information.
Currently I am using following code to call the number which goes through the dialer,
navigateToURL(new URLRequest("tel:"+telNumber.text));
I do not believe that this is possible. The security model in both Android and iOS is pretty similar: an app cannot spy on another, peek at its data or direct execution. If you could do this, what would stop a malicious application from taking over the phone and doing bizarre things?
Once you leave your app, whether it be to jump to the browser, the maps, or the dialer, you have released control of the screen, and are now in the background with very limited execution capability.
It would be nice if the OS manufacturers opened up their systems more to have a clear API for controlling these fundamental apps. In particular the Apple dialer leaves much to be desired, but Apple bans any app that purports to be a dialer. Frankly the built-in dialers are not that clever, and it would be easy to imagine much better ones. Android is often customized by hardware vendors for this reason, and HTC, Samsung and others have their own dialers.
I don't even believe that the dialer programs agree on their data structures, so you would be on android chasing down 100 dialing programs and 100 different data formats, and for security reasons i don't think you can access the application private data.
I can imagine you would want to do what you are trying to do, but i think you are better off pursuing making your own dialer program, so you don't have to release control of the CPU to an unfriendly 3rd party program. Android won't stop you from making a dialer.
This is definitely 100% possible, I just did it (by using an ANE). Many apps have this functionality it just requires adding the correct permission on Android (to avoid security problems). Here is the ANE I used to skip the dialer and make an immediate call on Android in Adobe AIR: https://github.com/illuzor/Android-Communication-Extension-ANE (though specifically if anyone else tries using it, you must use AIR 21, using later version like 22 and beyond it did not work)

Android: Prevent regular users from accessing safe-mode?

I'm planning to deploy an app on my android smartphone which is supposed to be used by multiple other persons. Now of course I do not want them to do things with the device they are not supposed to do so I informed myself about several different ways to make it as safe as possible (Lock-down apps, Kiosk mode, Mobile-device-management, Code-tweaks and so on).
I found some solutions that look really promising but they all share the same problem that a user could just restart the device and boot it in safe-mode where those helpful apps won't be started. However, there is one exception: I've installed a MDM app called maas360 which somehow manages to apply the restrictions that I defined even in safe-mode, for example by blocking access to the menu settings. How is that even possible? The thing is just that this is not a free app and it offers a huge variety of functions - overall it seems to be a bit excessive for my goals.
So my general question would be: is it somehow possible to restrict access to the safe-mode somehow? Maybe like a password? From what I understand it is not even possible to set a system password for Android devices that you'd have to enter once it boots (except if you set up a password for unlocking the screen first which would then be the same one... very redundant).
Disabling physical switch of volume down (in case of samsung devices) will stop access to safe mode on device. I dont find any other way to do so.

How to take a screenshot of other app programmatically without root permission, like Screenshot UX Trial?

How to take a screenshot of other app programmatically without root permission, like Screenshot UX Trial?
I know I can capture the bitmap of the root view in my app. But I can't get the root view of the other app when my app is running in background
bitmap = Bitmap.createBitmap(rootview.getDrawingCache());
There is a permission for capturing current frame buffer in Manifest: android.permission.READ_FRAME_BUFFER. But some website says it's for signature app only.
Check Android Permissions - Protection Levels
After trying Screenshot UX Trial, I read the permission:
INTERNET: for connect to localhost screenshot server for rooted phone.
SYSTEM_ALERT_WINDOW: for topmost camera button.
VIBRATE: for vibrate feedback.
WRITE_EXTERNAL_STORAGE: to save the screenshot.
GET_TASKS: for detect foreground Develoment setting activity for non rooted&non preloaded capture method.
It seems either SYSTEM_ALERT_WINDOW or GET_TASKS allow the app to take screenshot.
I have two guess of how it works:
It may be able to access the Activity of the foreground activity, it gets the root view of the Activity, capture its screenshot.
Calling glreadpixels
If you try one of my guess, please let me know the result.
This is extremely difficult. I spent several years trying to do it. I eventually succeeded, but any solution will involve commercial as well as technical effort.
Update March 2015
Most of the stuff below is no longer up-to-date. There's now, after all these years, an android.media.projection package
https://developer.android.com/reference/android/media/projection/package-summary.html
which finally allows what you need!
Capturing the screen image of your own application
For completeness, I want to include your own comment that you can capture an image of your own application using Bitmap.createBitmap(rootview.getDrawingCache()); and similar mechanisms.
Capturing the screen of another application whilst you're in the background
Using the READ_FRAMEBUFFER permission
Firstly, you're right that a normal application can't make use of the READ_FRAMEBUFFER permission, because it's "signature"-level. That means you must be signed by the same key as the Android system ROM in order to be able to take such a screenshot.
I thought this was a bit sad, so back in 2009 I made an Android open-source project submission to ask that it be opened up1. The response from Dianne Hackborn, the Android architect was:
Um, no. Absolutely positively not.
So, that went well, then! Hence this permission is still signature-level to this day.
If you had this permission, however, you could call the captureScreen member of ISurfaceComposer2. You'd need to write some native code to access this function, using the Android NDK and also some undocumented APIs. However, it's possible.
Internally within the Android graphics subsystem, this uses a glReadPixels call to retrieve the pixels from the GPU back to the CPU. (The GPU is used for most of the compositing on Android. In fact Android 4.0+ supports extra hardware compositors, and the Surface Flinger has to do even more work to pull those pixels back to the CPU.)
This call works beautifully, except for a few small problems:
The risk of using an unsupported API which might break at any moment;
The hassle of calling it in C++
It causes the GPU pipelines to stall, which can upset the GPU designers but doesn't really cause problems in reality
It relies on a large bandwidth from the GPU back to the CPU. This is sometimes problematic because memory architectures are designed to send data in the opposite direction. However, I seem to recall that all modern Android chipset architectures directly share memory between the GPU and CPU, except for one (it may be Broadcom? - I can't remember) where this may cause this mechanism to be very slow.
... and one large problem ...
Most importantly, as a normal application writer, you can't even call this API due to the signature-level permissions required.
Still, on most Android devices, you can get 10 frames per second out of this. Better still, this API actually supports scaling the resulting image in hardware on the GPU, so if you're clever you can pre-scale the image to just the size you need, before the pixels even hit the CPU. So it can be extremely high performance.
Note, of course, that you as an application writer can't call glReadPixels because you don't have access to the relevant OpenGL context. It's owned by the surface flinger.
Using /dev/graphics/fb0 and similar
Some are tempted to try to read these Linux device files which represent the framebuffer. However, there are three problems:
You need root.
Sometimes they're not even there.
Often, they don't represent the real screen image. Remember on Android that the graphics are composited on the GPU. So there's no reason why the CPU should have access to a copy of the full composited screen image, and it often doesn't. This file sometimes contains tearing (at best) and a garbage image (at worst). Interestingly, some of the tools for rooted phones do use this method, which I think is a mistake. If you've got root, you by definition have all Android permissions and can therefore call the above captureScreen API to get a correct image.
Using hardware partners
Now we get into the solutions which require commercial action.
Talking to the Android chipset makers often presents a solution. Since they design the hardware, they have access to the framebuffer - and they often are able to provide libraries which entirely avoid the Android permissions model by simply accessing their custom kernel drivers directly.
If you're aiming at a specific phone model, this is often a good way forward. Of course, the odds are you'll need to cooperate with the phone maker as well as the silicon manufacturer.
Sometimes this can provide outstanding results. For example I have heard it's possible on some hardware to pipe the phone hardware framebuffer directly into the phone hardware H.264 video encoder, and retrieve a pre-encoded video stream of whatever is on the phone screen. Outstanding. (Unfortunately, I only know this is possible on TI OMAP chips, which are gradually withdrawing from the phone market3).
Using security holes
Android rigidly enforces its permission model, and has few security holes. However the Android OEMs can sometimes be more careless.
For example a major OEM whose name begins with S has implemented a way to capture the screen using a keystroke. It saves it to a world-readable file on the SD card. Hypothetically you might be able to find what intercepts those keys and see how it works. Perhaps you could do something similar.
And perhaps there's a way for another major OEM whose name also begins with S.
No, I'm not going to go into any more detail on this section. To work out how to do those things, I'd need to have reverse-engineered software, and that might be illegal. Good luck, though.
Working with the phone makers
As described previously, the phone makers have ready access to an API which does work. And the phone makers have the signature-level permissions required.
So, all you need to do is to arrange to get your software signed by the phone maker.
This is, however, hard. By signing the software, the phone maker is guaranteeing its quality - so they should want to audit your source code. Also, due to the nature of Android - if they sign the software, they need to be the ones distributing it. You can't put it on the Market if it is signed by someone else's signature.
However, the OEM need not include it on the ROM - they can still distribute it on the Android market. But you can't.
A good solution would be if each vendor signed a small library which then could be accessed by a common SDK. Which leads me onto...
Work with software partners who have solved this already
I know a lot about this because I used to work at RealVNC. We worked with all the major Android phone vendors to get access to these signature-level APIs. I cannot overemphasise the many, many man-years of effort (commercially and technically) required to achieve this. Some of the OEMs have publicised this work - for example 4.
I do not work at RealVNC any more, so I have nothing to gain from advertising their software. But if you really really want to be able to capture the screen on multiple Android devices, you may wish to approach them about re-using their Remote Control Service or Android VNC SDK 5. It is not open-source so you should expect to pay, and believe me this is fair enough given the epic effort involved in working with all these Android OEMs.
In the interests of balance I should point out that other vendors have also worked with the phone makers on this - e.g. Soti. But I believe they all offer specific device management solutions, rather than a general remote control/event injection SDK.
Over USB
Another option - the adb daemon which listens for debugging connections over USB has slightly more privileges than a normal application, which is why it's able to grab the screen (you can see its image using the ddms tool). If you're able to run any command using adb then you too can gain those privileges (as per the android-screenshot-library linked previously).
Contribute to the Android open-source project
Eventually this problem reduced me to dust, and I left for greener pastures which didn't involve trying to squeeze pixels out of Android phones.
Before I left RealVNC though, we tried again to contribute these APIs to the Android open-source project. This time we got a more positive reaction6. In short, it was suggested that our security approach was almost right, but that the graphics system was in too much turmoil to accept our patches. Well, the great news is that the graphics system is no longer in turmoil - in fact it now has that captureScreen API which means no graphics system changes are needed whatsoever. It may therefore be possible to submit a new security mechanism to AOSP around this API which finally solves this problem.
Maybe the android-screenshot-library can help. But well in their Usage page it says that it needs a native service started with adb (from the android sdk).
PS: Remember that Screenshot UX does not work for every unrooted phone.
I don't think Android will allow you to access another app's frame buffer. This is just part of the security of Android. Each app should keep to its own resources.
If you really need to get a screen capture of any app, I would suggest using the native screen grab "gesture". For the the Nexus 7 for example, simply "... hold the power button and the volume down button at the same time for approximately 2 seconds."
A Google search will usually find the trick with your device.

How can I kill everything on my Android tablet except my app, and keep them all dead?

Please don't tell me what a bad idea this is. I am not using it as an Android tablet. It is the interface for a propitiatory medical system my company is designing. It's only function ever will be to control the system we are building.
That being said, how can I remove everything from the tablet and only run my app until the tablet dies or the standard firmware is reinstalled?
The tablet is being used exclusively as an interface control panel and CPU to my program which controls the medical equipment externally. I don't want anything else on the tablet. I don't want the users to do anything other than run my program on my equipment.
How can I lock the users into only using my program for the life of the tablet?
(I am building a system that happens to use an Android tablet to control it. Basically, I thought it would be easier to use a tablet, rather than design from scratch a system based on one or more microprocessors and which uses a custom designed and built color interface panel. If the doctors want to use an Android tablet for their offices, they are welcome to buy one.)
Thank you in advance.
Thank you all for your advice.
You will have to build your own version of Android if you wish to do this. For several reasons it is not possible to make an application that will do what you want and have it work on consumer devices.
Exactly how you need to go about customizing the OS build is going to depend on your exact hardware. But the simplest modifications will be removing the unneeded apk files from system/app/ and data/app/
AOSP and XDA-Developers are two great resources for learning the ins and outs of building a custom ROM.
If the device has reasonable power to it, you shouldn't need to worry about background processes.
If this is a consumer product, then it probably has the Google Apps suite and other related items, in which case rooting it and not installing those would be the best route. AOSP only runs processes that it needs to run Android out of the box.
Edit: You might just write the apps a Launcher and not allow opening other apps as the best route to accomplishing your goals.
You might need a custom ROM. It really depends on what version of Android your device supports. Check out the last in the list below.
http://www.redmondpie.com/best-most-popular-custom-roms-for-android-and-why-you-should-try-them-out/
I'm facing similar obstacles utilizing my business tablets. I want to restrict all the pre-loaded applications & only allow the tablet to be utilized for certain applications. White listed websites & such. I wonder if a 3rd party service such as ZENPRISE might offer a mobile management system that would take care of this for me?
zenprise

Is it possible to do all these on an Android phone?

I am wondering is it possible to do all these on an Android phone? Example, Samsung Galaxy S phone
To automatically launch a video clip upon phone start up i.e. from off position or phone ‘reboot’/’restart’
To run the video clip while the phone is idling
To launch to a particular wap site when interrupted
To restrict user from going to other portal other than the 3 steps above
To restrict user from running other application on the phone.
1) Yes but it may be hard to completely replace the phone's own screens and animation effects thus giving the smooth experience I think you're looking for. It's also pretty user-hostile.
2) What is 'idling'? If you mean standby, absolutely not. You'd kill the battery in 20 minutes in any case.
3) You can launch a website when the phone comes out of standby but it would be really annoying for the user. As for WAP .. I have no idea if you can view WAP on Android. Probably someone has made a viewer. I wasn't aware WAP was being used by anyone since some time around 2008.
4) Not without making your own custom build of Android and flashing it (very difficult technically). Sounds pretty evil for the user.
5) Again, not without making your own custom build of Android. You're reducing the phone to a brick pretty much with this stuff.
Yes, though it is user-hostile.
I have no idea what you are talking about.
I have no idea what you are talking about.
No, except by making your own firmware. Even by replacing the home screen, the user can boot into the Android equivalent of "safe mode" and bypass a replacement home screen app. You would need to have your home screen be the only one on the device, and your apps be the only one on the device.
See #4.
I will add only to question (1), since all the questions have been already answered. If you talk about replacing the standard boot and shutdown animations, then yes, it is very possible and pretty much any custom ROM for the SGS will let you do that. It's just a matter of assembling the sequence of PNG files you want. There are two image flashes before the animation, one is built-in in the bootloader, the other is hardcoded on the kernel.
Examples: http://forum.xda-developers.com/showthread.php?t=869347
You can do all these things, however you will need to flash a custom image - I assume you want to customise in-house handsets for a specific project, rather than have this as a generic app - I can't imagine normal users installing this kind of lockdown, and it sounds similar to an approach I was looking at for a project needing cheap PDAs with GSM connectivity.
If that's the case, and volumes are low, you might be better off targeting developer handsets, which can be bought through a publisher account on Android Market. I think this limits you to 10 handsets.
Hope this helps,
Phil Lello

Categories

Resources