devu-62442 / AASC-Android-Application-Signature-Creation-Through-Graphs


AASC: Android Application Signature Creation Through Graphs


Android

Android is a Linux-based operating system designed primarily for touch-screen mobile devices such as smartphones and tablet computers, and it is one of the most widely used mobile operating systems today. The Android project was founded in Palo Alto, California in 2003. As of May 2017 it had over 2 billion monthly active users, the largest installed base of any operating system, and as of December 2018 the Google Play store featured over 2.6 million applications.

The growing popularity of the Android mobile operating system has attracted not only users but also malware developers to the platform. A large number of malicious apps have been detected in past years in the Google Play Store and in third-party app markets.

Built with: Python, NetworkX, Matplotlib


- Android Application Graph Signature Creator -

Applications in the Android stores (or the App Store) number in the billions, and a user has no way of knowing whether a given app is benign. To detect whether an application is benign or malware it must first be uniquely identified; that identifier is termed the signature of the application.

Android malware is malware that infects Android in many different ways. Each malware has a different structure and execution behaviour. Malware samples that behave similarly are categorised into a single Android malware family.

API

APIs are a set of functions and procedures that allow the creation of applications which access data and features of other applications, services or the operating system. APIs make it easier to develop a program by providing the building blocks, which the programmer then puts together. With an API you do not need to know what is going on behind the scenes: the API is the messenger that delivers your request to the provider you are requesting it from and then delivers the response back to you.

Android has a layered architecture. The application framework layer sits on top of the native library layer and provides the major application programming interfaces (APIs) and higher-level services in the form of Java classes. Application developers can access the whole API framework for the core programs, which simplifies the reuse of API components, and these APIs are open to everybody who creates Android applications. There are different types of application components; each type has a different lifecycle and purpose that describes how the component is created and destroyed. Frameworks in the application framework layer are written in Java and provide abstractions of the underlying native libraries and Dalvik capabilities to applications. Android applications run in their own sandboxed Dalvik VM and can consist of multiple components: activities, services, broadcast receivers, content providers, etc. Components can interact with other components of the same or a different application via intents.

Sensitive API

There is no definite definition of sensitive APIs. Sensitive APIs are the APIs that handle sensitive information on Android devices, such as rendering personal information, reading databases, or sending and receiving SMS.

In this tool the sensitive APIs are the set of APIs used to access sensitive resources on the Android device, such as the device ID, the location of the user, or information about the network type.

Ten API classes are used as sensitive API classes. Each of these classes has different API methods, which are used to detect malicious behaviour in an application.

For example:

- Landroid/telephony/TelephonyManager;->listen(Landroid/telephony/PhoneStateListener;I)V
- Landroid/telephony/TelephonyManager;->getNetworkType()I
- Landroid/net/ConnectivityManager;->getActiveNetworkInfo()Landroid/net/NetworkInfo;
- Landroid/content/pm/PackageManager;->isSafeMode()Z

In the above examples, TelephonyManager, ConnectivityManager and PackageManager are the API classes, and listen(), getNetworkType(), getActiveNetworkInfo() and isSafeMode() are the API methods.

The tool uses the following sensitive API classes:

[Figure: SensitiveAPIList]

These classes are used to produce the list of all sensitive API calls as output.

Callgraphs

A call graph (also known as a call multigraph) is a control-flow graph that represents the calling relationships between APIs in an Android application. Each node represents an API and each edge (f, g) indicates that API f calls API g. Call graphs can be dynamic or static. A dynamic call graph is a record of one execution of the application, so it can be exact but only describes that one run. A static call graph is intended to represent every possible execution of the application.

Call graphs can be defined at varying degrees of precision. A more precise call graph more closely approximates the behaviour of the real application, at the cost of taking longer to compute and more memory to store. The most precise call graph is fully context-sensitive, meaning that for each application the graph contains a separate node for each call stack the application can have.

Working

Written in Python. The tool creates a UNIQUE directed graph as a signature. It follows these steps:

Step #1. Use Androguard to create a callgraph:

```
androguard cg 'Application Name'
```

A callgraph.gml is created by the above command in the same folder where the application is placed.

Step #2. Create the signature:

Run Signature_Creator.py from the command line. Signature_Creator.py gathers the APIs from the callgraph.gml created in Step 1. A call graph contains thousands of APIs; from these only the sensitive APIs and the APIs calling them are collected and represented as a directed graph. Each graph is unique to the family it belongs to.

```
python3 Signature_Creator.py
```

The sensitive API calls of a particular application are collected with the help of a list containing all the sensitive API class names, which is used to check whether each API is sensitive or not:

```python
sensitive_api=['TelephonyManager','SmsManager','LocationManager','AudioManager','HttpURLConnection','ConnectivityManager','BroadcastReceiver','Cipher','AccessibleObject','PackageManager']
```

A graph is created, displayed on the screen and saved as Signature.gml.

Running the tool on multiple applications and finding the similarities among their graphs can be used to generate the signature of a particular malware family.
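As an added example (this is not the project's Signature_Creator.py, which uses NetworkX), here is a standard-library Python sketch of Step 2 and of the family comparison just described: it parses a callgraph.gml, keeps only the sensitive API nodes and the methods that call them, writes the result back out as GML, and scores the overlap between two signatures. The GML layout, the Dalvik-style method-signature labels, the com.example.app class names and the Jaccard edge-set similarity are assumptions made for this example; the two sample call graphs are constructed, not taken from a real app.

```python
"""Stand-alone (standard-library) sketch of AASC Step 2: read an androguard-style
callgraph.gml, keep sensitive API nodes plus their callers, emit the signature as
GML, and compare two signatures. Sample graphs and GML layout are constructed."""
import re

# The same ten class names Signature_Creator.py compares against.
SENSITIVE_API = ['TelephonyManager', 'SmsManager', 'LocationManager', 'AudioManager',
                 'HttpURLConnection', 'ConnectivityManager', 'BroadcastReceiver',
                 'Cipher', 'AccessibleObject', 'PackageManager']

# Constructed stand-in for callgraph.gml (assumed androguard layout: integer ids,
# Dalvik method signatures as labels, directed edges; other attributes ignored).
SAMPLE_CALLGRAPH_GML = """graph [
  directed 1
  node [ id 0 label "Lcom/example/app/MainActivity;->onCreate(Landroid/os/Bundle;)V" ]
  node [ id 1 label "Lcom/example/app/Collector;->grab()V" ]
  node [ id 2 label "Landroid/telephony/TelephonyManager;->getNetworkType()I" ]
  node [ id 3 label "Landroid/net/ConnectivityManager;->getActiveNetworkInfo()Landroid/net/NetworkInfo;" ]
  node [ id 4 label "Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I" ]
  edge [ source 0 target 1 ]
  edge [ source 1 target 2 ]
  edge [ source 1 target 3 ]
  edge [ source 0 target 4 ]
]
"""

# A second constructed app that shares one sensitive call with the first.
SAMPLE_VARIANT_GML = """graph [
  directed 1
  node [ id 0 label "Lcom/example/app/Collector;->grab()V" ]
  node [ id 1 label "Landroid/telephony/TelephonyManager;->getNetworkType()I" ]
  node [ id 2 label "Landroid/content/pm/PackageManager;->isSafeMode()Z" ]
  edge [ source 0 target 1 ]
  edge [ source 0 target 2 ]
]
"""

_TOKEN = re.compile(r'"[^"]*"|\[|\]|[^\s\[\]"]+')  # quoted strings, brackets, bare words

def _parse_block(tokens, i):
    """Read key/value pairs until the closing ']'; nested '[...]' become lists."""
    pairs = []
    while i < len(tokens) and tokens[i] != ']':
        key, val = tokens[i], tokens[i + 1]
        if val == '[':
            val, i = _parse_block(tokens, i + 2)
        else:
            val, i = val.strip('"'), i + 2
        pairs.append((key, val))
    return pairs, i + 1  # step over the ']'

def load_callgraph(text):
    """Return the call graph as {caller label: set(callee labels)}."""
    tokens = _TOKEN.findall(text)
    if tokens[:2] != ['graph', '[']:
        raise ValueError('not a GML graph')
    graph, _ = _parse_block(tokens, 2)
    labels, edges = {}, []
    for key, val in graph:
        attrs = dict(val) if isinstance(val, list) else {}
        if key == 'node':
            labels[attrs['id']] = attrs['label']
        elif key == 'edge':
            edges.append((attrs['source'], attrs['target']))
    calls = {label: set() for label in labels.values()}
    for src, dst in edges:
        calls[labels[src]].add(labels[dst])
    return calls

def api_class(label):
    """'Landroid/telephony/TelephonyManager;->getNetworkType()I' -> 'TelephonyManager'."""
    desc = label.split(';->', 1)[0]
    if desc.startswith('L'):  # drop the Dalvik object-type prefix, not a class initial
        desc = desc[1:]
    return desc.rsplit('/', 1)[-1]

def build_signature(calls, sensitive=SENSITIVE_API):
    """Signature = directed edges caller -> sensitive API; everything else is dropped."""
    return {(caller, callee) for caller, callees in calls.items()
            for callee in callees if api_class(callee) in sensitive}

def signature_to_gml(edges):
    """Serialise a signature the way the tool saves Signature.gml."""
    nodes = sorted({n for edge in edges for n in edge})
    ids = {n: i for i, n in enumerate(nodes)}
    lines = ['graph [', '  directed 1']
    lines += [f'  node [ id {ids[n]} label "{n}" ]' for n in nodes]
    lines += [f'  edge [ source {ids[s]} target {ids[t]} ]' for s, t in sorted(edges)]
    return '\n'.join(lines + [']']) + '\n'

def jaccard(sig_a, sig_b):
    """Edge-set overlap of two signatures (1.0 = identical); a first cut at grouping apps into a family."""
    union = sig_a | sig_b
    return len(sig_a & sig_b) / len(union) if union else 1.0

if __name__ == '__main__':
    signature = build_signature(load_callgraph(SAMPLE_CALLGRAPH_GML))
    print(signature_to_gml(signature))
    variant = build_signature(load_callgraph(SAMPLE_VARIANT_GML))
    print('edge-set similarity to variant:', jaccard(signature, variant))
```

The parser reads only the `id`, `label`, `source` and `target` keys, so extra node attributes that androguard may emit are tolerated. Note that the class check keys on the receiver class of the method signature (the part before `;->`), which is exactly what the tool's `sensitive_api` list of class names describes; a caller that reaches a sensitive API only through an intermediate helper appears in the signature as the helper, not the original caller.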