
Mepelyzer: Malicious App Identification Mechanism Based on Method and Permission Similarity Analysis of Server-Side Polymorphic Mobile Apps

  • Han Seong Lee (School of Computer Engineering, Hanshin University);
  • Hyung-Woo Lee (School of Computer Engineering, Hanshin University)
  • Received: 2017.02.24
  • Reviewed: 2017.03.20
  • Published: 2017.03.28

Abstract

As a growing number of mobile applications are developed and deployed on the Android platform, convenience and usability keep improving, but malicious mobile applications are increasing just as rapidly, and sensitive information stored on the device is leaked without the smartphone user's knowledge. A variety of mobile anti-virus products (mobile vaccines) have been developed to detect malicious apps on Android, but the recently discovered server-side polymorphic (SSP) mobile malware includes concealment and evasion techniques, and because a C&C server-based polymorphic generator produces and installs a slightly different variant of the malicious app on each user's device every time, existing mobile vaccines do not detect it easily. In this paper we present a mechanism for identifying SSP malicious apps: the APK is decompiled, the similarity of the methods in the DEX file that make up the core malicious code and the similarity of the requested permissions are measured, and the correlation between the two is analyzed. The DEX method similarity and permission similarity results exposed the behavioral characteristics of SSP malicious apps and revealed differences by which they can be distinguished from normal apps.
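The following Python script is an added illustration of the two comparison axes the abstract describes, DEX method similarity and permission similarity; it is not code from the paper. The three APK profiles (two variants of one server-side polymorphic sample and one benign app), the smali-style method references and the `aapt dump permissions` output they are built from are constructed sample data, and the Jaccard measure, the class-stripping normalization and the 0.7 decision thresholds are assumptions for this example rather than the paper's own measure or thresholds.

```python
"""Method and permission similarity between Android APK variants.

Added illustration of the comparison the paper describes. The APK
artefacts below are constructed sample data, not taken from the paper.
"""
import re
from dataclasses import dataclass

# Method reference in the form baksmali/dexdump print it:
#   Lcom/sec/a/Core;->sendSms(Ljava/lang/String;Ljava/lang/String;)V
METHOD_REF = re.compile(r"^L(?P<cls>[^;]+);->(?P<name>[^(]+)(?P<desc>\(.*\).+)$")
# `aapt dump permissions app.apk` prints one of:
#   uses-permission: name='android.permission.INTERNET'   (newer aapt)
#   uses-permission: android.permission.INTERNET           (older aapt)
PERM_LINE = re.compile(r"^uses-permission:\s*(?:name=')?([A-Za-z0-9_.]+)'?\s*$")


@dataclass
class ApkProfile:
    label: str
    methods: set       # smali-style method references taken from the DEX
    permissions: set   # android.permission.* names from the manifest


def parse_permissions(aapt_output: str) -> set:
    """Extract permission names from `aapt dump permissions` output."""
    perms = set()
    for line in aapt_output.splitlines():
        m = PERM_LINE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms


def normalize_method(ref: str, keep_name: bool = True) -> str:
    """Drop the declaring class, which an SSP generator renames per variant.
    With keep_name=False also drop the method name and keep only the
    parameter/return descriptor, which survives identifier renaming."""
    m = METHOD_REF.match(ref)
    if not m:
        raise ValueError(f"not a smali method reference: {ref}")
    return (m.group("name") if keep_name else "") + m.group("desc")


def jaccard(a: set, b: set) -> float:
    """|A & B| / |A | B|; an assumed similarity measure, not the paper's."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def method_similarity(x: ApkProfile, y: ApkProfile, keep_name: bool = True) -> float:
    return jaccard({normalize_method(r, keep_name) for r in x.methods},
                   {normalize_method(r, keep_name) for r in y.methods})


def permission_similarity(x: ApkProfile, y: ApkProfile) -> float:
    return jaccard(x.permissions, y.permissions)


def is_ssp_variant(candidate: ApkProfile, seed: ApkProfile,
                   method_thr: float = 0.7, perm_thr: float = 0.7) -> bool:
    """Flag `candidate` as a variant of a known SSP sample only when BOTH
    axes agree; the thresholds are assumptions for this example."""
    return (method_similarity(candidate, seed) >= method_thr
            and permission_similarity(candidate, seed) >= perm_thr)


# --- constructed sample data (hypothetical packages and methods) -------------
_CORE = ["MainActivity;->onCreate(Landroid/os/Bundle;)V",
         "Core;->sendSms(Ljava/lang/String;Ljava/lang/String;)V",
         "Core;->readContacts(Landroid/content/Context;)Ljava/util/List;",
         "Core;->postToC2(Ljava/lang/String;[B)Z",
         "Core;->deviceId(Landroid/content/Context;)Ljava/lang/String;",
         "Boot;->onReceive(Landroid/content/Context;Landroid/content/Intent;)V"]
_PERMS = ["INTERNET", "READ_CONTACTS", "SEND_SMS",
          "RECEIVE_BOOT_COMPLETED", "READ_PHONE_STATE"]

# Variant 1: the seed sample as first observed.
SSP_V1 = ApkProfile(
    "ssp_v1", {"Lcom/sec/a/" + m for m in _CORE},
    parse_permissions("package: com.sec.a\n" + "\n".join(
        f"uses-permission: name='android.permission.{p}'" for p in _PERMS)))

# Variant 2: same payload, package and class renamed, one junk method and
# one extra permission added by the generator.
SSP_V2 = ApkProfile(
    "ssp_v2",
    {"Lorg/xk/q/" + m.replace("Core;", "Zq;") for m in _CORE}
    | {"Lorg/xk/q/Zq;->pad7(I)I"},
    parse_permissions("package: org.xk.q\n" + "\n".join(
        f"uses-permission: name='android.permission.{p}'"
        for p in _PERMS + ["RECEIVE_SMS"])))

# Benign notes app; its permissions are given in the older aapt style.
BENIGN = ApkProfile(
    "notes",
    {"Lcom/notes/MainActivity;->onCreate(Landroid/os/Bundle;)V",
     "Lcom/notes/NoteStore;->save(Ljava/lang/String;)Z",
     "Lcom/notes/NoteStore;->load()Ljava/util/List;",
     "Lcom/notes/Sync;->upload(Ljava/lang/String;[B)Z"},
    parse_permissions("uses-permission: android.permission.INTERNET\n"
                      "uses-permission: android.permission.WRITE_EXTERNAL_STORAGE"))

if __name__ == "__main__":
    for cand in (SSP_V2, BENIGN):
        print(f"{cand.label} vs {SSP_V1.label}: "
              f"method={method_similarity(SSP_V1, cand):.3f} "
              f"(descriptor-only={method_similarity(SSP_V1, cand, False):.3f}) "
              f"perm={permission_similarity(SSP_V1, cand):.3f} "
              f"flagged={is_ssp_variant(cand, SSP_V1)}")
```

Two points the example is built to show. First, the per-variant renaming that defeats hash-based signatures barely moves the similarity once the declaring class is stripped (6/7 for methods, 5/6 for permissions against the seed), whereas an unrelated app with one shared lifecycle method and one shared permission scores 1/9 and 1/6. Second, a generator that also renames method names would collapse the name-based method score; the descriptor-only view (`keep_name=False`) keeps the variants at 6/7 but raises the benign app to 1/4, which is why the decision requires both axes rather than either one alone.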


Funding information

Funding agency: National Research Foundation of Korea
