Permissions are necessary for all kinds of app functions. Simultaneously, they are the attack path for rogue Android applications, such as infostealers. Through a new framework, however, malware can be detected automatically.
A new, scalable framework that aims to deliver precisely this is called PermGuard. A group of six researchers recently published a study describing the framework, which is meant to ward off Android malware. The methodology it uses is named permission-to-exploitation mapping. PermGuard could provide an additional line of defense against the still ubiquitous Android malware problem.
Google can’t do it alone
Defending over three billion Android users is something no one can do alone. Google, which vets and where necessary removes apps from its Play Store, is the creator of the OS but by no means its exclusive protector. Alternative app stores, such as Samsung’s Galaxy Store and open-source offerings, and sideloading provide other routes for apps onto devices. According to the researchers, Android is prone to attack owing to its open-source nature, because any weakness can be found and then exploited in the wild. Although Google does its best to continually plug these holes, the door will always be ajar for cyber attackers.
Getting users to download Android malware is usually not the decisive moment for attackers. The step before that, often a phishing lure that redirects users to an illegitimate app store, is required to have any chance of a successful attack at all. What follows after installation is also critical. Apps must explicitly ask for permissions through the Android OS, for example to open the camera, access the calendar or edit files.
PermGuard targets that last step. Because the researchers use the framework to “map” attack paths to permission requests, rogue apps are found out as soon as their permission requests reveal malicious behavior.
AI against the avalanche of malware
The study illustrates that Android’s malware problem is one of scale. Because there’s such a large number of malware apps and all kinds of Android flavours, it is impossible to manually keep out all questionable app stores, download links and websites. For that reason, previous research teams have already deployed multiple machine learning techniques to keep the amount of work manageable for Android defenders.
The concept of PermGuard builds on lessons learned by other researchers. The framework is designed to keep the required training data as small as possible, which keeps it scalable even when millions of applications have to be tested.
First, apps were collected from various sources. Next, a repeatable way to extract permissions was set up and a dataset of both benign and malicious applications was built. Attack techniques were then mapped, after which similarity-based selective training was applied to the ML models. The most important part is decompiling each application’s AndroidManifest.xml, which lists all the permissions an application can request.
PermGuard was trained on the 100 permissions most common in benign apps and the 100 permissions actually requested by malware. Where the two lists overlapped, duplicates were removed, leaving 123 distinct permissions. Based on these, 23 different ways in which Android malware operates were defined, distinguished by categories such as “network surveillance”. A total of 55,911 benign and 55,911 malicious apps were collected.
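As an added illustration of the pipeline described above (not code from the PermGuard study), the following Python reads a decoded AndroidManifest.xml, extracts the requested permissions, turns them into a binary feature vector over a permission vocabulary, and scores the set against technique profiles by Jaccard similarity. The vocabulary, the technique profiles and the sample manifest are constructed here; they are not the study’s 123-permission list or its 23 techniques, and the manifest is assumed to have already been decoded from an APK’s binary XML to plain XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Constructed vocabulary: a stand-in for the study's deduplicated permission list.
VOCAB = [
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
]
# Constructed, illustrative technique profiles (not the study's mapping).
TECHNIQUE_PROFILES = {
    "sms_interception": {VOCAB[0], VOCAB[2], VOCAB[3]},
    "network_surveillance": {VOCAB[0], VOCAB[1], VOCAB[5]},
}


def extract_permissions(manifest_xml: str) -> set[str]:
    """Collect android:name values of <uses-permission> elements in a decoded manifest."""
    perms = set()
    for node in ET.fromstring(manifest_xml).iter():
        if node.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = node.get(f"{{{ANDROID_NS}}}name")
            if name:
                perms.add(name)
    return perms


def feature_vector(perms: set[str]) -> list[int]:
    """Binary presence vector over VOCAB; permissions outside the vocabulary are ignored."""
    return [1 if p in perms else 0 for p in VOCAB]


def jaccard(a: set[str], b: set[str]) -> float:
    """Jaccard similarity; 0.0 when both sets are empty (avoids division by zero)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def map_to_techniques(perms: set[str], threshold: float = 0.5) -> dict[str, float]:
    """Return each technique profile whose similarity to the requested set meets the threshold."""
    scores = {name: round(jaccard(perms, prof), 3) for name, prof in TECHNIQUE_PROFILES.items()}
    return {name: s for name, s in scores.items() if s >= threshold}


# Constructed sample manifest, as plain XML after decoding an APK's AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="com.example.CUSTOM"/>
</manifest>"""
```

The feature vectors are what a classifier would be trained on; the profile scores show how a permission set can be related to a technique category before any model is involved.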
Limitations
The accuracy is impressive: a score of 0.9933 was achieved on real datasets and 0.9828 with synthetic data. Although PermGuard is promising, it has its limitations, according to the researchers. For example, it lacks any kind of behavioural analysis that could better interpret the nature of the app being studied. The team has also not yet looked at integrating LLMs to parse and analyse the entire source code of Android apps, where more signs of malware may be detectable.