FA3: Fine-Grained Android Application Analysis

FA3: Fine-Grained Android Application Analysis

연구 분야: Safety

학회: HotMobile '23: Proceedings of the 24th International Workshop on Mobile Computing Systems and Applications

Understanding Android applications' behavior is essential to many security applications, e.g., malware analysis. Although many systems have been proposed to perform such dynamic analysis, they are limited by their applicable analysis environment (on device vs. emulator), transparency to subject apps, applicable runtime (Dalvik vs. ART), applicable system stack, or granularity. In this paper, we propose FA3 (Fine-Grained Android Application Analysis), a novel on-device, non-invasive, and fine-grained analysis platform by leveraging existing profiling mechanisms in the Android Runtime (ART) and kernel to inspect method invocations and control-flow transfers for both Java methods and third-party native libraries. FA3 embeds its tracing capability in multiple layers of the Android system stack to not only capture fine-grained application behaviors but ensure even non-conventional or malicious tricks of loading and executing OAT/ELF binaries cannot escape our monitoring. We carefully evaluated FA3 using real-world malware. Experimental results showed that FA3 successfully analyzes sophisticated malware samples and provides a comprehensive view of their behavior.