ABSTRACT
With more than 500 million activations reported in Q3
2012, Android mobile devices are becoming ubiquitous and
trends confirm this is unlikely to slow down. App stores,
such as Google Play, drive the entire economy of mobile
applications. Unfortunately, high turnovers and access to
sensitive data have soon attracted the interests of cybercriminals
too, with malware now hitting Android devices at
an alarmingly rising pace. In this paper we present CopperDroid,
an approach built on top of QEMU to automatically
perform out-of-the-box dynamic behavioral analysis of Android
malware. To this end, CopperDroid presents a unified
analysis to characterize low-level OS-specific and high-level
Android-specific behaviors. Based on the observation that
such behaviors are however achieved through the invocation
of system calls, CopperDroid's VM-based dynamic system
call-centric analysis is able to faithfully describe the behavior
of Android malware whether it is initiated from Java,
JNI or native code execution.
We carried out extensive experiments to assess the effectiveness
of our analyses on a large Android malware data set
of more than 1,200 samples belonging to 49 Android malware
families (provided by the Android Malware Genome
Project) and about 400 samples over 13 families (collected
from the Contagio project). Our experiments show that
a proper malware stimulation strategy (e.g., sending SMS,
placing calls) successfully discloses additional behaviors on
a non-negligible portion of the analyzed malware samples
Read more: http://www.isg.rhul.ac.uk/sullivan/pubs/eurosec-2013.pdf