
Tool uses anomaly detection to discern real Android apps from root exploit malware

Researchers from North Carolina State University (NCSU) have refined a technique – known as anomaly detection – and created a tool that applies it to Android applications, ultimately allowing them to detect and contain apps that are actually root exploit malware.

On Tuesday, Xiaohui Gu, Tsung-Hsuan Ho, Daniel Dean, and William Enck released their findings in a report titled, “PREC: Practical Root Exploit Containment for Android Devices.” They also presented their research at the ACM Conference on Data and Application Security and Privacy in Texas.

The tool, called PREC, relies on anomaly detection: it compares the runtime behavior of a downloaded Android app against a database profile of how that same app is expected to behave, and treats significant deviations from the profile as a sign that the app is carrying a root exploit.

Gu told SCMagazine.com in a Wednesday email correspondence that by working with vendors to incorporate the tool into their general app screening processes, the researchers would be able to build and populate that database of expected behavior.

“We can achieve 100 percent detection rate and raised false alarms in one out of 140 popular apps tested,” Gu said, explaining that their refined anomaly detection technique is so effective because it focuses on the native C code that apps ship. “All existing Android root exploits are written in C [code]. We can detect all of them.”
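To make the profile-comparison idea described above concrete, here is a small behavior-profile anomaly detector written for this article. It is an added illustration, not PREC's code and not from the NCSU authors: the n-gram profile, the 0.2 alarm threshold, the exponential containment delay, and the syscall traces (constructed, standing in for calls captured from an app's native C code) are all assumptions chosen for the example. It also shows the false-alarm side of the trade-off: a benign run that produces one never-seen window stays below the threshold, while a run full of unseen windows is flagged.

```python
"""Profile-based anomaly detection over native-code syscall traces.

Added example, NOT PREC's code. The window length, threshold, delay policy
and sample traces are assumptions made for this illustration.
"""
from typing import Iterable, Sequence, Set, Tuple

NGRAM = 3          # window length over the syscall stream (assumption)
THRESHOLD = 0.2    # fraction of unseen windows that raises an alarm (assumption)

Gram = Tuple[str, ...]


def ngrams(trace: Sequence[str], n: int = NGRAM) -> list:
    """Sliding windows of n consecutive system calls."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(training_traces: Iterable[Sequence[str]], n: int = NGRAM) -> Set[Gram]:
    """Normal-behavior profile: every syscall window observed while the
    legitimate app was exercised during screening."""
    profile: Set[Gram] = set()
    for trace in training_traces:
        profile.update(ngrams(trace, n))
    return profile


def anomaly_score(trace: Sequence[str], profile: Set[Gram], n: int = NGRAM) -> float:
    """Fraction of windows in a runtime trace that the profile never saw.
    0.0 means fully explained by the profile, 1.0 means nothing matches."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    unseen = sum(1 for g in grams if g not in profile)
    return unseen / len(grams)


def is_anomalous(trace: Sequence[str], profile: Set[Gram], threshold: float = THRESHOLD) -> bool:
    return anomaly_score(trace, profile) > threshold


def containment_delay_ms(strikes: int, base_ms: int = 10, cap_ms: int = 1000) -> int:
    """One possible containment policy (assumption): slow the offending native
    thread down exponentially with each consecutive anomalous window rather
    than killing the app, so a false alarm costs latency, not a crash."""
    return min(base_ms * (2 ** strikes), cap_ms)


# Constructed sample traces; they stand in for syscall streams captured from
# an app's native (C/JNI) code and are not real exploit sequences.
TRAINING = [
    ["open", "read", "mmap", "read", "munmap", "close"],
    ["open", "read", "mmap", "write", "munmap", "close"],
    ["open", "mmap", "read", "munmap", "close", "write"],
]
# Benign run containing one window the screening never produced.
BENIGN_RUN = ["open", "read", "mmap", "read", "munmap", "close", "write", "close"]
# Escalation-flavored run: memory-permission and ptrace/uid calls the
# legitimate app never issued (illustrative only).
SUSPECT_RUN = ["open", "mmap", "mprotect", "ptrace", "write", "setresuid", "execve"]

PROFILE = build_profile(TRAINING)


def demo() -> dict:
    """Score both runs against the profile; returns {name: (score, flagged)}."""
    results = {}
    for name, run in (("benign", BENIGN_RUN), ("suspect", SUSPECT_RUN)):
        score = anomaly_score(run, PROFILE)
        results[name] = (round(score, 3), is_anomalous(run, PROFILE))
    return results


if __name__ == "__main__":
    for name, (score, flagged) in demo().items():
        print(f"{name:8s} score={score:.3f} anomalous={flagged}")
    print("delay after 4 consecutive anomalous windows:", containment_delay_ms(4), "ms")
```

The threshold is where the 100 percent detection versus one-in-140 false alarm trade-off lives: lower it and a legitimate app that hits an unusual code path gets slowed down, raise it and an exploit that mostly mimics normal I/O could slip through.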

A root exploit escalates an app's privileges until it runs as root, the superuser account, giving the attacker full control over the administrative functions of the operating system. On Android, that amounts to complete control of the smartphone.

“While official markets dedicate significant resources to detecting malware, state-of-the-art malware detection can be easily circumvented using logic bombs or checks for an emulated environment,” according to the report. “We present a [PREC] framework that protects users from such conditional malicious behavior.” 
