AppContext: Differentiating malicious and benign mobile app behaviors using context

Wei Yang, Xusheng Xiao, Benjamin Andow, Sihan Li, Tao Xie, William Enck

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Mobile malware attempts to evade detection during app analysis by mimicking security-sensitive behaviors of benign apps that provide similar functionality (e.g., sending SMS messages), and suppressing their payload to reduce the chance of being observed (e.g., executing only its payload at night). Since current approaches focus their analyses on the types of securitysensitive resources being accessed (e.g., network), these evasive techniques in malware make differentiating between malicious and benign app behaviors a difficult task during app analysis. We propose that the malicious and benign behaviors within apps can be differentiated based on the contexts that trigger securitysensitive behaviors, i.e., the events and conditions that cause the security-sensitive behaviors to occur. In this work, we introduce AppContext, an approach of static program analysis that extracts the contexts of security-sensitive behaviors to assist app analysis in differentiating between malicious and benign behaviors. We implement a prototype of AppContext and evaluate AppContext on 202 malicious apps from various malware datasets, and 633 benign apps from the Google Play Store. AppContext correctly identifies 192 malicious apps with 87.7% precision and 95% recall. Our evaluation results suggest that the maliciousness of a security-sensitive behavior is more closely related to the intention of the behavior (reflected via contexts) than the type of the security-sensitive resources that the behavior accesses.

Original languageEnglish (US)
Title of host publicationProceedings - 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, ICSE 2015
PublisherIEEE Computer Society
Pages303-313
Number of pages11
ISBN (Electronic)9781479919345
DOIs
StatePublished - Aug 12 2015
Event37th IEEE/ACM International Conference on Software Engineering, ICSE 2015 - Florence, Italy
Duration: May 16 2015May 24 2015

Publication series

NameProceedings - International Conference on Software Engineering
Volume1
ISSN (Print)0270-5257

Other

Other37th IEEE/ACM International Conference on Software Engineering, ICSE 2015
Country/TerritoryItaly
CityFlorence
Period5/16/155/24/15

ASJC Scopus subject areas

  • Software

Fingerprint

Dive into the research topics of 'AppContext: Differentiating malicious and benign mobile app behaviors using context'. Together they form a unique fingerprint.

Cite this