Researchers have found that, much like PC malware, malicious mobile applications usually fetch and run code on the fly without the user's knowledge. Their purpose is often to stealthily collect and exfiltrate sensitive information. Static analysis solutions typically inspect the source code, binaries, or call sequences to detect anomalies. However, dynamic code loading, Java reflection-based method invocation, data encryption, and self-verification of signatures are commonly seen in malware code. These forms of code obfuscation make static-analysis-based detection challenging. Dynamic analysis, as a complement to static analysis, observes the runtime behaviors of malicious apps.
We design a triggering relation model for dynamically analyzing network traffic on Android devices. Our model enables one to infer the dependencies among outbound network requests from the device. Our solution provides logical insight into the relation between the user's interactions and malicious traffic. We profile the traffic patterns of benign apps to detect malicious network requests and enhance the sense-making process.
We present a two-stage learning-based solution to detect malicious network activities. The discovery of causal relations between pairs of network events enables us to construct a traffic dependence graph. Our solution classifies the root triggers to identify malicious requests based on their dependency features. The new capability of our solution is to distinguish malicious root triggers from legitimate ones. It allows us to detect stealthy malware activities that may not be detected by existing traffic classification solutions. Without any prior knowledge of the malware's source code, our framework enables the detection of malicious requests sent by newly released apps.
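As an added illustration of the triggering-relation idea (not the paper's own code or its learned model): a simplified, rule-based dependency inference over a constructed event trace, in which a request is attributed either to the earlier request named by its referrer or to a recent user interaction, the pairwise links form a traffic dependence graph, and root triggers that are neither user interactions nor explained by any earlier event are flagged as unattended candidates for further classification. The two rules, the 2-second window, and the sample URLs are assumptions.

```python
# Constructed sample trace (not from the paper): (timestamp_s, kind, detail, referrer).
# kind "ui" is a user interaction, "net" an outbound request; referrer is the URL of
# the earlier request whose response led to this one, when the app reports it.
EVENTS = [
    (0.0, "ui", "tap:login_button", None),
    (0.3, "net", "https://api.example.com/login", None),
    (0.6, "net", "https://cdn.example.com/avatar.png", "https://api.example.com/login"),
    (12.0, "net", "https://203.0.113.9/upload", None),  # no UI event, no referrer
    (12.4, "net", "https://203.0.113.9/ack", "https://203.0.113.9/upload"),
]

WINDOW = 2.0  # seconds after a UI event during which a request is attributed to it


def infer_parents(events, window=WINDOW):
    """Pairwise dependency inference: request index -> index of its trigger, or None.
    Rule 1: an explicit referrer links to the latest earlier request with that URL.
    Rule 2: otherwise, the most recent UI event inside the time window."""
    parents = {}
    for i, (t, kind, _detail, ref) in enumerate(events):
        if kind != "net":
            continue
        earlier = range(i - 1, -1, -1)  # scan backwards from the request
        parents[i] = next((j for j in earlier if events[j][1:3] == ("net", ref)), None)
        if parents[i] is None:
            parents[i] = next((j for j in earlier if events[j][1] == "ui"
                               and t - events[j][0] <= window), None)
    return parents


def root_of(parents, i):
    """Follow parent links up the traffic dependence graph to the root event."""
    while parents.get(i) is not None:
        i = parents[i]
    return i


def root_triggers(events, window=WINDOW):
    """Label each root: 'user' if it is an interaction, 'unattended' if it is a
    request with no identifiable trigger. Returns {root_index: label}."""
    parents = infer_parents(events, window)
    return {r: ("user" if events[r][1] == "ui" else "unattended")
            for r in {root_of(parents, i) for i in parents}}


def unattended_requests(events, window=WINDOW):
    """URLs of every request whose root trigger is unattended: the candidates a
    root-trigger classifier would examine first."""
    parents = infer_parents(events, window)
    roots = root_triggers(events, window)
    return [events[i][2] for i in parents if roots[root_of(parents, i)] == "unattended"]
```

Widening the window to cover the whole trace attributes every request to the initial tap, which shows why the attribution rules, not the graph walk, decide what gets flagged.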