eScholarship
Open Access Publications from the University of California

UC Davis

UC Davis Electronic Theses and Dissertations

Utilizing HPCs as a Method for Update Malware Detection

Abstract

The daily use of mobile phones, and particularly smartphones, has become an integral part of modern civilization. With the continued adoption of smartphones by users worldwide, an abundance of applications to meet their various demands is a necessity. A plethora of applications are provided through markets, such as the Google Play Store, that allow users to download applications directly to their devices. Because the Google Play Store is one of the most popular markets, it provides considerably robust security, and users trust its ability to properly vet hosted products. Be that as it may, there exists a subset of society that seeks to exploit and take advantage of unsuspecting victims. Because of the robustness of the security scanning, malware developers must circumvent marketplace security controls. One such exploit is called piggybacking: a benign application is prepared for an update attack with the piggybacking technique, which injects the malicious code. Detecting this change in the application is the main focus of this study. Because the piggybacking technique is cleverly obfuscated, static analysis is not a consistent method for detecting malice; instead, hardware performance counters (HPCs), which are capable of dynamic analysis, are adopted to explore whether they have the potential to detect clandestine applications. HPCs were used to examine whether piggybacked applications, and furthermore piggybacked applications that contain update attacks, can be detected. HPC data was collected via a rooted phone with automated pipelines, and to add depth to the study, static data and dynamic data were compared using visualizations, call graphs and scatter graphs. Additionally, a machine learning tool, WEKA, was used to discover whether the data can classify the applications as benign or malicious.
Six different classifiers were selected, and as a result, the Decision Tree classifiers achieved around 94% to 99% detection accuracy, proving that HPCs are a viable method to detect update malware. The result led us to investigate whether HPCs can be used to detect embedded malware.
