Targeted Dynamic Analysis for Android Malware

Targeted Dynamic Analysis for Android Malware Michelle Wong Master of Applied Science Graduate Department of Electrical and Computer Engineering University of Toronto 2015 The identification and analysis of Android malware involves either static or dynamic program analysis of the malware binary. While static analysis has good code coverage, it is not as precise due to the lack of run-time information. In contrast, because Android malware is often bundled with applications that have legitimate functionality, dynamic analysis can take a long time to find and analyze the small amount of code implementing the malicious functionality. We propose IntelliDroid, a tool that combines the advantages of both static and dynamic analyses to efficiently analyze suspicious behavior in Android applications. A lightweight static phase identifies possible malicious behavior and gathers information to generate inputs that can dynamically exercise that behavior. IntelliDroid overcomes several key challenges of analyzing Android malware and when evaluated on 30 instances of malicious behavior, IntelliDroid successfully identifies the behavior, extracts path constraints, and executes the malicious code in all but one case.