DroidEcho: an in-depth dissection of malicious behaviors in Android applications
Cybersecurity, Pub Date: 2018-06-05, DOI: 10.1186/s42400-018-0006-7
Guozhu Meng, Ruitao Feng, Guangdong Bai, Kai Chen, Yang Liu

A precise representation of attacks can benefit the detection of malware in both accuracy and efficiency. However, describing attacks precisely on the Android platform still falls far short of expectations. In addition, new features on Android, such as communication mechanisms, introduce new challenges and difficulties for attack detection. In this paper, we propose abstract attack models to precisely capture the semantics of various Android attacks, which include the corresponding targets, the involved behaviors, and their execution dependency. Meanwhile, we construct a novel graph-based model called the inter-component communication graph (ICCG) to describe the internal control flows and inter-component communications of applications. The models take into account more communication channels with a maximized preservation of their program logic. With the guidance of the attack models, we propose a static searching approach to detect attacks hidden in the ICCG. To reduce the false positive rate, we introduce an additional dynamic confirmation step to check whether the detected attacks are false alarms. Experiments show that DroidEcho can detect attacks in both benchmark and real-world applications effectively and efficiently with a precision of 89.5%.

Updated: 2018-06-05