HAL-Based Resource Manipulation Monitoring on AOSP
Mobile Information Systems (IF 1.863), Pub Date: 2020-12-02, DOI: 10.1155/2020/8863385
Thien-Phuc Doan, Jungsoo Park, Souhwan Jung

Nowadays, Android malware frequently uses sensitive APIs to manipulate an Android device's resources. Conventional malware analysis uses hooking techniques to detect this harmful behavior. However, this approach faces many problems, such as a low coverage rate and computational overhead. To solve these problems, we propose HALWatcher, an alternative technique for monitoring resource manipulation on the Android Open Source Project (AOSP). By modifying the Hardware Abstraction Layer (HAL) resource-access interfaces and their implementation, we can embed more monitoring functions in the critical methods that are in charge of transferring data between the hardware driver and the framework layer. Hence, HALWatcher provides a lightweight system with a high coverage rate that can perform resource manipulation monitoring for Android OS. In this paper, we prove that the hooking technique is limited in detecting resource manipulation attacks. In addition, HALWatcher achieves a superior detection rate with low computational effort.

Updated: 2020-12-03