The goal of MobSec is to improve the security of mobile devices by reducing the risk from installing and using third-party applications.

Overview

With more than 1 billion Android-activated devices and over 1 billion monthly-active Android users, mobile platforms have clearly become ubiquitous, and trends show this pace is unlikely to slow down. Application marketplaces, such as Google Play, drive the entire economy of mobile applications. For instance, with more than 50 billion downloaded apps, Google Play generated revenues exceeding 5 billion USD in 2013. Such a wealthy and quite unique ecosystem, with high turnovers and access to sensitive data, has unfortunately spurred an alarming growth in Android malware. Privacy breaches (e.g., access to address book and GPS coordinates), monetization through premium SMS and calls, and colluding malware that bypasses 2-factor authentication schemes have become real threats. Recent studies also report how easily mobile marketplaces have been abused to host malware or seemingly legitimate applications embedding malicious components.

According to the security roadmap provided by the European Network of Excellence SysSec, "[...] more research focused on the development of defensive tools and techniques that can be deployed to the current smartphone systems to detect and prevent attacks against the device and its applications is needed". To this end, MobSec aims at exploring mobile-related threats and developing comprehensive mitigation techniques. In particular, MobSec will revolve around the following themes:

Mobile applications analyses
to build the necessary knowledge for understanding the new slew of cyber-criminal mobile-related threats we are facing. Understanding is not a mere academic exercise, but rather a fundamental aspect of paramount importance, which will allow us to extract the behavioural information necessary to devise novel and effective policy enforcement and mobile malware mitigation techniques. To this end, we have recently presented CopperDroid, an approach built on top of QEMU to perform out-of-the-box dynamic behavioral analysis of Android malware. CopperDroid presents a unified analysis to characterize low-level OS-specific (e.g., opening and writing to a file, executing a program) and high-level Android-specific (e.g., accessing personal information, sending an SMS) behaviors. In particular, based on the observation that such behaviors are all achieved through the invocation of system calls, CopperDroid's VMI-based system call-centric analysis describes Android malware behavior regardless of whether it is initiated from Java or native code. It is worth pointing out that CopperDroid represents MobSec's preliminary research effort toward understanding the behavior of Android malware. A number of research questions, including but not limited to the automatic, comprehensive, and faithful reconstruction of Android app behaviors, the reliable identification of behaviors triggered by malware embedded in benign applications, event-behavior attribution, and the simulation of complex UI interactions, are still open and will be explored by MobSec.
Malware (App) selective set-based classification
to understand whether the OS and Android-specific behaviors CopperDroid reconstructs are useful to classify Android malware (and apps, in general), building on and improving traditional state-of-the-art machine learning techniques; see mobsec-classifier for more information and to request access to our code and feature set, for reproducing and building on our experiments and techniques.
Evasion-resistant information leakage detection
to replace (or complement) state-of-the-art approaches, which are vulnerable to easy-to-deploy evasion attacks.
Detection of malicious mobile applications
a particularly challenging task in the mobile landscape, which largely sees malware repackaged (and embedded) in benign apps, and the enforcement of fine-grained security policies to contain malicious behaviors, abstracting away (or limiting) user involvement (as opposed to the state of the art).
Hardware-supported virtualization
to provide efficient in-device mitigations against mobile threats.

Availability

One of the first outcomes of MobSec is CopperDroid, a freely available VM-based system call-centric dynamic analysis system that reconstructs the behavior of Android apps. CopperDroid, originally developed in collaboration with the Security Lab at the University of Milan, is available at http://copperdroid.isg.rhul.ac.uk

Research Support

MobSec is partially yet generously sponsored by the UK EPSRC (EP/L022710/1) and by a donation from Intel Security (formerly McAfee Labs UK).

In the Press

NewScientist ran a feature article that also outlines MobSec and CopperDroid.

Publications