Detecting Local Covert Channels Using Process Activity Correlation on Android Smartphones

Abstract : Modern malware threats utilize many advanced techniques to increase their stealthiness. To this aim, information hiding is becoming one of the preferred approaches, especially to exfiltrate data. However, for the case of smartphones, covert communications are primarily used to bypass the security framework of the device. The most relevant case is when two "colluding applications" cooperate to elude the security policies enforced by the underlying OS. Unfortunately, detecting this type of malware is a challenging task as well as a poorly generalizable process. In this paper, we propose a method for the detection of malware exploiting colluding applications. In more details, we analyze the correlation of processes to spot the unknown pair covertly exchanging information. Experimental results collected on an Android device showcase the effectiveness of the approach, especially to detect low-attention raising covert channels, i.e., those active when the user is not operating the smartphone.
Document type :
Journal articles
Complete list of metadatas

https://hal.archives-ouvertes.fr/hal-01302828
Contributor : Jean-François Lalande <>
Submitted on : Friday, April 15, 2016 - 10:57:56 AM
Last modification on : Thursday, February 7, 2019 - 2:36:31 PM

Identifiers

  • HAL Id : hal-01302828, version 1

Collections

Citation

Marcin Urbanski, Wojciech Mazurczyk, Jean-François Lalande, Luca Caviglione. Detecting Local Covert Channels Using Process Activity Correlation on Android Smartphones. International Journal of Computer Systems Science and Engineering, CRL Publishing Ltd, 2017, 32 (2), pp.71-80. ⟨hal-01302828⟩

Share

Metrics

Record views

285