
Abstract

Thursday 1 October 15:00 - 15:30, Red room

Jun Yong Park (AhnLab)
Seolwoo Joo (AhnLab)

download slides (PDF)

With the rapid growth of Android applications and malware, behaviour-based detection is one of the most promising approaches. Many security researchers struggle with how to determine malicious behaviours and identify malware. Visualizing executables is one of the most effective ways to identify malware, yet there is no well-known or generic way for day-to-day security researchers to visualize the behaviours of Android applications and malware.

In this paper, we address how the behaviours of Dalvik executables can be visualized effectively by DEVIL. DEVIL, also known as Dex Visualizer, is a graph-based approach for visualizing the flow between Dalvik objects, typically classes. Currently, DEVIL uses only static analysis information, but it is designed so that dynamic analysis information can easily be integrated. This paper focuses on how inter-object relations are generated and how a graph of those relations is visualized. For example, inter-object relations can be generated by tracing so-called Android Application Lifecycle triggers, which may be Android APIs, permissions, intents and so on. The graph is rendered with the force-directed layout algorithm of the d3.js framework, using the inter-object relations as its nodes and links.

Finally, we demonstrate force-directed graph visualizations of Android malware and round off with examples of how DEVIL can be applied to detecting Android malware.
