INFRASTRUCTURE FOR LEARNING THE BEHAVIOUR OF MALICIOUS AND ABNORMAL APPLICATIONS

Nowadays, Android is one of the most popular operating systems for mobile devices. Therefore, an increasing number of exploits and malicious applications for Android are developed by attackers. Many Android applications have malicious or abnormal behaviour: stealing private information, subscribing to unwanted paid services, consuming a large amount of resources on the device and displaying unwanted advertisements. Students learning security need to understand the behaviour of such applications. In this paper, we propose an infrastructure for collecting information pertaining to application behaviour at runtime and exposing the malicious and atypical actions performed by Android applications. The purpose of this infrastructure is to provide a meaningful learning experience to students, as they study malicious applications. The infrastructure includes collectors at every level of the operating system and the behaviour information includes: the consumed resources (CPU, memory), the exchanged messages (SMSs, phone calls, packets), the state changes of the communication channels (WiFi, 3G, Bluetooth, NFC). Behaviour information is sent periodically from the collectors to a native application and can be visualised through a Graphical User Interface, directly on the mobile device. Students are allowed to select any process in the system and investigate its behaviour in real time. They also can extract the behaviour information from the mobile device in order to perform statistical analysis on the data. Students are able compare the collected data for legitimate and malicious/abnormal applications and identify the malicious behaviour patterns. These patterns can be used to discover new malware, that is not yet detected by commercial antivirus solutions. The learning experience provided by our infrastructure is essential for developing practical security skills.