An antivirus API for Android malware recognition

Rafael Fedler, Marcel Kulicke, J. Schütte
Published in: 2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE)
Publication date: 2013-10-01
DOI: 10.1109/MALWARE.2013.6703688 (https://doi.org/10.1109/MALWARE.2013.6703688)
Citations: 20

Abstract

On the Android platform, antivirus software suffers from significant deficiencies. Due to platform limitations, it cannot access or monitor an Android device's file system, or dynamic behavior of installed apps. This includes the downloading of malicious files after installation, and other file system alterations. That has grave consequences for device security, as any app - even without openly malicious code in its package file - can still download and execute malicious files without any danger of being detected by antivirus software. In this paper, we present a proposal for an antivirus interface to be added to the Android API. It allows for three primary operations: (1) on-demand file system scanning and traversal, (2) on-change file system monitoring, (3) a set of basic operations that allow for scanning of arbitrary file system objects without disclosing their contents. This interface can enable Android antivirus software to deploy techniques for malware recognition similar to those of desktop antivirus systems. The proposed measures comply with Android's security architecture and user data privacy is maintained. Through our approach, antivirus software on the Android platform would reach a level of effectiveness significantly higher than currently, and comparable to that of desktop antivirus software.