Inspecting Binder Transactions to Detect Anomalies in Android
Rodrigo Lemos, Tiago Heinrich, N. C. Will, R. Obelheiro, C. Maziero
2023 IEEE International Systems Conference (SysCon), published 2023-04-17
DOI: 10.1109/SysCon53073.2023.10131073 (https://doi.org/10.1109/SysCon53073.2023.10131073)
Citations: 0
Abstract
With the growing number and complexity of threats to mobile devices in recent years, new security strategies are constantly being developed to protect users. The wide variety of Android malware families makes it challenging to keep up with malware evolution and to build detection systems generic enough to handle them. This work explores inter-process communication (IPC) between Android processes for anomaly detection. All IPC messages in Android pass through the Binder driver, making it a good vantage point from which to observe all kinds of malicious actions. We observed how malicious and benign applications interact with Binder and built a dataset representing their behavior. We enriched the raw dataset by classifying Binder calls into five groups according to their functionality and by identifying high- and low-risk groups. These new features were used in a machine learning-based method to detect malware on Android, which we validated on these datasets, achieving accuracy and F1-score close to 0.90.
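The pipeline the abstract sketches (capture Binder transactions per app, bucket each call into a functional group, flag the high-risk groups, feed the resulting feature vector to a classifier and score it with accuracy/F1) can be illustrated end to end in a few dozen lines. The following is an added example written for this page, not the authors' code or dataset. Everything specific in it is an assumption: the trace line format (a real collector would have to resolve the AIDL interface descriptor itself, since the kernel's binder tracepoints only expose the destination process and the transaction code), the five group names and the interface-to-group mapping, the choice of telephony, location and storage as the high-risk groups, the nearest-centroid classifier, and the constructed training vectors and trace lines.

```python
"""Binder-transaction feature extraction and a toy malware classifier.

Added example for this page. The trace format, the five-group taxonomy,
the high-risk split, the classifier and all sample data are assumptions,
not the paper's own definitions or dataset.
"""
import math
import re
from collections import Counter

# Hypothetical five functional groups, keyed on AIDL interface descriptor prefix.
GROUPS = ("telephony", "location", "storage", "system", "ui")
IFACE_TO_GROUP = {
    "android.telephony": "telephony",
    "com.android.internal.telephony": "telephony",
    "android.location": "location",
    "android.content": "storage",
    "android.os.storage": "storage",
    "android.content.pm": "system",
    "android.app": "system",
    "android.view": "ui",
    "android.gui": "ui",
}
HIGH_RISK = {"telephony", "location", "storage"}   # assumed high-risk groups

# Constructed trace format (assumption, not the paper's collector output):
#   pkg=<package> iface=<AIDL descriptor> code=<transaction code> reply=<0|1>
LINE_RE = re.compile(r"pkg=(\S+) iface=(\S+) code=(\d+) reply=([01])")


def group_of(iface):
    """Longest-prefix match of an interface descriptor into a functional group."""
    best = None
    for prefix, group in IFACE_TO_GROUP.items():
        if iface.startswith(prefix + ".") and (best is None or len(prefix) > len(best[0])):
            best = (prefix, group)
    return best[1] if best else "system"   # unknown interfaces default to "system"


def features(lines):
    """Per-package vector: fraction of calls in each group, then high-risk share."""
    per_pkg = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group(4) == "1":      # skip malformed lines and reply legs
            continue
        pkg, iface = m.group(1), m.group(2)
        per_pkg.setdefault(pkg, Counter())[group_of(iface)] += 1
    out = {}
    for pkg, counts in per_pkg.items():
        total = sum(counts.values())
        vec = [counts[g] / total for g in GROUPS]
        vec.append(sum(counts[g] for g in HIGH_RISK) / total)
        out[pkg] = vec
    return out


def centroids(train):
    """train: list of (vector, label). Returns label -> mean vector."""
    sums, n = {}, Counter()
    for vec, label in train:
        acc = sums.setdefault(label, [0.0] * len(vec))
        for i, v in enumerate(vec):
            acc[i] += v
        n[label] += 1
    return {lab: [v / n[lab] for v in acc] for lab, acc in sums.items()}


def classify(vec, cents):
    """Nearest-centroid decision (stand-in for the paper's ML model)."""
    return min(cents, key=lambda lab: math.dist(vec, cents[lab]))


def f1_score(y_true, y_pred, positive="malicious"):
    tp = sum(t == positive and p == positive for t, p in zip(y_true, y_pred))
    fp = sum(t != positive and p == positive for t, p in zip(y_true, y_pred))
    fn = sum(t == positive and p != positive for t, p in zip(y_true, y_pred))
    if tp == 0:
        return 0.0
    prec, rec = tp / (tp + fp), tp / (tp + fn)
    return 2 * prec * rec / (prec + rec)


# Constructed training vectors (same layout as features() output) and traces.
TRAIN = [
    ([0.0, 0.0, 0.1, 0.3, 0.6, 0.1], "benign"),
    ([0.0, 0.05, 0.15, 0.3, 0.5, 0.2], "benign"),
    ([0.4, 0.2, 0.2, 0.2, 0.0, 0.8], "malicious"),
    ([0.3, 0.3, 0.1, 0.2, 0.1, 0.7], "malicious"),
]
TRACE = """\
pkg=com.example.notes iface=android.view.IWindowSession code=3 reply=0
pkg=com.example.notes iface=android.view.IWindowSession code=6 reply=0
pkg=com.example.notes iface=android.app.IActivityManager code=12 reply=0
pkg=com.example.notes iface=android.gui.ISurfaceComposer code=4 reply=0
pkg=com.example.notes iface=android.content.IContentService code=2 reply=0
pkg=com.example.notes iface=android.view.IWindowSession code=3 reply=1
pkg=com.evil.dialer iface=com.android.internal.telephony.ISms code=5 reply=0
pkg=com.evil.dialer iface=com.android.internal.telephony.ISms code=5 reply=0
pkg=com.evil.dialer iface=android.location.ILocationManager code=1 reply=0
pkg=com.evil.dialer iface=android.content.IContentService code=2 reply=0
pkg=com.evil.dialer iface=android.app.IActivityManager code=12 reply=0
pkg=com.evil.dialer iface=com.android.internal.telephony.IPhoneSubInfo code=3 reply=0
"""
LABELS = {"com.example.notes": "benign", "com.evil.dialer": "malicious"}


def run_demo():
    """Extract features from TRACE, classify each package, return (preds, f1)."""
    cents = centroids(TRAIN)
    feats = features(TRACE.splitlines())
    preds = {pkg: classify(vec, cents) for pkg, vec in feats.items()}
    f1 = f1_score([LABELS[p] for p in preds], list(preds.values()))
    return preds, f1


if __name__ == "__main__":
    print(run_demo())
```

The high-risk share is the feature that separates the two constructed apps most sharply (0.2 for the note-taking app versus roughly 0.83 for the SMS-sending one); in practice the per-group fractions and that share would be one part of a larger feature set, and the centroid model would be replaced by whatever classifier the evaluation favours.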