TRAPDROID: Bare-Metal Android Malware Behavior Analysis Framework

Abstract

In the realm of mobile devices, malicious applications pose considerable threats to individuals, companies and governments. Cyber security researchers are in a constant race against malware developers and analyze their new methods to exploit them for better detection. In this paper, we present TRAPDROID, a dynamic malware analysis framework mostly focused on capturing unified behavior profiles of applications by analyzing them on physical devices in real-time. Our framework processes events, which are collected from system calls, binder communications, process stats, and hardware performance counters and combines them into a simple, yet meaningful behavior format. We evaluated our framework’s detection rate and performance by analyzing an up-to-date malware dataset, which also contains specially crafted applications with malicious intent. The framework is easy to use, fast and providing high accuracy in malware detection with relatively low overhead.