
I am developing an Android app to detect malicious apps. We are planning to detect malicious apps based on the requested permissions. Will permissions alone help us to detect malicious apps, or do we need to consider characteristics like use of dynamic code, usage of static HTTP URLs? Any help appreciated.

kj creations
  • Your question seems ambiguous. `Currently i am able to get list of all permissions`... cool, but what does this matter to the question? `I also want to know if static http url is used` As far as I know, you can't do this, unless you can check every String in someone's code, then check if it's being altered. `detect presence of dynamic code` What dynamic code, in what language? A script is always dynamic, a Java class is never dynamic. DEX is always dynamic, etc. etc... – Bonatti Mar 21 '16 at 11:38
  • Ok, sir, I have corrected the question, please check. – kj creations Mar 21 '16 at 16:00

1 Answer


I will break down this question into several smaller parts:

detect malicious apps

This is perhaps the hardest part of what you desire to do. Most anti-virus, anti-malware, etc. will usually search for a "footprint" in the source code of the binary that is generating the instructions. If you find a number of footprints above a threshold, you can guess that the file is malware.

we are planning to detect malicious apps based on the requested permission

I am going to say explicitly: no...

As far as I have seen, most "weird" requests are usually due to the programmers not fully understanding what the permission grants, or even why/what it is necessary for.

This is so much of an endemic problem that Google itself changed how permissions work (if I am not mistaken, from K to L, or L to M, or something in those updates).

Then again, an alarm app that wants network access, wants to read all files in the system, wants to read/write anything anywhere, wants to use your GPS, etc. etc., then that looks like malware in itself (and usually no READING user would use it).

do we need to consider characteristics like use of dynamic code

Yes. While Java itself cannot interpret its code "on-the-fly", DEX allows us to. And the most common hijacks are usually apps that do nothing, but then create an entry point to render JavaScript content and perform some unexpected code.

usage of static http url

That is in itself not that much of a risk, since most browsers will request some security credential, and at least warn the user that he is on an un-trusted network. A secondary problem that usually arises is generating the URL "on-the-fly", then making an empty request to alter its request to that.

If an app is then requesting any web-based content bypassing the system (not a security issue, sometimes the programmer is simply making "less effort than necessary to fulfill a client request"), then looking at static addresses, or even IPs, is usually of no significant security value.

Bonatti
  • Sir, how to search for a "footprint" in the source code of the binary of an Android app that is generating the instructions? – kj creations Mar 22 '16 at 04:44
  • A "footprint" is a sequence of bits and bytes that is commonly found in undesired programs. While they themselves are harmless, a malware usually implements a way for its code to generate unwanted instructions. For instance, a `JS (JavaScript)` file could contain a set of instructions that evaluate to a redirection of page requests; its "footprint" would be any sequence that would lead to the command of redirection, and (usually) a way to evaluate a value to a string, thus hiding its true purpose.... Most anti-virus companies are "worth" their compendium, and the engine that can predict them. – Bonatti Mar 22 '16 at 11:24
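The answer's three signals (permissions judged against what the app's category plausibly needs, markers of dynamic code loading, and hard-coded plain-HTTP URLs) can be combined into a small static triage, shown here as an added example that is not code from the question, the answer, or any real scanner. The manifest, the "strings extracted from classes.dex" list, the per-category permission baseline and the scoring weights are all constructed for illustration; a real system would learn the baseline from a large set of benign apps rather than hand-write it.

```python
"""Toy static triage of an Android app: permissions vs. category, dynamic code, plain HTTP."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: an "alarm clock" app that requests far more than an alarm needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.alarm">
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Alarm Clock"/>
</manifest>
"""

# Constructed manifest for a plausible benign alarm app (INTERNET for ads or sync).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.alarm2">
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

# Constructed stand-ins for the string table of classes.dex (what a string dump would yield).
SAMPLE_DEX_STRINGS = [
    "Landroid/app/AlarmManager;",
    "Ldalvik/system/DexClassLoader;",   # loads code that is not part of the installed APK
    "addJavascriptInterface",           # exposes Java objects to JavaScript in a WebView
    "http://203.0.113.10/cfg",          # hard-coded plain-HTTP URL (TEST-NET-3 address)
    "https://example.com/api",
]
BENIGN_DEX_STRINGS = ["Landroid/app/AlarmManager;", "https://example.com/api"]

# Hypothetical baseline of permissions an alarm app legitimately needs.
CATEGORY_BASELINE = {
    "alarm": {"android.permission.VIBRATE", "android.permission.WAKE_LOCK",
              "android.permission.RECEIVE_BOOT_COMPLETED"},
}

# Permissions whose misuse is costly to the user (subset of Android's dangerous group).
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO", "android.permission.READ_CALL_LOG",
}

# Class descriptors / method names that indicate code decided at run time.
DYNAMIC_CODE_MARKERS = {"Ldalvik/system/DexClassLoader;", "Ldalvik/system/PathClassLoader;",
                        "Ljava/lang/reflect/Method;", "addJavascriptInterface"}

HTTP_URL = re.compile(r"^http://[^\s\"']+$")


def requested_permissions(manifest_xml):
    """Return the set of android:name values of all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")}


def permission_findings(perms, category):
    """Permissions outside the category baseline, and which of those are dangerous."""
    unexpected = perms - CATEGORY_BASELINE[category]
    return {"unexpected": sorted(unexpected),
            "unexpected_dangerous": sorted(unexpected & DANGEROUS)}


def code_findings(strings):
    """Dynamic-code markers and plain-HTTP URLs present in the DEX string table."""
    return {"dynamic_code": sorted(s for s in strings if s in DYNAMIC_CODE_MARKERS),
            "plain_http_urls": sorted(s for s in strings if HTTP_URL.match(s))}


def triage(manifest_xml, dex_strings, category):
    """Combine the signals; weights are arbitrary and chosen to mirror the answer's ranking."""
    p = permission_findings(requested_permissions(manifest_xml), category)
    c = code_findings(dex_strings)
    # One out-of-category permission is weak evidence; dangerous ones and dynamic code
    # weigh more; a plain HTTP URL alone adds little.
    score = (len(p["unexpected"]) + 3 * len(p["unexpected_dangerous"])
             + 4 * len(c["dynamic_code"]) + len(c["plain_http_urls"]))
    return {"permissions": p, "code": c, "score": score, "suspicious": score >= 10}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS, "alarm"))
    print(triage(BENIGN_MANIFEST, BENIGN_DEX_STRINGS, "alarm"))
```

The benign manifest scores 1 (one unexpected but harmless permission) and is not flagged, while the over-privileged one with a DexClassLoader reference and a JavaScript bridge scores 26; this is the answer's point that a single odd permission means little, whereas the combination of out-of-category dangerous permissions and dynamic code is what deserves attention.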