SYSTEM ARCHITECTURE AND WORKFLOW – ANDROID MOBILE MALWARE

Our developed security framework is designed to be generic,and can operate as a cloud-based service. The primary com-ponents are the Security Server, the Google Cloud Messaging(GCM) service, the Mobile Application, and the AnalysisTestbed, as outlined below. In combination, they provide thescaffolding for the interconnection of the mobile device to apowerful analysis testbed.

Security Server:The security hub is a typical LAMP(Linux, Apache, MySQL, PHP) server. Specifically, the Linux operating system is Ubuntu 14.04 server, runningApache2, MySQL 5.5 and PHP-5. The server is managed by the web application programmed in PHP, implementing the La ravel 5 framework, and the requisite dependencies. The web application utilizes the MySQL relational database model to store and manage smartphone system information, and application and log data, received from connected Android devices. It also provides the interface for security visualization for the security operator.

GCM:Google Cloud Messaging is a cloud-based mes-saging service provided by Google for developing applications compatible with Android, iOS, and Chrome. The primary feature of the GCM is to provide an authenticated project message host that queues messages while the device is not connected, and supports upstream and downstream messaging.

Mobile App:The mobile application is developed for Android OS devices. While operating, the mobile appli-cation is designed to listen for GCM messages and send system, application, and log data to the security server upon request for security analysis

Data Analysis:The Data Analysis module utilizes Software [17] to analyze the test data set comprised of dynamically obtained Android system calls and static permission information of malicious and benign appli-cations. From the training analysis, the module can make predictive assertions about new applications based on their attributes.

The workflow, shown in Figure 1, illustrates the typicalinteraction between the system components. The two time-dependent system operations are on Startup of the application,and Daily updates to identify system changes. These dailyupdates can additionally be initiated from the visualization inthe security hub, at the discretion of a security administrator.Startup– (1) Upon initializing the Android application, theGCM server is contacted to retrieve the registration token.This enables the initialization of new devices, as well as forsituations where the registration ID is refreshed. After (2)retrieving the registration token, (3) the application contactsthe web server and passes three key values: the GCM regis-tration token, and the device Brand and Serial. The applicationserver then queries the database for the target data. If theinformation matches, no further action is taken. However, ifthe GCM registration token has changed, it is then updatedin the database. Should the device identifying information notbe found, it is immediately added to the database, and (4)the server messages the GCM server, requesting additionalsystem information from the device. (5) The GCM serverpasses the message to the device, and (6) the device passesthe requested data to the web server to be added to the newlycreated database entry.Daily– (7) Independently, the web server will message theGCM server daily, requesting application data for analysis.(8) The GCM will pass along the request when the device isconnected. (9) The device then transmits the requested data tothe web server for analysis. The received device informationis stored in the database, preprocessed, and (10) transmitted tothe analysis module. The analysis module then operates on thedata and determines the risks, if any. The module composesa report that is (11) returned to the web server. This report isstored in the database as for review, and copies are transmittedto the security official and the (12) GCM server. Finally, theGCM server (13) delivers the report to the device.Once a device has been registered, the security server,running in the cloud, sends daily messages to the GCM. Download Link TheGCM queues the messages and transmits the requests to themobile device. The mobile app, listening for GCM messages,processes the requests and responds to the server directly. Oncethe requested data is received by the server, it updates thedatabase and triggers the analysis module. The module reducesthe data and determines the status of the mobile device. If thedevice has been compromised, notification is sent to both thesecurity officer, as well as to the mobile device.

Open chat