Abstract
As the most widely used mobile operating system for smartphones, Android is challenged by fast-growing security problems caused by malicious applications (apps). The behaviors of malicious apps are becoming more and more inconspicuous, which greatly increases the difficulty of security detection. This paper provides a new dynamic method, called DroidInjector, to further enrich Android malware detection technologies. DroidInjector is a process injection-based dynamic tracking method for monitoring the behaviors of a target app while it is running. In contrast to existing works, 1) DroidInjector uses a ptrace-based technology to attach itself to the process of the target app, so tracking can be done on smartphones or emulators without modifying the Android OS; 2) DroidInjector can monitor security-sensitive Java API calls in the Android Runtime (Android Virtual Machine) by hooking the APIs related to Android component lifecycle phases, dynamic library loading, multi-threading, inter-component and inter-process communications, and system resources. Thus, DroidInjector supports flexible deployments and is able to provide fine-grained, context-aware, flow-aware and library-aware tracking of API calls for the target app. DroidInjector is validated in extensive experiments through performance evaluation, application evaluation and case evaluation for multiple malicious and benign apps running on several smartphones installed with standard or customized Android systems.