RTPDroid: Detecting Implicitly Malicious Behaviors Under Runtime Permission Model

Abstract

In Android 6.0 and above, the install-time permission model is replaced with the runtime permission model (RPM), where permission requesting is performed at runtime, rather than at install time, to protect users' privacy. The RPM brings certain benefits to security, but still has drawbacks that are exploitable by malware. The permission could be attained under a reasonable context and then be freely used under another context for executing malicious behavior without notifying users. In addition, the RPM may cause bugs when developers forget to add permission checking before using it. Motivated by this, we propose RTPDroid, an approach to detect implicitly malicious behaviors and bugs brought by the RPM. To do so, implicitly malicious behaviors and bugs are defined formally. Then, notions of user-aware contexts as well as user-aware call graphs are defined and utilized for the detection. Experiments on 221 real-world apps reveal 131 bugs and 174 implicitly malicious behaviors under the RPM.