Table 4 Example of parsing rules for detecting malicious behavior
Behavior factor | Parsing rule | Comment |
|---|---|---|
Sending SMS | mms.transaction.SmsReceiverService | SMS |
Calling | access(/system/app/Phone.apk ~ ) | |
writev(3, OutgoingCallBroadcaster ~) | Calling | |
Sending sensitive information | open(/proc/cpuinfo ~ ), write(1, Processor ~) | CPU Spec. |
open(/sdcard ~ ), stat64(/sdcard/~ ) | Storage access | |
stat64(/system/app/MediaProvider.apk), | ||
access(/data/~/com.android.providers.media/databases), | ||
com.android.providers.media.MediaScannerService), | ||
open(/data/dalvik-cache/system@app @MediaProvider.apk@classes.dex) | Media file | |
{stat64 | open | access}(/system/app/Contacts.apk), | ||
{stat64 | open} (/data/~ @Contacts.apk@classes.dex) | Contact information | |
\(\langle \)map\(\rangle \) \(\sim \) \(\{\) NET_OP | mcc | mnc } \(\sim \) \(\langle \setminus \)map\(\rangle \), \(\langle \)map\(\rangle \) \(\sim \) \(\{\) networkOperator | sim_operator } \(\sim \) \(\langle \setminus \)map\(\rangle \) | MCC, MNC | |
\(\langle \)map\(\rangle \) \(\sim \) \(\{\) affid | did | device_id | andide } \(\sim \) \(\langle \setminus \)map\(\rangle \) | Device ID | |
\(\langle \)map\(\rangle \) \(\sim \) \(\{\) osversion | device_type } \(\sim \) \(\langle \setminus \)map\(\rangle \) | OS version | |
\(\langle \)map\(\rangle \) \(\sim \) \(\{\) manufacturer | phoneModel | device_name | model } \(\sim \) \(\langle \setminus \)map\(\rangle \) | Device | |
\(\langle \)map\(\rangle \) \(\sim \) \(\{\) network | wifi } ~ \(\langle \setminus \)map\(\rangle \) | Wifi information | |
\(\langle \)map\(\rangle \) \(\sim \) \(\{\) carrier | device_carrier } ~ \(\langle \setminus \)map\(\rangle \) | Carrier | |
\(\langle \)map\(\rangle \) \(\sim \) \(\{\) imei | imsi } \(\sim \) \(\langle \setminus \)map\(\rangle \) | IMEI, IMSI | |
\(\langle \)map\(\rangle \) \(\sim \) \(\{\) longitude | latitude } \(\sim \) \(\langle \setminus \)map\(\rangle \) | Location | |
\(\langle \)map\(\rangle \) \(\sim \) \(\{\) location | country_code | locale } \(\sim \) \(\langle \setminus \)map\(\rangle \) | Country code | |
\(\langle \)map\(\rangle \) \(\sim \) \(\{\) language } \(\sim \) \(\langle \setminus \)map\(\rangle \) | Language | |
Converting data | \(\{\)sendto | OpenNet | SendNet | DataLeak} ( \(\sim \) Content-Encoding: gzip \(\sim \) ) | Encoding algorithm |
\(\{\)sendto | OpenNet | SendNet | DataLeak}( \(\sim \) CryptoUsage: \(\{\)DES|AES|Blowfish} \(\sim \) ) | Cipher algorithm |