Signature-based detection of privilege-escalation attacks on Android

Android has become a major player in smartphone software arena, thanks to the massively positive reception of Google Play by the developers and users alike. In general, Android applications follow a set of permissions, which are used for access control. However, through the privilege-escalation vulnerability, a malicious application can escalate itself and access an un-permitted resource. Consequently, serious security and safety exploits such as privacy violation, reverse-shell access to the device, and drive-by downloads may occur. We propose a flexible and efficient defense mechanism against such exploits. Our solution - SAndroid, is an extensible and a lightweight application. It provides enhanced safety and security against privilege escalation attacks through rapid detection. SAndroid is based on active monitoring and detection of malicious applications through tracking of system logs and malicious process signatures. The assurance of safety provided by SAndroid is confirmed through design, testing, and verification. SAndroid follows modular approach permitting high flexibility and efficiency. Through real experiments, we confirmed that SAndroid is an efficient and low cost solution having negligible false-positives. This paper describes the architecture and design of the SAndroid framework and provides details of our experiments.