Defensor: Lightweight and Efficient Security-Enhanced Framework for Android

2014 
The Android market has grown explosively in recent years. Unfortunately, this popularity has made the Android platform the main target of mobile malware, and the limited security protection built into Android makes the situation much worse. In this paper, we present a new framework named Defensor, designed with both practicability and effectiveness in mind. The core of Defensor is built into the Linux kernel, which keeps the trusted computing base (TCB) small. Defensor is a system-wide, lightweight inspection framework. It closely monitors malicious behaviors within and across applications, such as sending SMS to premium-rate numbers, stealing private data from the compromised device, and obtaining root privileges through root exploits. The monitoring is mandatory: no application installed on the phone, and no component of it, including malicious native code, can bypass it. Defensor not only rebuilds high-level behaviors from system calls, but also extracts the context in which each behavior runs. Context information, such as whether a behavior occurs in the foreground or in the background, contributes substantially to the accuracy of malware detection. We have tested Defensor on real malware to demonstrate its effectiveness. Finally, an experimental evaluation shows that the overhead introduced by Defensor is limited.
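The abstract describes two ideas that are easy to state but worth seeing concretely: folding a raw system-call stream back into high-level behaviors (premium SMS, data theft, root attempts), and letting foreground/background context change the verdict. The following is an added illustration written for this page; it is not Defensor's code and says nothing about how Defensor itself hooks the kernel. The trace record format, the `ctx` records that stand in for foreground-app information, the UIDs and paths, the short-code heuristic for premium numbers and the severity policy are all assumptions of the example, and the sample trace is constructed rather than captured.

```python
"""Added example (not Defensor's code): rebuild high-level behaviours from a
stream of system-call records and tag each with foreground/background context.
Record format, ctx records, UIDs, the short-code heuristic and the severity
policy are all assumptions made for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Event:
    ts: int
    pid: int
    uid: int
    call: str
    args: Dict[str, str]


@dataclass
class Behaviour:
    ts: int
    uid: int
    pid: int
    kind: str      # send_sms | exfiltrate_private_data | root_attempt
    detail: str
    context: str   # foreground | background


@dataclass
class ProcState:
    fds: Dict[int, str] = field(default_factory=dict)   # fd -> path or net:addr:port
    tainted: Set[str] = field(default_factory=set)      # private sources read so far


# Constructed trace, not a real capture. Line format: ts pid uid call k=v ...
# "ctx foreground=UID" stands in for the activity-manager information a kernel
# monitor would consult; that mechanism is an assumption of this example.
SAMPLE_TRACE = """\
100 1 0 ctx foreground=10052
101 2310 10052 openat path=/data/data/com.example.notes/notes.db ret=12
102 2310 10052 read fd=12 n=4096
110 1 0 ctx foreground=10060
111 2310 10052 ioctl dev=/dev/binder service=isms method=sendText dest=88888
112 2310 10052 openat path=/data/data/com.android.providers.contacts/databases/contacts2.db ret=14
113 2310 10052 read fd=14 n=65536
114 2310 10052 socket family=AF_INET ret=15
115 2310 10052 connect fd=15 addr=203.0.113.9 port=443
116 2310 10052 write fd=15 n=65536
117 2311 10052 execve path=/system/xbin/su
120 1 0 ctx foreground=10052
121 2310 10052 ioctl dev=/dev/binder service=isms method=sendText dest=15551230000
"""

PRIVATE_PATHS = {  # assumed locations of private data stores
    "/data/data/com.android.providers.contacts/": "contacts",
    "/data/data/com.android.providers.telephony/": "sms",
}
SU_BINARIES = {"/system/bin/su", "/system/xbin/su"}
SHORT_CODE = re.compile(r"^\d{3,6}$")   # premium short-code heuristic (assumption)


def parse_trace(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, uid, call, *kv = line.split()
        args = dict(item.split("=", 1) for item in kv)
        events.append(Event(int(ts), int(pid), int(uid), call, args))
    return events


def _private_source(path: str) -> Optional[str]:
    for prefix, name in PRIVATE_PATHS.items():
        if path.startswith(prefix):
            return name
    return None


def reconstruct(events: List[Event]) -> List[Behaviour]:
    """Fold raw syscalls into behaviours, tagging each with the context it ran in."""
    fg_uid = None
    procs: Dict[int, ProcState] = {}
    out: List[Behaviour] = []

    def emit(ev: Event, kind: str, detail: str) -> None:
        ctx = "foreground" if ev.uid == fg_uid else "background"
        out.append(Behaviour(ev.ts, ev.uid, ev.pid, kind, detail, ctx))

    for ev in events:
        if ev.call == "ctx":                      # foreground app changed
            fg_uid = int(ev.args["foreground"])
            continue
        st = procs.setdefault(ev.pid, ProcState())
        a = ev.args
        if ev.call == "openat":
            st.fds[int(a["ret"])] = a["path"]
        elif ev.call == "socket":
            st.fds[int(a["ret"])] = "net:"
        elif ev.call == "connect":
            st.fds[int(a["fd"])] = f"net:{a['addr']}:{a['port']}"
        elif ev.call == "read":                   # reading a private store taints the process
            src = _private_source(st.fds.get(int(a["fd"]), ""))
            if src:
                st.tainted.add(src)
        elif ev.call == "write":                  # tainted process writing to the network
            target = st.fds.get(int(a["fd"]), "")
            if target.startswith("net:") and st.tainted:
                emit(ev, "exfiltrate_private_data",
                     f"{','.join(sorted(st.tainted))} -> {target[4:]}")
        elif ev.call == "ioctl" and a.get("service") == "isms" and a.get("method") == "sendText":
            emit(ev, "send_sms", a["dest"])
        elif ev.call == "execve" and a["path"] in SU_BINARIES:
            emit(ev, "root_attempt", a["path"])
    return out


def evaluate(behaviours: List[Behaviour]) -> List[tuple]:
    """Policy: the context changes the verdict, not only the behaviour itself."""
    verdicts = []
    for b in behaviours:
        if b.kind == "send_sms":
            premium = bool(SHORT_CODE.match(b.detail))
            if premium and b.context == "background":
                sev = "high"      # user cannot see the premium SMS being sent
            elif premium:
                sev = "medium"    # visible to the user, may be legitimate
            else:
                sev = "info"
        elif b.kind == "exfiltrate_private_data":
            sev = "high" if b.context == "background" else "medium"
        else:                     # root_attempt
            sev = "high"
        verdicts.append((b.kind, b.context, sev, b.detail))
    return verdicts


if __name__ == "__main__":
    for v in evaluate(reconstruct(parse_trace(SAMPLE_TRACE))):
        print(v)
```

The same short-code SMS is rated "high" when the app is in the background and only "medium" when it is the foreground app, which is the accuracy gain the abstract attributes to context information; the exfiltration detector pairs a read of a private store with a later write to a network socket by the same process, so neither syscall alone triggers it.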