Anomaly-based exploratory analysis and detection of exploits in android mediaserver

Anomaly-based exploratory analysis and detection of exploits in android mediaserver

For access to this article, please select a purchase option:

Buy article PDF
(plus tax if applicable)
Buy Knowledge Pack
10 articles for £75.00
(plus taxes if applicable)

IET members benefit from discounts to all IET publications and free access to E&T Magazine. If you are an IET member, log in to your account and the discounts will automatically be applied.

Learn more about IET membership 

Recommend Title Publication to library

You must fill out fields marked with: *

Librarian details
Your details
Why are you recommending this title?
Select reason:
IET Information Security — Recommend this title to your library

Thank you

Your recommendation has been sent to your librarian.

Smartphone platforms are becoming increasingly complex, which gives way to software vulnerabilities difficult to identify and that might allow malware developers to gain unauthorised privileges through technical exploitation. However, the authors maintain that these types of attacks indirectly renders a number of unexpected behaviours in the system that can be profiled. In this work, the authors present CoME, an anomaly-based methodology aiming at detecting software exploitation in Android systems. CoME models the normal behaviour of a given software component or service and it is capable of identifying any unanticipated behaviour. To this end, they first monitor the normal operation of a given exploitable component through lightweight virtual introspection. Then, they use a multivariate analysis approach to estimate the normality model and detect anomalies. They evaluate their system against one of the most critical vulnerable and widely exploited services in Android, i.e. the mediaserver. Results show that the proposed approach can not only provide a meaningful explanatory of discriminant features for illegitimate activities, but can also be used to accurately detect malicious software exploitations at runtime.


    1. 1)
      • 1. IDC: ‘Worldwide quarterly smart connected device tracker’. Tech. rep., International Data Corporation, 2015.
    2. 2)
      • 2. Cisco: ‘Cisco visual networking index: global mobile data traffic forecast update, 2015–2020’. Tech. rep., Cisco, 2015.
    3. 3)
      • 3. Suarez-Tangil, G., Stringhini, G.: ‘Eight years of rider measurement in the android malware ecosystem: evolution and lessons learned’, arXiv preprint arXiv:1801.08115.
    4. 4)
      • 4. Lyne, J.: ‘Security threat trends 2015. Predicting what cybsersecurity will look like in 2015 and beyond’. Tech. rep., Sophos, 2015.
    5. 5)
      • 5. Kaspersky: ‘Kaspersky security bulletin 2015. 2016 predictions’. Tech. rep., Kaspersky, 2015.
    6. 6)
      • 6. Symantec: ‘2016 internet security threat report’. Tech. rep., Symantec, 2016.
    7. 7)
      • 7. Cao, C., Gao, N., Liu, P., et al: ‘Towards analyzing the input validation vulnerabilities associated with android system services’. Proc. of the 31st Annual Computer Security Applications Conf. (ACSAC), Los Angeles (CA), USA, 2015, pp. 361370.
    8. 8)
      • 8. Jimenez, M., Papadakis, M., Bissyandé, T.F., et al: ‘Profiling android vulnerabilities’. 2016 IEEE Int. Conf. on Software Quality, Reliability and Security (QRS), Vienna, Austria, 2016, pp. 222229.
    9. 9)
      • 9. van der Veen, V., Fratantonio, Y., Lindorfer, M., et al: ‘Drammer: deterministic rowhammer attacks on mobile platforms’. 23rd ACM Conf. on Computer and Communications Security (CCS), Vienna, Austria, 2016.
    10. 10)
      • 10. Fratantonio, Y., Bianchi, A., Robertson, W., et al: ‘Triggerscope: towards detecting logic bombs in android apps’. Proc. of the IEEE Symp. on Security and Privacy (S&P), San Jose, CA, 2016.
    11. 11)
      • 11. Ruiz-Heras, A., García-Teodoro, P., Sánchez-Casado, L.: ‘ADroid: anomaly-based detection of malicious events in android platforms’, Int. J. Inf. Secur., 2017, 16, (4), pp. 371384.
    12. 12)
      • 12. Forrest, S., Hofmeyr, S., Somayaji, A.: ‘The evolution of system-call monitoring’. Annual Computer Security Applications Conf., 2008. ACSAC 2008, Anaheim (CA), USA, 2008, pp. 418430.
    13. 13)
      • 13. Mutz, D., Valeur, F., Vigna, G., et al: ‘Anomalous system call detection’, ACM Trans. Inf. Syst. Secur., 2006, 9, (1), pp. 6193.
    14. 14)
      • 14. Pieczul, S.F.O.: ‘Runtime detection of zero-day vulnerability exploits in contemporary software systems’. DBSec 2016: Data and Applications Security and Privacy XXX, Trento, Italy, 2016 (LNCS, 9766), pp. 347363.
    15. 15)
      • 15. Camacho, J., Pérez-Villegas, A., García-Teodoro, P., et al: ‘PCA-based multivariate statistical network monitoring for anomaly detection’, Comput. Secur., 2016, 59, pp. 118137.
    16. 16)
      • 16. Tam, K., Khan, S., Fattori, A., et al: ‘Copperdroid: automatic reconstruction of android malware behaviors’. NDSS, San Diego (CA), USA, 2015, pp. 115.
    17. 17)
      • 17. García-Teodoro, P., Díaz-Verdejo, J., Maciá-Fernández, G., et al: ‘Anomaly-based network intrusion detection: techniques, systems and challenges’, Comput. Secur., 2009, 28, pp. 1828.
    18. 18)
      • 18. Camacho, J., Pérez-Villegas, A., Rodríguez-Gómez, R., et al: ‘Multivariate exploratory data analysis (MEDA) toolbox for Matlab’, Chemometr. Intell. Lab. Syst., 2015, 143, pp. 4957.
    19. 19)
      • 19. Dash, S., Suárez-Tangil, G., Khan, S., et al: ‘Droidscribe: classifying android malware based on runtime behavior’. Mobile Security Technologies (MoST 2016), San Jose (CA), USA, 2016, pp. 252261.
    20. 20)
      • 20. Enck, W., Ongtang, M., McDaniel, P.: ‘Understanding android security’, IEEE Secur. Priv., 2009, 1, (1), pp. 5057.
    21. 21)
      • 21. Garfinkel, T., Rosenblum, M.: ‘A virtual machine introspection based architecture for intrusion detection’. NDSS, San Jose (CA), USA, 2003, vol. 3, pp. 191206.
    22. 22)
      • 22. Lakhina, A., Crovella, M., Diot, C.: ‘Diagnosing network-wide traffic anomalies’, ACM SIGCOMM Comput. Commun. Rev., 2004, 34, (4), pp. 219230.
    23. 23)
      • 23. Kourti, T., MacGregor, J.F.: ‘Multivariate SPC methods for process and product monitoring’, J. Qual. Technol., 1996, 28, (4), pp. 409428.
    24. 24)
      • 24. Camacho, J.: ‘Observation-based missing data methods for exploratory data analysis to unveil the connection between observations and variables in latent subspace models’, J. Chemometr., 2011, 25, (11), pp. 592600.
    25. 25)
      • 25. Avraham, Z., Drake, J., Bassen, N.: ‘Experts found a unicorn in the heart of android’, 2015, Available at
    26. 26)
      • 26. Scholkopf, B., Smola, A.J., Williamson, R.C., et al: ‘New support vector algorithms’, Neural Comput., 2000, 12, (5), pp. 12071245, doi: 10.1162/089976600300015565.
    27. 27)
      • 27. Schölkopf, B., Platt, J.C., Shawe-Taylor, J., et al: ‘Estimating the support of a high-dimensional distribution’, Neural Comput., 2001, 13, (7), pp. 14431471, doi: 10.1162/089976601750264965. Available at
    28. 28)
      • 28. Chang, C.-C., Lin, C.-J.: ‘LIBSVM: a library for support vector machines’, ACM Trans. Intell. Syst. Technol., 2011, 2, pp. 27:127:27. Available at
    29. 29)
      • 29. Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K.: ‘Network anomaly detection: methods, systems and tools’, IEEE Commun. Surv. Tutorials, 2014, 16, (1), pp. 303336, doi: 10.1109/SURV.2013.052213.00046. Available at
    30. 30)
      • 30. Manevitz, L.M.: ‘One-class SVMs for document classification’, The Journal of Machine Learning Research, 2001, 2, pp. 139154.
    31. 31)
      • 31. Quinn, J.A., Sugiyama, M.: ‘A least-squares approach to anomaly detection in static and sequential data’, Pattern Recognit. Lett., 2014, 40, (1), pp. 3640, doi: 10.1016/j.patrec.2013.12.016. Available at
    32. 32)
      • 32. Heller, K., Svore, K., Keromytis, A.D., et al: ‘One class support vector machines for detecting anomalous windows registry accesses’. Workshop on Data Mining for Computer Security (DMSEC), Melbourne, FL, 19 November 2003. Available at
    33. 33)
      • 33. Chuang, H., Wang, S.: ‘Machine learning based hybrid behavior models for android malware analysis’. IEEE Int. Conf. on Software Quality, Reliability and Security, Vancouver, Canada, 2015, pp. 201216.
    34. 34)
      • 34. Suárez-Tangil, G., Tapiador, J., Peris, P., et al: ‘Evolution, detection and analysis of malware for smart devices’, IEEE Commun. Surv. Tutorials, 2014, 16, (2), pp. 961987.
    35. 35)
      • 35. Checkoway, S., Davi, L., Dmitrienko, A., et al: ‘Return-oriented programming without returns’. Proc. of CCS 2010, 2010, pp. 559572.
    36. 36)
      • 36. Kim, H., Smith, J., Shin, K.: ‘Detecting energy-greedy anomalies and mobile malware variants’. Proc. of the 6th Int. Conf. on Mobile Systems, Applications, and Services, Chicago Illinois, USA, 2008, pp. 239252.
    37. 37)
      • 37. Rosen, S., Qian, Z., Mao, Z.: ‘Appprofiler: a flexible method of exposing privacy-related behavior in android applications to end users’. Proc. of the Third ACM Conf. on Data and Application Security and Privacy, San Diego (CA), USA, 2013, pp. 221232.
    38. 38)
      • 38. Bugiel, S., Davi, L., Dmitrienko, A., et al: ‘XManDroid: a new android evolution to mitigate privilege escalation attacks’. Tech. rep., Technische Universitat Darmstadt, 2011.
    39. 39)
      • 39. Grace, M., Zhou, Y., Wang, Z., et al: ‘Systematic detection of capability leaks in stock android smartphones’. Proc. of the 19th Annual Symp. on Network and Distributed System Security, San Diego (CA), USA, 2012.
    40. 40)
      • 40. Elish, K., Yao, D., Ryder, G.B., et al: ‘A static assurance analysis of android applications’. Tech. rep., Virginia Polytechnic Institute and State University, 2013.
    41. 41)
      • 41. Lu, L., Li, Z., Wu, Z., et al: ‘CHEX: statically vetting android apps for component hijacking vulnerabilities’. Proc. of the 2012 ACM Conf. on Computer and Communications Security, Raleigh (NC), USA, 2012, pp. 229240.
    42. 42)
      • 42. Grace, M., Zhou, Y., Zhang, Q., et al: ‘Riskranker: scalable and accurate zero-day android malware detection’. Proc. of the 10th Int. Conf. on Mobile Systems, Applications, and Services, Ambleside, United Kingdom, 2012, pp. 281294.
    43. 43)
      • 43. Hao, H., Li, Z., He, Y., et al: ‘Characterization of android applications with root exploit by using static feature analysis’. Algorithms and Architectures for Parallel Processing, Springer, 2015, pp. 153165.
    44. 44)
      • 44. Wu, L.: ‘Vulnerability detection and mitigation in commodity android devices’. Ph.D. thesis, North Carolina State University, 2015.
    45. 45)
      • 45. Ho, T., Dean, D., Gu, X., et al: ‘PREC: practical root Xxploit containment for android devices’. Proc. of the 4th ACM Conf. on Data and Application Security and Privacy, S. Antonio (Texas), USA, 2014, pp. 187198.
    46. 46)
      • 46. Camacho, J., Magán-Carrión, R., García-Teodoro, P.: ‘Networkmetrics: multivariate big data analysis in the context of the internet’, J. Chemometr., 2016, 30, 9, pp. 488505.
    47. 47)
      • 47. Kim, K., Choi, M.: ‘Android malware detection using multivariate time-series technique’. 2015 17th Asia-Pacific Network Operations and Management Symp. (APNOMS), Busan, South Korea, 2015, pp. 198202.

Related content

This is a required field
Please enter a valid email address