IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware
By Michelle Y. Wong and David Lie
Presented by Alex Li (Kaimin)

What is IntelliDroid?
• IntelliDroid is an input generator used in combination with dynamic analysis tools to detect Android malware
• Focuses on generating as little input as possible without losing coverage
• Combines static and dynamic analysis

Background and Context
Static Analysis
• Performed in a non-runtime environment
• Inherently imprecise since it operates on an abstraction of the program
Dynamic Analysis
• Performed during runtime
• Only analyses code that is executed

Methods of Dynamic Analysis
• Predetermined Script – a static set of inputs to test
• Random Fuzzing – generate random sets of inputs to trigger as many behaviours as possible
• Concolic – uses symbolically derived path constraints to compute paths for inputs (will not go into detail)
• All three methods are inefficient since they do not focus on malicious activity

IntelliDroid’s Input Generation
• Trigger malicious code using as little input as possible
• Most malicious Android code requires an app to invoke an Android API. Such APIs are referred to as the set of targeted APIs
• IntelliDroid computes inputs that would trigger all targeted APIs
• The dynamic analysis tool uses the inputs to trigger malicious code

Structure of IntelliDroid’s Operation
• The static portion extracts the call paths and constraints required to trigger targeted APIs
• The dynamic portion calculates the runtime values of the constraints and generates input values

Extracting Call Paths
• Iterate through entry points (usually event handlers) and generate a partial call graph for each point
• A call graph shows a set of call paths that originate from the entry point
• The call graphs are used to identify a call path that leads to the targeted API
• Constraints along the call path are extracted
• In the example: onReceive() is the entry point
• sendTextMessage() and abortBroadcast() are Android APIs that are currently targeted
• The call path that leads to the targeted APIs goes through handleSms()
• The constraints are needsReply(addr, body) and addr.equals(this.num)

Extracting Event Chains
• Sometimes constraints depend on variables not included in the event handler’s parameters
• Call paths for these variables are also extracted. These are supporting paths
• Supporting paths and main paths combine to form event chains. All paths must be executed in order to reach the targeted API

Solving the Constraints
• During runtime, extracted constraints are solved using a third-party constraint solver
• The constraint solver determines the input values required to satisfy the constraints
• Input values are injected into the app to trigger the desired behaviour

How accurate is IntelliDroid?
• Testing involved pairing IntelliDroid with TaintDroid to detect privacy leaks
• Tested against FlowDroid (a static analysis tool) using 26 cases of privacy leaks
• IntelliDroid was able to detect all cases, whereas FlowDroid missed 7 cases
• For other malicious behaviour, 75 behaviours were tested using malware from the Android Malware Genome
• IntelliDroid paired with the appropriate dynamic analysis tool was able to detect 70 of 75 cases
• IntelliDroid was unable to detect cases with complex constraints due to limitations of the third-party constraint solver

How fast is IntelliDroid?
• 1260 malware samples from the Android Malware Genome and 1066 apps from the Android Observatory were tested
• A 60 minute limit was set for IntelliDroid to complete all of the above tests
• IntelliDroid was able to analyse 88.1% of the above samples, averaging 138.4 seconds per app
• This is estimated to be 10 times as fast as other state-of-the-art input generation methods

Criticism
• Effectiveness is highly dependent on the dynamic analysis tool
• Complex functions in constraints are unsolvable (hash functions, trigonometric functions)
• Malware that does not call Android APIs will not be detected
• Missing edges in call graphs can prevent targeted APIs from being reached
• Obfuscation techniques can prevent extracting complete call graphs (e.g. masquerading malicious code as dead code)
• Malware that incorporates encryption will not be picked up, as encryption prevents the encrypted constraints from being solved
• Call graphs are extracted statically. This means reflection can potentially invalidate call graphs

Conclusion
• IntelliDroid is a reasonably accurate input generator with excellent performance compared to other methods
• Must be paired with dynamic analysis tools
• The concept of targeted APIs could be used by dynamic analysis tools to improve performance
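The following is an added toy model of the pipeline described in the slides (call path extraction, event chains with supporting paths, and constraint solving); it is illustrative code written for this summary, not code from IntelliDroid or the paper. The app model, the field writer table, the constraint forms ("eq", "contains", "hash_eq") and all method names other than the ones on the slides (onReceive, handleSms, needsReply, sendTextMessage, abortBroadcast) are constructed assumptions, and the tiny solver stands in for the third-party constraint solver the slides mention.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed toy app model (not a real app): each method lists the calls it makes
# as (callee, constraints), where the constraints must hold for the call to execute.
# A constraint is ("eq", var, operand), ("contains", var, literal) or an unsupported
# form such as ("hash_eq", var, digest). An operand beginning with "this." names a
# field written on a supporting path. needsReply(addr, body) is modelled as its
# inlined body: the message body must contain "reply" (constructed assumption).
APP: Dict[str, List[Tuple[str, List[tuple]]]] = {
    "onReceive": [("handleSms", [("eq", "addr", "this.num")])],
    "handleSms": [
        ("needsReply", []),
        ("sendTextMessage", [("contains", "body", "reply")]),
        ("abortBroadcast", [("contains", "body", "reply")]),
    ],
    "needsReply": [],
    "onCreate": [("setNum", [])],          # supporting path: assigns this.num
    "setNum": [],
    "onClick": [("showToast", [])],
    "showToast": [],
    "onNewIntent": [("leakContacts", [("hash_eq", "token", "ab12")])],
    "leakContacts": [],
}
# Field -> (handler that writes it, constructed value it stores).
FIELD_WRITERS = {"this.num": ("onCreate", "5556")}
ENTRY_POINTS = ["onReceive", "onCreate", "onClick", "onNewIntent"]
TARGETED_APIS = {"sendTextMessage", "abortBroadcast", "leakContacts"}


def find_call_path(entry: str, target: str) -> Optional[Tuple[List[str], List[tuple]]]:
    """Breadth-first walk of the partial call graph rooted at `entry`. Returns the
    first call path that reaches `target` plus the constraints collected along it."""
    queue = deque([([entry], [])])
    seen = {entry}
    while queue:
        path, constraints = queue.popleft()
        if path[-1] == target:
            return path, constraints
        for callee, guards in APP.get(path[-1], []):
            if callee not in seen:
                seen.add(callee)
                queue.append((path + [callee], constraints + guards))
    return None


def solve(constraints: List[tuple], fields: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Stand-in for the third-party solver: handles equality and substring
    constraints only. Returns None when constraints conflict or use an operation
    the solver cannot invert (e.g. a hash), mirroring the limitation on the slides."""
    values: Dict[str, str] = {}
    for kind, var, operand in constraints:
        if kind == "eq":
            want = fields.get(operand, operand) if operand.startswith("this.") else operand
            if var in values and values[var] != want:
                return None
            values[var] = want
        elif kind == "contains":
            if var in values:
                if operand not in values[var]:
                    return None
            else:
                values[var] = operand
        else:
            return None
    return values


def generate_inputs(target: str) -> Optional[dict]:
    """For a targeted API, find an entry point whose call path reaches it, build the
    event chain (supporting paths first, then the main path) and solve the inputs."""
    for entry in ENTRY_POINTS:
        found = find_call_path(entry, target)
        if found is None:
            continue
        path, constraints = found
        fields: Dict[str, str] = {}
        chain: List[Tuple[str, Dict[str, str]]] = []
        for _, _, operand in constraints:
            if operand.startswith("this.") and operand in FIELD_WRITERS:
                handler, value = FIELD_WRITERS[operand]
                fields[operand] = value
                chain.append((handler, {}))      # supporting path, run first
        inputs = solve(constraints, fields)
        if inputs is None:
            continue                              # unsolvable for this entry point
        chain.append((entry, inputs))             # main path with concrete inputs
        return {"path": path, "event_chain": chain}
    return None


if __name__ == "__main__":
    for api in sorted(TARGETED_APIS):
        print(api, "->", generate_inputs(api))
```

Running the block shows one event chain per reachable targeted API: onCreate is executed first so that this.num holds a value, then onReceive is fired with addr equal to that value and a body satisfying the inlined needsReply check. leakContacts yields no inputs because its only path is guarded by a hash of the input, which the toy solver, like the solver discussed on the slides, cannot invert.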