Abstract:
In recent years the PC has been replaced by mobile devices for many security sensitive operations, both from a privacy and a financial standpoint. Therefore the stark increase in malware targeting Android, the mobile OS with the largest market share, was bound to happen. While device vendors are taking their precautions with app-store and on-device scanning, limitations abound, mainly related to the malware signature-based detection approach. This situation calls for an additional protection layer that detects unknown malware that breaches existing countermeasures. In this work we propose SpotCheck, an anomaly detector intended to run on Android devices. It samples app executions and submits any suspicious apps to more thorough processing by malware sandboxes. We compare Kernel Principal Component Analysis (KPCA) and Variational Autoencoders (VAE) on app execution representations based on the well-known system call traces, as well as a novel approach based on memory dumps. Results show that when using VAE, SpotCheck attains a level of effectiveness comparable to what has been previously achieved for network anomaly detection. Even more interesting, the KPCA anomaly detector managed comparable effectiveness even for the experimental memory dump approach. Overall, these promising results present a solid platform upon which to strive for an improved design.
Authors: Mark Vella; Christian Colombo.
Conference: 13th International Conference on Security of Information and Networks.
Date of Publication: November 2020.
Publisher: ACM.
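As an added illustration of the KPCA anomaly-scoring idea the abstract sketches for system-call traces (this is example code written for this page, not code from the paper or from SpotCheck): a pure-Python kernel PCA detector is fitted on benign executions and scores a new execution by its reconstruction error in kernel feature space, flagging it when that error exceeds what the benign training runs produced. Everything the abstract leaves unspecified is an assumption made here: the trace representation (normalised syscall-bigram histograms with an out-of-vocabulary bucket), the RBF kernel and its gamma, the number of components, and the threshold rule; the traces themselves are constructed.

```python
"""KPCA reconstruction-error anomaly scoring over syscall-bigram histograms.
Pure Python, no third-party packages. Added example: representation, kernel,
gamma, component count and threshold rule are assumptions, not the paper's."""
import math
from collections import Counter

# Constructed sample traces (not from the paper): each is the ordered list of
# system calls observed during one sampled app execution.
BENIGN_TRACES = [
    ["open", "read", "read", "close", "mmap", "ioctl", "write", "close"],
    ["open", "read", "close", "mmap", "ioctl", "ioctl", "write", "close"],
    ["mmap", "open", "read", "read", "read", "close", "ioctl", "write"],
    ["open", "read", "close", "open", "read", "close", "ioctl", "write"],
    ["mmap", "ioctl", "open", "read", "read", "close", "write", "close"],
    ["open", "read", "ioctl", "ioctl", "write", "close", "mmap", "close"],
]
HELD_OUT_BENIGN = ["open", "read", "read", "read", "close", "mmap", "ioctl", "write", "close"]
UNUSUAL_TRACE = ["socket", "connect", "sendto", "sendto", "sendto", "recvfrom", "sendto"]
OOV = ("<oov>", "<oov>")  # bucket for bigrams never seen in training


def bigram_vocab(traces):
    """Sorted syscall-bigram vocabulary of the training traces, plus the OOV bucket."""
    return sorted({bg for t in traces for bg in zip(t, t[1:])}) + [OOV]


def bigram_vector(trace, vocab):
    """Normalised bigram histogram; every unseen bigram lands in the OOV slot."""
    known = set(vocab)
    counts = Counter(bg if bg in known else OOV for bg in zip(trace, trace[1:]))
    total = sum(counts.values()) or 1
    return [counts[bg] / total for bg in vocab]


def rbf(x, y, gamma):
    """Gaussian kernel; rbf(x, x) == 1 for every x."""
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, y)))


def jacobi_eig(A, max_sweeps=100, tol=1e-20):
    """Eigen-decomposition of a small symmetric matrix by cyclic Jacobi rotations.
    Returns (eigenvalues, eigenvectors); eigenvectors[i] belongs to eigenvalues[i]."""
    n = len(A)
    A = [row[:] for row in A]
    V = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(max_sweeps):
        if sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(A[p][q]) < 1e-30:
                    continue
                theta = (A[q][q] - A[p][p]) / (2.0 * A[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for M in (A, V):  # right-multiply A and V by the rotation
                    for k in range(n):
                        mkp, mkq = M[k][p], M[k][q]
                        M[k][p], M[k][q] = c * mkp - s * mkq, s * mkp + c * mkq
                for k in range(n):  # left-multiply A by the rotation's transpose
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [A[i][i] for i in range(n)], [[V[k][i] for k in range(n)] for i in range(n)]


class KPCADetector:
    """Anomaly score = squared distance, in kernel feature space, between the
    centred image of a point and its projection onto the leading principal
    subspace of the benign training set (the reconstruction error)."""

    def __init__(self, gamma=2.0, n_components=3, margin=1.5):
        self.gamma, self.n_components, self.margin = gamma, n_components, margin

    def fit(self, X):
        n = len(X)
        self.X = X
        K = [[rbf(a, b, self.gamma) for b in X] for a in X]
        self.row_mean = [sum(row) / n for row in K]
        self.grand_mean = sum(self.row_mean) / n
        # Centre the Gram matrix so components are taken about the feature-space mean.
        Kc = [[K[i][j] - self.row_mean[i] - self.row_mean[j] + self.grand_mean
               for j in range(n)] for i in range(n)]
        vals, vecs = jacobi_eig(Kc)
        self.alphas = []
        for i in sorted(range(n), key=lambda j: -vals[j])[: self.n_components]:
            if vals[i] <= 1e-9:
                break
            # Dividing by sqrt(lambda) makes each component a unit vector in feature space.
            self.alphas.append([v / math.sqrt(vals[i]) for v in vecs[i]])
        train_scores = [self.score(x) for x in X]
        self.threshold = self.margin * max(train_scores)  # assumed rule: margin over benign max
        return train_scores

    def score(self, z):
        n = len(self.X)
        kz = [rbf(z, x, self.gamma) for x in self.X]
        kz_mean = sum(kz) / n
        # Centred kernel values between z and each training point.
        kc = [kz[i] - kz_mean - self.row_mean[i] + self.grand_mean for i in range(n)]
        norm_sq = 1.0 - 2.0 * kz_mean + self.grand_mean  # ||centred phi(z)||^2 (rbf(z, z) == 1)
        proj_sq = sum(sum(a * k for a, k in zip(alpha, kc)) ** 2 for alpha in self.alphas)
        return norm_sq - proj_sq

    def is_anomalous(self, z):
        return self.score(z) > self.threshold


def run_demo():
    vocab = bigram_vocab(BENIGN_TRACES)
    det = KPCADetector()
    train_scores = det.fit([bigram_vector(t, vocab) for t in BENIGN_TRACES])
    out = {"threshold": det.threshold, "max_train_score": max(train_scores)}
    for name, trace in (("held_out_benign", HELD_OUT_BENIGN), ("unusual", UNUSUAL_TRACE)):
        v = bigram_vector(trace, vocab)
        out[name + "_score"], out[name + "_flagged"] = det.score(v), det.is_anomalous(v)
        print(f"{name:16s} score={out[name + '_score']:.4f} flagged={out[name + '_flagged']}")
    return out


if __name__ == "__main__":
    run_demo()
```

The score follows the standard kernel-PCA novelty formulation: with the centred Gram matrix's eigenvectors scaled by 1/sqrt(lambda), the components are orthonormal in feature space, so the reconstruction error is the centred squared norm minus the sum of squared projections. A useful sanity check on any such implementation is to keep all positive components (n_components equal to the training size minus one), in which case every training point must score zero.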