BPFroid: Robust Real Time Android Malware Detection Framework
This addresses malware detection for Android users and developers, offering a robust, real-time solution with low overhead, though it appears incremental as it builds on eBPF technology for a specific domain.
The authors tackled real-time Android malware detection by developing BPFroid, a dynamic analysis framework using eBPF technology to monitor events across the Android stack without system modifications, achieving successful real-time alerts with minimal performance overhead.
We present BPFroid -- a novel dynamic analysis framework for Android that uses the eBPF technology of the Linux kernel to continuously monitor events of user applications running on a real device. The monitored events are collected from different components of the Android software stack: internal kernel functions, system calls, native library functions, and the Java API framework. As BPFroid hooks these events in the kernel, a malware is unable to trivially bypass monitoring. Moreover, using eBPF doesn't require any change to the Android system or the monitored applications. We also present an analytical comparison of BPFroid to other malware detection methods and demonstrate its usage by developing novel signatures to detect suspicious behavior that are based on it. These signatures are then evaluated using real apps. We also demonstrate how BPFroid can be used to capture forensic artifacts for further investigation. Our results show that BPFroid successfully alerts in real time when a suspicious behavioral signature is detected, without incurring a significant runtime performance overhead.