SafeGuard: a behavior based real-time malware detection scheme for mobile multimedia applications in android platform

Abstract

SafeGuard is proposed as a solution to monitor behaviors of smartphone applications in real-time and detect and block any malicious behaviors. This solution consists of a server that manages and deploys the blocking rules and the device solution that monitors various applications in Android devices. The proposed scheme provides users with real-time malware information such as spyware detected by the SafeGuard library upon suspicious API call within the Android platform. Except for use of Rootkit at the kernel level, the scheme can detect behaviors that use the API from the platform or caused by a combination of those APIs. The database that determines any malicious behaviors can be periodically updated to block various malicious behaviors by using preemptive responses different from existing anti-virus products. For this purpose, the behaviors of smartphone applications are classified and are defined for monitoring. The architecture to apply them is also proposed in the Android framework and the proposed scheme is applied in the Android smartphone environment to verify its stability and feasibility through measuring the overhead in the environment.