Researchers from North Carolina State University in the US have developed a new tool to detect and contain malware that attempts root exploits in Android devices.
The researchers said the tool improves on previous techniques by targeting code written in the C programming language, which is often used to create root exploitation malware, whereas the bulk of Android security applications are written in Java.
The new security tool, dubbed Practical Root Exploit Containment (PREC), refines an existing technique called anomaly detection, which compares the behavior of a downloaded smartphone application, such as Angry Birds, with a database of how the application should be expected to behave.
PREC will analyse deviations from normal behavior to determine if they are malware or harmless false positives.
The researchers said if PREC determines that an app is attempting root exploit, it effectively contains the malicious code and prevents it from being executed.
NC State assistant professor of computer science and co-author of a paper on the work, Will Enck, said anomaly detection isn’t new, and it has a problematic history of reporting a lot of false positives.
"What sets our approach apart is that we are focusing solely on C code, which is what most – if not all – Android root exploits are written in," Enck said.
The researchers are planning to work with app vendors like Google Play to set up a database of normal app behavior.
NC State associate professor of computer science and co-author of the paper Helen Gu said they have already implemented the PREC system and tested it on real Android devices.
"We are now looking for industry partners to deploy PREC, so that we can protect Android users from root exploits," Gu said.
