Saturday, September 16, 2017

Extracting system features on Android devices




I am trying to build a lightweight host-based intrusion detection system for Android devices. The project is based on the previously developed Andromaly framework for detecting malware on Android mobile devices. Unfortunately, the Andromaly project has been shut down for some time, for reasons that are unclear.

The main goal of the project is to create an application that will determine whether some other application is normal or malicious. In order to do so, my application will collect certain system features from the device and apply machine learning algorithms to create a model that will be able to properly classify new applications as normal or malicious. The features will be collected when both normal and malicious applications are running on the device.

The authors of the Andromaly framework noted that these six features differ the most between normal and malicious applications: Anonymous_Pages, Total_Entities, Battery_Temperature, Running_Processes, Mapped_Pages, Garbage_Collection. So, the first step in the project was to extract these features from an Android device.

The amount of memory used for anonymous pages can be easily obtained from the file /proc/meminfo which can be accessed on any Android device. Inside the file there is an entry named AnonPages, which contains the amount of memory used for anonymous pages expressed in kilobytes. In the same way one can get the amount of memory used for mapped pages which is stored in the Mapped entry.

The number of total entities on the system can be obtained from the file /proc/loadavg. In that file the first three numbers show the number of running tasks on the system averaged over the last 1, 5 and 15 minutes. The fourth entry, written as two numbers separated by a slash, shows the current number of runnable tasks and the total number of entities (tasks) in the system.
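The two /proc files above are plain text, so the parsing can be tested off the device. The class below is an added example written for this post (it is not part of the Anomaly Detector project); the class name ProcFeatures, the method names and the sample file contents in main() are all constructed for illustration. The parse methods take the file contents as a String, and collectFromDevice() reads the real files when run on a device or any Linux system.

```java
// Added example, not code from the original post: extract AnonPages and Mapped
// (in kB) from /proc/meminfo and the "runnable/total" field from /proc/loadavg.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ProcFeatures {

    /** Value in kB of a /proc/meminfo entry such as "AnonPages:   512884 kB"; -1 if absent. */
    public static long parseMeminfoKb(String meminfo, String key) {
        // (?m) anchors ^ at every line start; the entry name is followed by ':' and whitespace
        Pattern p = Pattern.compile("(?m)^" + Pattern.quote(key) + ":\\s+(\\d+)\\s*kB");
        Matcher m = p.matcher(meminfo);
        return m.find() ? Long.parseLong(m.group(1)) : -1L;
    }

    /** The fourth /proc/loadavg field "runnable/total", returned as {runnable, total}. */
    public static int[] parseLoadavgEntities(String loadavg) {
        String[] fields = loadavg.trim().split("\\s+");
        if (fields.length < 4 || !fields[3].contains("/")) {
            throw new IllegalArgumentException("unexpected /proc/loadavg format: " + loadavg);
        }
        String[] parts = fields[3].split("/");
        return new int[] { Integer.parseInt(parts[0]), Integer.parseInt(parts[1]) };
    }

    private static String readFile(String path) throws IOException {
        return new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.UTF_8);
    }

    /** Live read: {AnonPages kB, Mapped kB, runnable entities, total entities}. */
    public static long[] collectFromDevice() throws IOException {
        String meminfo = readFile("/proc/meminfo");
        int[] ent = parseLoadavgEntities(readFile("/proc/loadavg"));
        return new long[] {
            parseMeminfoKb(meminfo, "AnonPages"),
            parseMeminfoKb(meminfo, "Mapped"),
            ent[0],
            ent[1]
        };
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample contents in the layout the kernel uses (not captured from a device).
        String meminfo = "MemTotal:        1843400 kB\n"
                       + "MemFree:          102348 kB\n"
                       + "AnonPages:        512884 kB\n"
                       + "Mapped:           131072 kB\n";
        String loadavg = "2.15 1.80 1.62 3/987 14321\n";

        System.out.println("AnonPages kB: " + parseMeminfoKb(meminfo, "AnonPages"));
        System.out.println("Mapped kB:    " + parseMeminfoKb(meminfo, "Mapped"));
        int[] ent = parseLoadavgEntities(loadavg);
        System.out.println("runnable/total entities: " + ent[0] + "/" + ent[1]);

        // Pass --live to read the real files on the current system.
        if (args.length > 0 && args[0].equals("--live")) {
            System.out.println("live features: " + Arrays.toString(collectFromDevice()));
        }
    }
}
```

Anchoring the regex at the start of the line matters: a loose search for "Mapped" would also match other entries, and parsing by position is fragile because the set and order of /proc/meminfo entries differ between kernel versions.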

The current battery temperature can be accessed via the Android API. In order to get the battery temperature we need to listen for an intent (ACTION_BATTERY_CHANGED) by registering a receiver for it; when that intent is fired, the receiver is invoked and we can read the current battery temperature from it. This can be seen in the code below.

Code 1. Getting battery temperature from a device

The number of running application processes on a device can also be accessed with the Android API. First it is necessary to retrieve an ActivityManager instance, which holds the global system state. Once the ActivityManager is obtained, it can be used to return a list of all application processes currently on the system. The code can be seen below.


Code 2. Retrieving the number of running processes
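As an added example covering both the battery-temperature receiver and the ActivityManager process count (this is my illustration, not the post's Code 1 or Code 2 and not code from the Anomaly Detector project), the class below wraps the two Android API calls. The class name AndroidFeatures, the TemperatureListener interface and the method names are assumptions made for this example; BroadcastReceiver, ACTION_BATTERY_CHANGED, BatteryManager.EXTRA_TEMPERATURE and ActivityManager.getRunningAppProcesses() are the real Android APIs.

```java
// Added example, not code from the original post: read the battery temperature
// from the ACTION_BATTERY_CHANGED broadcast and count application processes
// through ActivityManager. Needs an Android Context (e.g. an Activity or Service).
import android.app.ActivityManager;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.BatteryManager;
import java.util.List;

public class AndroidFeatures {

    /** Callback for temperature samples, in degrees Celsius (hypothetical interface). */
    public interface TemperatureListener {
        void onTemperature(float celsius);
    }

    private final Context context;
    private BroadcastReceiver receiver;

    public AndroidFeatures(Context context) {
        this.context = context.getApplicationContext();
    }

    /** EXTRA_TEMPERATURE is reported in tenths of a degree Celsius; convert to degrees. */
    public static float temperatureFromIntent(Intent batteryIntent) {
        int tenths = batteryIntent.getIntExtra(BatteryManager.EXTRA_TEMPERATURE, Integer.MIN_VALUE);
        if (tenths == Integer.MIN_VALUE) {
            throw new IllegalStateException("ACTION_BATTERY_CHANGED intent carries no temperature");
        }
        return tenths / 10.0f;
    }

    /** One-shot read: the broadcast is sticky, so registering a null receiver returns the last intent. */
    public float readBatteryTemperature() {
        Intent sticky = context.registerReceiver(null, new IntentFilter(Intent.ACTION_BATTERY_CHANGED));
        if (sticky == null) {
            throw new IllegalStateException("no battery state available");
        }
        return temperatureFromIntent(sticky);
    }

    /** Continuous sampling: onReceive runs every time the battery state changes. */
    public void startTemperatureUpdates(final TemperatureListener listener) {
        receiver = new BroadcastReceiver() {
            @Override
            public void onReceive(Context ctx, Intent intent) {
                listener.onTemperature(temperatureFromIntent(intent));
            }
        };
        context.registerReceiver(receiver, new IntentFilter(Intent.ACTION_BATTERY_CHANGED));
    }

    /** Always unregister, otherwise the receiver leaks when the component is destroyed. */
    public void stopTemperatureUpdates() {
        if (receiver != null) {
            context.unregisterReceiver(receiver);
            receiver = null;
        }
    }

    /** Number of application processes visible to this app through ActivityManager. */
    public int countRunningProcesses() {
        ActivityManager am = (ActivityManager) context.getSystemService(Context.ACTIVITY_SERVICE);
        List<ActivityManager.RunningAppProcessInfo> procs = am.getRunningAppProcesses();
        // The list is null when no process information is available; report zero rather than crash.
        return procs == null ? 0 : procs.size();
    }
}
```

Two caveats for anyone reproducing the feature set. ACTION_BATTERY_CHANGED can only be received by a receiver registered at runtime, not one declared in the manifest. And since Android 5.1.1, getRunningAppProcesses() returns only the calling app's own processes to ordinary third-party apps, so on current devices this count is usually 1; the total-entities value from /proc/loadavg is the more useful system-wide measure unless the detector runs with system privileges.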

The last feature, Garbage_Collection, is a bit tricky, since I am not sure what the authors of Andromaly framework meant by it. One idea is that this feature was meant to show how often the Android garbage collector is called, but I was not able to get that information at this moment. The entire project is open source and under GNU General Public License version 3.

The code can be found on Github: Anomaly Detector

