proposed to detect Android applications’ sensitive
behaviors. For example, TaintDroid, presented by Enck et
al. [17], can detect privacy leaks by using a dynamic
taint-tracing method. However, it uses a passive detection
method, which needs to know the conditions that trigger
privacy-leaking behaviors in advance. With the trigger
conditions, the analyzer can then interact with
applications manually to trigger and confirm their
privacy-leaking behaviors. Consider a sample that leaks the
IMEI only after the user clicks a particular button on the
screen: TaintDroid cannot detect this behavior unless the
analyzer clicks the right UI button manually. Thus, the
detection ability of TaintDroid is highly limited when
facing malware samples that need UI-based trigger
conditions. Hu et al. [23] proposed a method that feeds
random events to the application. However, given the huge
randomization space, it is very difficult to detect the
sensitive behaviors efficiently. Gilbert et al. [22] tested
a variety of categories of applications by generating
random user events for 30 minutes. However, this can only
achieve 40% or less code coverage in all cases.
In this paper, we are motivated to develop an automatic
method to reveal UI-based trigger conditions of sensitive
behaviors in Android applications. With the trigger
conditions provided by our method, dynamic analysis tools,
such as TaintDroid, will be able to automatically detect
these sensitive behaviors. To reveal UI-based trigger
conditions, we present a system called SmartDroid, which
combines static analysis and dynamic analysis techniques.
In the Android system, an Activity is the whole screen,
including buttons, text boxes, and other UI elements with
which the user can interact. Therefore, the main idea is
that we use static analysis to discover the expected
Activity switch paths that can lead to sensitive behaviors;
then, for each path, we apply dynamic analysis to force the
application to run along the path until sensitive behaviors
are triggered. In the dynamic analysis, SmartDroid tries to
interact with every UI element automatically in each
Activity by traversing the view tree of the current
Activity in the modified Android system. If the current
Activity can jump to the next Activity in the Activity
switch path, the current UI element is our expected element
and is saved. When we traverse the UI elements in the last
Activity, the sensitive behaviors are finally triggered.
The sequence of all saved UI elements, including the
coordinate and UI event type, is then the trigger
condition.
We have implemented the SmartDroid system and evaluated
it using several existing Android malware samples with
sensitive behaviors. The results show that SmartDroid is
very effective in revealing UI-based trigger conditions
automatically.
Contributions. Our solution makes the following
contributions:
• For the first time, we propose a novel method that
combines static analysis and dynamic analysis to reveal
UI-based trigger conditions. The key idea is to use
dynamic analysis to force the execution along the
suspicious path obtained from static analysis.
• Our method can augment existing dynamic analysis tools
with automatic UI interaction analysis capabilities. This
is a great complement to current techniques and tools.
• We implement the SmartDroid system and have detected
several real-world, complicated Android malware samples
in the wild, which otherwise cannot be detected by
existing tools such as TaintDroid.
Organization. Section 2 gives the intuition and overview
of our work. Section 3 describes our system design.
Section 4 presents the implementation of our system.
Section 5 shows the evaluation of our system and some case
studies. Section 6 discusses the limitations of our
solution and suggests possible improvements. Finally, we
describe related work in Section 7 and summarize our
conclusions in Section 8.
2. INTUITION AND OVERVIEW
In this section, we present an example (Section 2.1) to
better demonstrate the complex UI-based trigger mechanism
of sensitive behaviors. After that, we briefly introduce
our solution (Section 2.2) to reveal the UI-based trigger
conditions.
2.1 Example: The Horoscope App
The Horoscope App [7] in this example is intended to show
your daily and monthly horoscopes. It connects to the
Internet and sends the IMEI out of your device after you
click certain buttons. We consider both reading the IMEI
and accessing the Internet to be sensitive behaviors,
because the IMEI is the only ID of smartphone devices and
accessing the Internet may leak private information.
When this Horoscope App is started, the Android system
creates an instance of the app’s main Activity (an
“Activity” provides user interfaces) depicted in
Figure 1(a), which pauses for 3 seconds and then starts
another Activity, shown in Figure 1(b), using an Intent (an
Activity is started with an Intent in the Android system).
There are two buttons for logging into Facebook and Twitter
respectively and another button for setting your date of
birth. Twelve icons represent twelve constellations on the
screen. After you click one of the twelve icons, it
displays the Activity shown in Figure 1(c), which has two
buttons for getting the daily and monthly horoscope
respectively. Once you click either of them, it switches to
the Activity shown in Figure 1(d). In the last Activity, it
reads and sends out the device’s IMEI by using the
sensitive APIs
“android.telephony.TelephonyManager.getDeviceId()” and
“org.apache.http.client.HttpClient.execute()” respectively.
If we were to use a dynamic analysis tool, such as
TaintDroid, to test this sample, nothing would be detected
unless the analyzer understands how to click the correct
buttons manually. The method of feeding random events to
the tool is also very weak on this sample. In particular,
when one random UI event clicks the wrong area, the run
will no longer reach the target Activity unless the sample
is restarted to be analyzed again. For instance, when using
MonkeyRunner [9] to generate a click event that clicks the
advertisement bar shown in Figure 1(c), the browser will
pop up, so that subsequent UI events of MonkeyRunner will
be out of context and therefore ineffective.
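
As an added example (not code from the paper or from SmartDroid), the following Python simulation applies the static-then-dynamic idea from the introduction to the Horoscope flow of Section 2.1. The screen names, element names, coordinates and the `APP`, `AUTO` and `SENSITIVE` tables are constructed for illustration, and reaching the last Activity is treated as triggering the sensitive behavior.

```python
from collections import deque

# Constructed model of the Horoscope sample (Section 2.1). Each Activity lists
# (UI element, target screen) pairs; an element is (name, x, y, event type).
# All names and coordinates are invented for illustration.
APP = {
    "Splash": [],
    "Main": [(("facebook_btn", 60, 80, "click"), "Browser"),
             (("birthday_btn", 260, 80, "click"), "Main"),
             (("aries_icon", 40, 200, "click"), "Sign")],
    "Sign": [(("ad_bar", 160, 20, "click"), "Browser"),
             (("daily_btn", 100, 300, "click"), "Result"),
             (("monthly_btn", 220, 300, "click"), "Result")],
    "Result": [],
}
AUTO = {"Splash": "Main"}   # timer-driven switch after 3 s, no UI event
SENSITIVE = {"Result"}      # Activity that calls getDeviceId() and execute()


def activity_switch_path(entry):
    """Static step: shortest Activity path from entry to a sensitive Activity."""
    queue, seen = deque([[entry]]), {entry}
    while queue:
        path = queue.popleft()
        if path[-1] in SENSITIVE:
            return path
        targets = {t for _, t in APP[path[-1]]} | {AUTO.get(path[-1])}
        for nxt in sorted(t for t in targets if t in APP and t not in seen):
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def reveal_trigger(path):
    """Dynamic step: try each element, keep the one reaching the next Activity."""
    trigger, off_path = [], 0
    for current, expected in zip(path, path[1:]):
        if AUTO.get(current) == expected:
            continue                      # switch happens without user input
        for element, target in APP[current]:
            if target == expected:
                trigger.append(element)   # expected element: save it
                break
            if target != current:
                off_path += 1             # wrong screen (e.g. browser): undo
        else:
            return None, off_path         # path not reachable through the UI
    return trigger, off_path
```

The two off-path events counted for the full path are the Facebook button and the advertisement bar, the kind of click that leaves a random event generator out of context.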
2.2 Overview of our approach
Since the UI-based trigger conditions can be quite
complex, as described above, we seek to reveal them
automatically and precisely. Figure 2 shows a schematic diagram,
which includes the FCG (Function Call Graph) and the ACG