Behavorial signatures

The main goal of the Kharon Project is to characterize Android malware by behavioral signatures

Such signatures represent how a malware impacts other objects of the operating system during an execution:

  • which files or processes have been created
  • with which processes the malware has exchanged information
  • towards which remote IP addresses the malware has sent data

These signatures are computed using AndroBlare an information flow monitor that observes information exchanges at the operating system level. The related research article has been published at the 8th International Conference on Networks and System Security (NSS 2014) and can be found here

These signatures are represented by graphs called System Flow Graphs (SFG), i.e. directed multi-graphs where nodes are files (rounded gray boxes), processes (green ellipses) or sockets (blue stars) and edges denotes information flows betweens these containers. The following graphs is the behavioral signature of the malware DroidKungFu2 (2011)


This signature has been computed by monitoring with AndroBlare a malicious execution of an application infected by DroidKungFu2. This signature tells us how the malware contaminates the operating system (creation of the files gjsvr, gjsvro, hotplug, legacy, creation of a process that executes the code contained in gjsvro and legacy, and installation of a new application unbeknownst to the user.

About Us