Thesis

The threat of screenshot-taking malware: analysis, detection and prevention

Abstract:

Among the various types of spyware, screenloggers are distinguished by their ability to capture screenshots. This gives them considerable capacity for harm, enabling theft of sensitive data or, failing that, serious invasions of users' privacy. Several examples of attacks relying on this screen capture feature have been documented in recent years.

On desktop environments, screenshot APIs are widely used by legitimate applications that provide screen sharing, screen casting, remote control, employee control, and parental control. This makes malicious use of the screenshot functionality particularly stealthy. Existing malware detection approaches are not adapted to screenlogger detection due to the composition of their datasets and the way samples are executed.

Moreover, the available countermeasures either suffer from a lack of usability that prevents their large-scale use or have limited effectiveness.

In this thesis, I propose a defence-in-depth approach combining prevention and detection against screenshot-taking spyware. This approach was developed after an extensive analysis of this spyware category.

Our detection model achieves an accuracy of 97.4% versus 94.3% for a standard state-of-the-art detection model. This model was trained and tested on the first complete and representative dataset dedicated to malicious and legitimate screenshot-taking applications.

Our prevention mechanism is based on the retinal persistence property of the human visual system. Its usability was tested with a panel of 119 users.

Authors


Division:
MPLS
Department:
Computer Science
Role:
Author

Contributors

Role:
Supervisor
Role:
Supervisor
Role:
Examiner
Role:
Examiner


Type of award:
DPhil
Level of award:
Doctoral
Awarding institution:
University of Oxford
