Behavior grouping of Android malware family

Malicious apps may install unwanted programs or gather sensitive information from mobile devices. We observe that Android apps intrinsically fork several threads to accomplish a complex task, and Android malware does the same, which makes it difficult for security experts to analyze a sample without knowing its structure. In this paper, we propose an analysis scheme that groups and analyzes Android malware based on its dynamic behaviors and identifies the behaviors of a malware family. In addition, we apply phylogenetic trees, significant principal components and dot matrices to different malware families to demonstrate their behavioral correlations. The proposed methods can automatically discover similar behaviors across different malware groups, extract the characteristics of each malware group, and provide visualized information based on runtime behaviors. We anticipate that the grouping result and the structure of a malware family are important and essential for further malware behavior analysis research.
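The dot-matrix comparison mentioned above, applied to runtime behavior traces, as an added example that is not code from the paper: two constructed API-call sequences (hypothetical, not taken from any real sample) are compared with a windowed dot plot, and the longest diagonal run is reported as the behavior segment the two traces share.

```python
from typing import List, Tuple

# Constructed sample traces (not from the paper): API call names as a
# dynamic-analysis sandbox might record them for two apps of one family.
TRACE_A = ["getDeviceId", "getSubscriberId", "openConnection", "write", "sendTextMessage", "read"]
TRACE_B = ["getLine1Number", "getDeviceId", "getSubscriberId", "openConnection", "write", "close"]


def dot_matrix(a: List[str], b: List[str], window: int = 1, threshold: int = 1) -> List[List[int]]:
    """M[i][j] == 1 when the `window` events starting at a[i] and b[j] agree in at
    least `threshold` positions (the Gibbs-style dot plot with a window filter,
    applied to event names instead of residues). window=1 is the plain match matrix."""
    n, m = len(a), len(b)
    M = [[0] * m for _ in range(n)]
    for i in range(n - window + 1):
        for j in range(m - window + 1):
            matches = sum(1 for k in range(window) if a[i + k] == b[j + k])
            if matches >= threshold:
                M[i][j] = 1
    return M


def longest_diagonal(M: List[List[int]]) -> Tuple[int, int, int]:
    """Longest run of 1s along any diagonal, i.e. the longest shared ordered
    behaviour segment. Returns (length, start_i, start_j); (0, -1, -1) if none."""
    n = len(M)
    m = len(M[0]) if n else 0
    best = (0, -1, -1)
    run = [[0] * m for _ in range(n)]       # run[i][j] = length of diagonal run ending at (i, j)
    for i in range(n):
        for j in range(m):
            if M[i][j]:
                run[i][j] = (run[i - 1][j - 1] if i and j else 0) + 1
                if run[i][j] > best[0]:
                    best = (run[i][j], i - run[i][j] + 1, j - run[i][j] + 1)
    return best


def shared_segment(a: List[str], b: List[str], window: int = 1, threshold: int = 1) -> List[str]:
    """Events of `a` covered by the longest diagonal; each dot stands for a window,
    so a run of L dots covers L + window - 1 events."""
    length, si, _ = longest_diagonal(dot_matrix(a, b, window, threshold))
    return a[si:si + length + window - 1] if length else []


def render(M: List[List[int]], a: List[str], b: List[str]) -> str:
    """Text rendering of the dot plot: rows are events of `a`, columns events of `b`."""
    width = max(len(x) for x in a)
    header = " " * (width + 1) + " ".join(y[0] for y in b)     # first letter of each column event
    rows = [x.rjust(width) + " " + " ".join("*" if v else "." for v in row) for x, row in zip(a, M)]
    return "\n".join([header] + rows)


if __name__ == "__main__":
    print(render(dot_matrix(TRACE_A, TRACE_B), TRACE_A, TRACE_B))
    print("shared:", shared_segment(TRACE_A, TRACE_B, window=3, threshold=3))
```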
