Fingerprinting Android packaging: Generating DNAs for malware detection

Android's market has grown explosively over the last few years. This blazing growth has, unfortunately, opened the door to thousands of malicious applications targeting Android devices every day. Moreover, with the increasing sophistication of today's malware, traditional cryptographic hashing (where a single changed byte yields an unrelated digest) is ineffective for fingerprinting polymorphic malicious applications. Inspired by fuzzy hashing techniques, we propose, in this paper, a novel and comprehensive fingerprinting approach for Android packages (APKs). The proposed fingerprint captures not only the binary features of the APK file but also the underlying structure of the app. Furthermore, we leverage this fingerprinting technique to build ROAR, an automatic system for Android malware detection and family attribution. Our experiments show that the proposed fingerprint and the ROAR system achieve a precision of 95%.
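The following is an added illustration of the idea behind the abstract, not the ROAR fingerprint itself (whose exact construction is not given on this page). It builds constructed in-memory APKs (zip archives with a manifest, a classes.dex stand-in and resources), shows that SHA-256 treats a lightly mutated variant as a completely different file, and then computes a similarity-preserving fingerprint that combines a binary feature set (hashed byte n-grams, in the spirit of feature hashing) with a structural feature set (archive entry names and size buckets). The n-gram length, bucket count, the 0.7/0.3 weighting and all sample contents are assumptions chosen for the example.

```python
"""Toy similarity-preserving APK fingerprint (added example, not ROAR's algorithm)."""
import hashlib
import io
import math
import random
import zipfile

NGRAM = 4           # byte n-gram length for the binary feature set (assumed)
BUCKETS = 1 << 16   # feature-hashing space for n-grams (assumed)
W_BINARY = 0.7      # weight of binary vs. structural similarity (assumed)


def build_apk(entries):
    """Construct a deterministic in-memory APK (a zip) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(entries.items()):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def exact_hash(apk_bytes):
    """Traditional fingerprint: any byte change gives an unrelated digest."""
    return hashlib.sha256(apk_bytes).hexdigest()


def binary_features(data):
    """Hash every byte n-gram into a bucket. A local edit only disturbs the
    n-grams overlapping it, so the bucket set changes only locally."""
    feats = set()
    for i in range(len(data) - NGRAM + 1):
        h = hashlib.blake2b(data[i:i + NGRAM], digest_size=4).digest()
        feats.add(int.from_bytes(h, "big") % BUCKETS)
    return feats


def structural_features(zf):
    """Structure of the package: entry names paired with a log2 size bucket."""
    return {(info.filename, int(math.log2(info.file_size + 1)))
            for info in zf.infolist()}


def fingerprint(apk_bytes):
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        binary = set()
        for info in zf.infolist():
            binary |= binary_features(zf.read(info))
        return {"binary": binary, "structure": structural_features(zf)}


def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(fp_a, fp_b):
    """Weighted Jaccard similarity of the two feature sets, in [0, 1]."""
    return (W_BINARY * jaccard(fp_a["binary"], fp_b["binary"])
            + (1 - W_BINARY) * jaccard(fp_a["structure"], fp_b["structure"]))


def _rand_bytes(seed, n):
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# --- constructed sample packages (not real apps) ---
_DEX = b"dex\n035\x00" + _rand_bytes(1, 2000)
ORIGINAL = build_apk({
    "AndroidManifest.xml": b"<manifest package=\"com.example.app\"/>" + _rand_bytes(3, 260),
    "classes.dex": _DEX,
    "res/layout/main.xml": _rand_bytes(4, 120),
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
})

# "Polymorphic" variant: 8 bytes flipped inside the dex plus one extra asset.
_mutated = bytearray(_DEX)
for _i in range(1000, 1008):
    _mutated[_i] ^= 0xFF
VARIANT = build_apk({
    "AndroidManifest.xml": b"<manifest package=\"com.example.app\"/>" + _rand_bytes(3, 260),
    "classes.dex": bytes(_mutated),
    "res/layout/main.xml": _rand_bytes(4, 120),
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "assets/extra.txt": b"padding added by the repackager " * 2,
})

# Unrelated package with different code and resources.
UNRELATED = build_apk({
    "AndroidManifest.xml": b"<manifest package=\"org.other.tool\"/>" + _rand_bytes(5, 900),
    "classes.dex": b"dex\n035\x00" + _rand_bytes(6, 6000),
    "res/drawable/icon.png": _rand_bytes(7, 700),
})


def compare(apk_a, apk_b):
    """Return (same_sha256, fuzzy_similarity) for two packages."""
    same = exact_hash(apk_a) == exact_hash(apk_b)
    return same, similarity(fingerprint(apk_a), fingerprint(apk_b))


if __name__ == "__main__":
    for label, other in (("variant", VARIANT), ("unrelated", UNRELATED)):
        same, sim = compare(ORIGINAL, other)
        print(f"{label}: sha256 equal={same}, fuzzy similarity={sim:.3f}")
```

Run as a script it prints that the variant has a different SHA-256 yet a fuzzy similarity well above 0.85, while the unrelated package scores near zero; in a real pipeline the fuzzy score would feed a threshold or clustering step for family attribution, and the feature extraction would parse the dex and manifest rather than treat entries as opaque bytes.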
