Identification of Android Malware Families with Model Checking

Android malware is growing steadily in complexity. Current signature-based anti-malware mechanisms cannot detect zero-day attacks, and even trivial code transformations may evade detection. Malware writers usually add functionality to existing malware or merge different pieces of malware code; this is why Android malware is grouped into families, i.e., the members of a family share the same malicious behavior. In this paper we present a model-checking-based approach to detecting Android malware families by analysing and verifying the Java Bytecode produced when the source code is compiled. A preliminary investigation has also been conducted to assess the validity of the proposed approach.
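To make the abstract's idea concrete, the following is an added illustration, not code from the paper: it lifts a constructed, bytecode-like instruction stream into a labelled transition system (one state per program point, with context-insensitive call and return edges) and checks a family "signature" written as a temporal formula with a tiny explicit-state model checker. The CTL fragment, the tuple syntax for formulas, the two family signatures, the entry-method name `onCreate` and the API names such as `readContacts` and `sendSms` are all assumptions made for this example; the paper's actual bytecode lifting, logic and formulas are not reproduced here.

```python
from typing import Dict, List, Set, Tuple

# Constructed stand-in for a method's Java Bytecode: (opcode class, argument).
# A real pipeline would produce this from a disassembler; that step is not shown.
Instr = Tuple[str, str]
App = Dict[str, List[Instr]]
State = Tuple[str, int]  # (method name, instruction index)


def build_lts(app: App):
    """Build a labelled transition system from an app's methods.

    Edges: fall-through to the next instruction, invoke -> callee entry, and
    callee 'return' -> instruction after *every* call site (a context-insensitive
    over-approximation, which is sound for the EF-style properties below)."""
    labels: Dict[State, Set[str]] = {}
    succ: Dict[State, List[State]] = {}
    for m, instrs in app.items():
        for i, (op, arg) in enumerate(instrs):
            labels[(m, i)] = {op, f"{op}:{arg}"} if arg else {op}
            succ[(m, i)] = [(m, i + 1)] if i + 1 < len(instrs) else []
    for m, instrs in app.items():
        for i, (op, arg) in enumerate(instrs):
            if op == "invoke" and arg in app:          # intra-app call
                succ[(m, i)].append((arg, 0))
                for j, (cop, _) in enumerate(app[arg]):
                    if cop == "return" and i + 1 < len(instrs):
                        succ[(arg, j)].append((m, i + 1))
    return labels, succ


def sat(f, labels, succ) -> Set[State]:
    """Set of states satisfying a CTL-fragment formula given as nested tuples:
    ("ap", p), ("not", f), ("and", f, g), ("EX", f), ("EF", f), ("AG", f)."""
    kind, all_states = f[0], set(labels)
    if kind == "ap":
        return {s for s, l in labels.items() if f[1] in l}
    if kind == "not":
        return all_states - sat(f[1], labels, succ)
    if kind == "and":
        return sat(f[1], labels, succ) & sat(f[2], labels, succ)
    if kind == "EX":
        t = sat(f[1], labels, succ)
        return {s for s in all_states if any(n in t for n in succ[s])}
    if kind == "EF":  # least fixpoint of  f  or  EX(EF f)
        t = sat(f[1], labels, succ)
        while True:
            grown = t | {s for s in all_states if any(n in t for n in succ[s])}
            if grown == t:
                return t
            t = grown
    if kind == "AG":  # AG f == not EF not f
        return all_states - sat(("EF", ("not", f[1])), labels, succ)
    raise ValueError(f"unknown operator {kind}")


def holds(app: App, formula, entry: str = "onCreate") -> bool:
    """True if the formula holds at the first instruction of the entry method."""
    labels, succ = build_lts(app)
    return (entry, 0) in sat(formula, labels, succ)


# Constructed, illustrative family signatures (assumption: not the paper's formulas).
FAMILY_SIGNATURES = {
    # "reads contacts and can later reach an SMS send"
    "contacts-exfil": ("EF", ("and", ("ap", "invoke:readContacts"),
                              ("EF", ("ap", "invoke:sendSms")))),
    "silent-install": ("EF", ("ap", "invoke:installPackage")),
}


def classify(app: App, signatures=FAMILY_SIGNATURES, entry: str = "onCreate") -> List[str]:
    """Names of every family whose signature formula holds for the app."""
    return sorted(name for name, f in signatures.items() if holds(app, f, entry))


# Constructed samples. The obfuscated variant renames the helper method and pads
# it with no-ops; the behavioural formula is unaffected, unlike a byte signature.
SAMPLE_MALICIOUS: App = {
    "onCreate": [("invoke", "readContacts"), ("invoke", "leak"), ("return", "")],
    "leak": [("const-string", "premium-number"), ("invoke", "sendSms"), ("return", "")],
}
SAMPLE_OBFUSCATED: App = {
    "onCreate": [("nop", ""), ("invoke", "readContacts"), ("invoke", "a"), ("return", "")],
    "a": [("nop", ""), ("nop", ""), ("const-string", "x"), ("invoke", "sendSms"), ("return", "")],
}
SAMPLE_BENIGN: App = {
    "onCreate": [("invoke", "readContacts"), ("invoke", "show"), ("return", "")],
    "show": [("invoke", "renderList"), ("return", "")],
}

if __name__ == "__main__":
    for name, app in [("malicious", SAMPLE_MALICIOUS), ("obfuscated", SAMPLE_OBFUSCATED),
                      ("benign", SAMPLE_BENIGN)]:
        print(name, "->", classify(app))
```

The point of the example is the property the abstract argues for: because the family signature is a statement about reachable behaviour (reads contacts, then can reach an SMS send) rather than about concrete byte patterns, renaming a method or inserting dead instructions does not change the verdict, whereas the benign sample, which reads contacts but never reaches a send, is not matched. A real implementation would need a pushdown or context-sensitive abstraction to avoid the spurious return edges this toy version accepts.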
