Screening smartphone applications using malware family signatures

The sharp increase in smartphone malware has become one of the most serious security problems. Since the Android platform has taken the dominant position in smartphone popularity, the number of Android malware has grown correspondingly and represents critical threat to the smartphone users. This rise in malware is primarily attributable to the occurrence of variants of existing malware. A set of variants stem from one malware can be considered as one malware family, and malware families cover more than half of the Android malware population. A conventional technique for defeating malware is the use of signature matching which is efficient from a time perspective but not very practical because of its lack of robustness against the malware variants. As a counter approach for handling the issue of variants behavior analysis techniques have been proposed but require extensive time and resources. In this paper, we propose an Android malware detection mechanism that uses automated family signature extraction and family signature matching. Key concept of the mechanism is to extract a set of family representative binary patterns from evaluated family members as a signature and to classify each set of variants into a malware family via an estimation of similarity to the signatures. The proposed family signature and detection mechanism offers more flexible variant detection than does the legacy signature matching, which is strictly dependent on the presence of a specific string. Furthermore, compared with the previous behavior analysis techniques considering family detection, the proposed family signature has higher detection accuracy without the need for the significant overhead of data and control flow analysis. Using the proposed signature, we can detect new variants of known malware efficiently and accurately by static matching. We evaluated our mechanism with 5846 real world Android malware samples belonging to 48 families collected in April 2014 at an anti-virus company; experimental results showed that; our mechanism achieved greater than 97% accuracy in detection of variants. We also demonstrated that the mechanism has a linear time complexity with the number of target applications.

[1]  Hao Chen,et al.  AnDarwin: Scalable Detection of Semantically Similar Android Applications , 2013, ESORICS.

[2]  Patrick D. McDaniel,et al.  On lightweight mobile phone application certification , 2009, CCS.

[3]  Jiawei Zhu,et al.  Permission-Based Abnormal Application Detection for Android , 2012, ICICS.

[4]  Igor Santos,et al.  MADS: Malicious Android Applications Detection through String Analysis , 2013, NSS.

[5]  Byung-Gon Chun,et al.  Vision: automated security validation of mobile apps at app markets , 2011, MCS '11.

[6]  Konrad Rieck,et al.  Structural detection of android malware using embedded call graphs , 2013, AISec.

[7]  Xuxian Jiang,et al.  DroidChameleon: evaluating Android anti-malware against transformation attacks , 2013, ASIA CCS '13.

[8]  Arun Lakhotia,et al.  DroidLegacy: Automated Familial Classification of Android Malware , 2014, PPREW'14.

[9]  Heejo Lee,et al.  Detecting metamorphic malwares using code graphs , 2010, SAC '10.

[10]  Igor Santos,et al.  Instance-based anomaly method for Android malware detection , 2013, 2013 International Conference on Security and Cryptography (SECRYPT).

[11]  Heejo Lee,et al.  Screening Smartphone Applications Using Behavioral Signatures , 2013, SEC.

[12]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[13]  Vijay Laxmi,et al.  AndroSimilar: robust statistical feature signature for Android malware detection , 2013, SIN.

[14]  Heng Yin,et al.  DroidAPIMiner: Mining API-Level Features for Robust Malware Detection in Android , 2013, SecureComm.

[15]  John C. S. Lui,et al.  Droid Analytics: A Signature Based Analytic System to Collect, Extract, Analyze and Associate Android Malware , 2013, 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications.

[16]  Heejo Lee,et al.  BinGraph: Discovering mutant malware using hierarchical semantic signatures , 2012, 2012 7th International Conference on Malicious and Unwanted Software.

[17]  Heng Yin,et al.  DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis , 2012, USENIX Security Symposium.

[18]  Juan E. Tapiador,et al.  Dendroid: A text mining approach to analyzing and classifying code structures in Android malware families , 2014, Expert Syst. Appl..

[19]  Vijay Laxmi,et al.  DroidOLytics: Robust Feature Signature for Repackaged Android Apps on Official and Third Party Android Markets , 2013, 2013 2nd International Conference on Advanced Computing, Networking and Security.

[20]  Igor Santos,et al.  Anomaly Detection Using String Analysis for Android Malware Detection , 2013, SOCO-CISIS-ICEUTE.