Android Malware Clustering through Malicious Payload Mining

Clustering has been well studied for desktop malware analysis as an effective triage method. Conventional similarity-based clustering techniques, however, cannot be immediately applied to Android malware analysis due to the excessive use of third-party libraries in Android application development and the widespread use of repackaging in malware development. We design and implement an Android malware clustering system through iterative mining of malicious payload and checking whether malware samples share the same version of malicious payload. Our system utilizes a hierarchical clustering technique and an efficient bit-vector format to represent Android apps. Experimental results demonstrate that our clustering approach achieves precision of 0.90 and recall of 0.75 for Android Genome malware dataset, and average precision of 0.98 and recall of 0.96 with respect to manually verified ground-truth.Comment: Proceedings of the 20th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2017

Exploring the Usage of Topic Modeling for Android Malware Static Analysis

The rapid growth in smartphone and tablet usage over the last years has led to the inevitable rise in targeting of these devices by cyber-criminals. The exponential growth of Android devices, and the buoyant and largely unregulated Android app market, produced a sharp rise in malware targeting that platform. Furthermore, malware writers have been developing detection-evasion techniques which rapidly make anti-malware technologies ineffective. It is hence advisable that security expert are provided with tools which can aid them in the analysis of existing and new Android malware. In this paper, we explore the use of topic modeling as a technique which can assist experts to analyse malware applications in order to discover their characteristic. We apply Latend Dirichlet Allocation (LDA) to mobile applications represented as opcode sequences, hence considering a topic as a discrete distribution of opcode. Our experiments on a dataset of 900 malware applications of different families show that the information provided by topic modeling may help in better understanding malware characteristics and similarities

Host-based detection and analysis of Android malware: implication for privilege exploitation

The Rapid expansion of mobile Operating Systems has created a proportional development in Android malware infection targeting Android which is the most widely used mobile OS. factors such Android open source platform, low-cost influence the interest of malware writers targeting this mobile OS. Though there are a lot of anti-virus programs for malware detection designed with varying degrees of signatures for this purpose, many don’t give analysis of what the malware does. Some anti-virus engines give clearance during installations of repackaged malicious applications without detection. This paper collected 28 Android malware family samples with a total of 163 sample dataset. A general analysis of the entire sample dataset was created given credence to their individual family samples and year discovered. A general detection and classification of the Android malware corpus was performed using K-means clustering algorithm. Detection rules were written with five major functions for automatic scanning, signature enablement, quarantine and reporting the scan results. The LMD was able to scan a file size of 2048mb and report accurately whether the file is benign or malicious. The K-means clustering algorithm used was set to 5 iteration training phases and was able to classify accurately the malware corpus into benign and malicious files. The obtained result shows that some Android families exploit potential privileges on mobile devices. Information leakage from the victim’s device without consent and payload deposits are some of the results obtained. The result calls proactive measures rather than proactive in tackling malware infection on Android based mobile devices

pDroid

When an end user attempts to download an app on the Google Play Store they receive two related items that can be used to assess the potential threats of an application, the list of permissions used by the application and the textual description of the application. However, this raises several concerns. First, applications tend to use more permissions than they need and end users are not tech-savvy enough to fully understand the security risks. Therefore, it is challenging to assess the threats of an application fully by only seeing the permissions. On the other hand, most textual descriptions do not clearly define why they need a particular permission. These two issues conjoined make it difficult for end users to accurately assess the security threats of an application. This has lead to a demand for a framework that can accurately determine if a textual description adequately describes the actual behavior of an application. In this Master Thesis, we present pDroid (short for privateDroid), a market-independent framework that can compare an Android application’s textual description to its internal behavior. We evaluated pDroid using 1562 benign apps and 243 malware samples, and pDroid correctly classified 91.4% of malware with a false positive rate of 4.9%