Towards fast and scalable detection of attack clones in Android applications

The mobile operating system Android gains popularity among smartphone users as they gradually integrate their lifestyle with apps that provide services for their convenience which includes entering sensitive information such as bank account numbers, credit card numbers, and passwords into the apps. As such, Android is also gaining popularity in becoming the target for malicious attacks to steal such information. Despite studies and researches on methods to increase detection of malware components in suspected apps, malware are evolving and becoming more elusive to such methods. The purpose of this project is to look at existing techniques which summarize and identify malware apps with accuracy and scalability. We will also be looking at Software Architecture Recovery techniques used to accurately identify and decouple modules in a mobile application. By decoupling the modules in the app, the components can be differentiated into ad libraries and malware parts of the app. An approach which integrates existing techniques to build a system is proposed in this project. The existing techniques include generating centroids, which are representatives of methods in a class program, and using Application Similarity Degree to compare the degree of similarity between two apps. There is also Module Decoupling which decouples an app into clusters of modules which are highly similar. Soot, a third party library which provides intermediate representation of Java class files in Jimple and has the capability to perform static program analysis on programs, is used extensively in implementing the existing techniques discussed. After evaluating the system with valid tests from six different malware families and dataset of 212 ad libraries and 2468 variants of malware, the system was able to accurately identify most of the malware and ad library components from within the test apps. There were some errors which indicates that the system requires some fine-tuning such as the means of calculating the self-similarity for Affinity Propagation clustering.Bachelor of Engineering (Computer Science