ANTSdroid: Automatic malware family behaviour generation and analysis for Android apps
Journal
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Journal Volume
10946 LNCS
Pages
796-804
Date Issued
2018
Author(s)
Abstract
Malware developers often use various obfuscation techniques to generate polymorphic and metamorphic versions of malwares. Keeping up with new variants and creating signatures for each individuals in a timely fashion has been an important problem but tedious works that anti-virus companies face all the time. It motivates us the idea of no more dancing with variants. In this paper, we aim to find a malware family’s main characteristic operations directly related to its intent. We propose global execution sequence alignment and segmentation algorithms to generate the execution stage chart of a malware family which presents a simple and easy-to-understand overview of the lifecycle as well as common and different operations that individual variants perform at a stage. We also present an automated dynamic Android malware profiling and family security analysis system in which we focus on the execution sequences of sensitive and permission-related API calls referred to as motifs of variants of malware family. To achieve the goal, we modify Android Debug Bridge (ADB) tool to add on several new features including enabling the recording of parameters and return value of an API call, the support of UID-based profiling to capture all the processes and threads to gain complete understanding of the activities of target malware app, and per thread trace generation. Finally, we use real-world dataset to validate the proposed system and methods. The generated family stage chart and motifs can provide security analysts semantics-rich understanding of what and how a malware family is designed and implemented. The main characteristic API call sequences of malware families can be used as signatures for effective and efficient malware detection in the future. © Springer International Publishing AG, part of Springer Nature 2018.
Subjects
Android malware family behaviour analysis; Android security; Dynamic analysis; Execution sequence alignment and segmentation
SDGs
Other Subjects
Android (operating system); Computer crime; Dynamic analysis; Malware; Network security; Program debugging; Semantics; Viruses; Android securities; Behaviour analysis; Execution sequences; Malware detection; Malware families; Metamorphic versions; Security analysis; Trace generation; Mobile security
Type
conference paper