Detecting and classifying method based on similarity matching of Android malware behavior with profile

Jae-wook Jang, Jaesung Yun, Aziz Mohaisen, Jiyoung Woo, Huy Kang Kim
2016 SpringerPlus  
The explosive growth in the number of mobile devices running the Android platform has attracted the attention of hackers because of the wealth of sensitive information that is usually stored on mobile devices, including phone numbers, short messages, confidential emails and correspondence, and banking information and credentials. The availability of this information on many mass-market mobile devices makes them a desirable target for hackers, who excel at developing a large volume of mobile malicious software (malware), making the security of mobile devices one of the most important and challenging areas of research. For example, according to a report by McAfee, the total number of mobile malware samples continued its linear climb as it broke 8 million in the second quarter of 2015, an increase of 17 % over the first quarter of the same year (McAfee

Abstract

Mass-market mobile security threats have increased recently due to the growth of mobile technologies and the popularity of mobile devices. Accordingly, techniques have been introduced for identifying, classifying, and defending against mobile threats using static, dynamic, on-device, and off-device analysis. Static techniques are easy to evade, while dynamic techniques are expensive. On-device techniques can be evaded, while off-device techniques require the device to be always online. To address some of these shortcomings, we introduce Andro-profiler, a hybrid behavior-based analysis and classification system for mobile malware. Andro-profiler's main goals are efficiency, scalability, and accuracy. To achieve them, Andro-profiler classifies malware by exploiting behavior profiles extracted from integrated system logs, including system calls. Andro-profiler executes a malicious application on an emulator to generate the integrated system logs, and creates human-readable behavior profiles by analyzing those logs. By comparing the behavior profile of a malicious application with the representative behavior profile of each malware family using a weighted similarity matching technique, Andro-profiler detects the application and classifies it into a malware family. The experimental results demonstrate that Andro-profiler is scalable, detects and classifies malware with accuracy greater than 98 %, outperforms existing state-of-the-art work, and is capable of identifying 0-day mobile malware samples.
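The pipeline the abstract describes (raw system-call log from an emulator run, reduced to a human-readable behavior profile, then matched against per-family representative profiles with a weighted similarity) can be made concrete with a small worked example. The code below is an illustration added here, not Andro-profiler's own code or data: the strace-style log lines, the behavior feature names (read_contacts, net_send, ...), the per-feature weights, the weighted cosine as the similarity measure, the three representative profiles and the 0.6 threshold are all assumptions made for the example. The one design point worth noticing is the threshold: a sample whose best match is still weak is reported as unknown instead of being forced into the nearest family, which is the hook a practitioner needs for flagging candidate new families or 0-day samples for manual review.

```python
"""Added illustration of weighted similarity matching of behavior profiles.
Feature names, weights, family profiles and log lines are all constructed
for this example; none of it is Andro-profiler's own code or data."""
import math
import re
from collections import Counter

# Constructed, strace-style syscall lines standing in for the integrated
# system log of one emulator run. Paths, payloads and addresses are made up.
SAMPLE_LOG = """\
open("/data/data/com.example.app/databases/contacts.db", O_RDONLY) = 3
read(3, "payload", 4096) = 4096
sendto(5, "payload", 512, 0, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("203.0.113.5")}, 16) = 512
open("/data/data/com.example.app/shared_prefs/sms.xml", O_RDONLY) = 6
sendto(5, "payload", 256, 0, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("203.0.113.5")}, 16) = 256
write(7, "payload", 128) = 128
"""

# name(args) = retval, the shape strace prints for a completed call
SYSCALL_RE = re.compile(r"^(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)")


def log_to_profile(log: str) -> Counter:
    """Collapse raw syscall lines into a human-readable behavior profile:
    a count per (hypothetical) behavior name such as read_contacts."""
    profile: Counter = Counter()
    for line in log.splitlines():
        m = SYSCALL_RE.match(line)
        if not m:
            continue  # unparsed or interrupted lines are ignored
        name, args = m.group("name"), m.group("args")
        if name == "open":
            path = args.split('"')[1]  # first quoted argument is the path
            if "contacts" in path:
                profile["read_contacts"] += 1
            elif "sms" in path:
                profile["read_sms"] += 1
            else:
                profile["file_open"] += 1
        elif name == "sendto" and "AF_INET" in args:
            profile["net_send"] += 1
        elif name in ("read", "write"):
            profile["file_io"] += 1
    return profile


# Assumed per-behavior weights: privacy-sensitive actions dominate the
# comparison, generic file I/O barely moves it.
WEIGHTS = {"read_contacts": 3.0, "read_sms": 3.0, "net_send": 2.0,
           "file_open": 0.5, "file_io": 0.2}


def weight(k: str) -> float:
    return WEIGHTS.get(k, 1.0)  # unlisted behaviors get a neutral weight


def weighted_cosine(p, q) -> float:
    """Cosine similarity where each behavior dimension is scaled by its weight.
    Missing behaviors count as zero, so plain dicts and Counters both work."""
    keys = set(p) | set(q)
    dot = sum(weight(k) * p.get(k, 0) * q.get(k, 0) for k in keys)
    norm_p = math.sqrt(sum(weight(k) * p.get(k, 0) ** 2 for k in keys))
    norm_q = math.sqrt(sum(weight(k) * q.get(k, 0) ** 2 for k in keys))
    return dot / (norm_p * norm_q) if norm_p and norm_q else 0.0


# Constructed representative profiles: one per family plus a benign baseline.
FAMILY_PROFILES = {
    "InfoStealer": Counter({"read_contacts": 2, "read_sms": 1, "net_send": 3, "file_io": 2}),
    "Adware": Counter({"net_send": 4, "file_open": 3, "file_io": 3}),
    "Benign": Counter({"file_open": 5, "file_io": 8}),
}


def classify(profile, families=FAMILY_PROFILES, threshold: float = 0.6):
    """Return (label, scores). A best match below the threshold is reported
    as 'unknown' rather than forced into the nearest family."""
    scores = {fam: weighted_cosine(profile, rep) for fam, rep in families.items()}
    best = max(scores, key=scores.get)
    return (best if scores[best] >= threshold else "unknown"), scores


if __name__ == "__main__":
    prof = log_to_profile(SAMPLE_LOG)
    print(dict(prof))
    print(classify(prof))
```

With the constructed log the profile comes out as one contacts read, one SMS read, two network sends and two generic I/O calls; it scores about 0.97 against the InfoStealer representative, lower against Adware, and well under 0.2 against the benign baseline. A profile dominated by a behavior that no representative features strongly (for instance only SMS reads) falls below the threshold everywhere and is returned as unknown.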
doi:10.1186/s40064-016-1861-x pmid:27006882 pmcid:PMC4777979 fatcat:kqnzpvpzdreubbvpucfaflraou