The authors present DroidAnalytics, an Android malware analytic system for malware collection, signature generation, information retrieval, and malware association based on similarity score. Furthermore, DroidAnalytics can efficiently detect zero-day repackaged malware.
- How to automatically collect and manage a high volume of mobile malware?
- How to analyze a zero-day suspicious application, and compare or associate it with existing malware families in the database?
- How to perform information retrieval so as to reveal malicious logic shared with existing malware, and to quickly identify the new malicious code segment?
- Android App Information (AIS) Parser: it is used to represent *.apk* information.
- Signature Generator: uses a three-level signature generation scheme to identify each application, based on the mobile application, its classes, and its methods. A method's signature is generated from its API call sequence; given the signatures of its methods, the signature of a class is composed from them; finally, the signature of an application is composed of the signatures of all its classes.
- Android API calls table: uses Java reflection to obtain the descriptions of all API calls.
- Disassembling process: takes the Dalvik opcodes of the *.dex* file and transforms them to methods and classes.
- Generate Lev3 signature: extracts the API call ID sequence of each method as a string, then hashes this string to produce the method's signature.
- Generate Lev2 signature: generates the Lev2 signature for each class from the Lev3 signatures of the methods within that class.
- Generate Lev1 signature: generates the Lev1 signature of the application from the Lev2 signatures of its classes.
> We conduct three experiments and show how analysts can study malware, carry out similarity measurement between applications, as well as perform class association among 150,368 mobile applications in the database.
DroidAnalytics's signature generation is based on the following observation: any functional application must invoke various Android API calls, and the Android API call sequence within a method is difficult to modify.
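The following is an added illustration of the Lev3/Lev2/Lev1 scheme and of the observation above; it is not DroidAnalytics code. The API-ID table, the two sample apps, the sorted composition of lower-level hashes, and the Jaccard overlap used as a similarity score are all our own assumptions.

```python
import hashlib

# Constructed API-call ID table (stand-in for the paper's reflection-built table).
API_IDS = {"Landroid/app/Activity;->onCreate": 1, "Landroid/widget/TextView;->setText": 2,
           "Landroid/net/Uri;->parse": 3, "Landroid/content/Intent;-><init>": 4,
           "Landroid/telephony/SmsManager;->getDefault": 5,
           "Landroid/telephony/SmsManager;->sendTextMessage": 6}
def _h(s):
    return hashlib.sha256(s.encode()).hexdigest()[:16]

def lev3_signature(api_calls):
    """Lev3: hash of one method's ordered API-call ID sequence."""
    return _h(",".join(str(API_IDS[c]) for c in api_calls))

def lev2_signature(methods):
    """Lev2: hash over a class's Lev3 signatures; sorting them (our assumption)
    makes the result independent of method names and declaration order."""
    return _h("|".join(sorted(lev3_signature(c) for c in methods.values())))

def lev1_signature(classes):
    """Lev1: hash over the application's Lev2 signatures."""
    return _h("|".join(sorted(lev2_signature(m) for m in classes.values())))

def method_similarity(app_a, app_b):
    """Jaccard overlap of Lev3 signatures (our stand-in for the paper's score)."""
    sa = {lev3_signature(c) for cls in app_a.values() for c in cls.values()}
    sb = {lev3_signature(c) for cls in app_b.values() for c in cls.values()}
    return len(sa & sb) / len(sa | sb)

def new_classes(known_app, suspect_app):
    """Classes in the suspect whose Lev2 signature is absent from the known app."""
    known = {lev2_signature(m) for m in known_app.values()}
    return sorted(n for n, m in suspect_app.items() if lev2_signature(m) not in known)

# Constructed sample: an original app and a repackaged copy with renamed classes and
# methods plus one added class that calls the SMS API.
ORIGINAL = {"com/example/MainActivity": {
    "onCreate": ["Landroid/app/Activity;->onCreate", "Landroid/widget/TextView;->setText"],
    "open": ["Landroid/net/Uri;->parse", "Landroid/content/Intent;-><init>"]}}
REPACKAGED = {"a/b/C": {
    "a": ["Landroid/app/Activity;->onCreate", "Landroid/widget/TextView;->setText"],
    "b": ["Landroid/net/Uri;->parse", "Landroid/content/Intent;-><init>"]},
    "a/b/D": {"run": ["Landroid/telephony/SmsManager;->getDefault",
                      "Landroid/telephony/SmsManager;->sendTextMessage"]}}

if __name__ == "__main__":
    print(lev1_signature(ORIGINAL) == lev1_signature(REPACKAGED))  # False: app-level hash changes
    print(method_similarity(ORIGINAL, REPACKAGED))                  # 0.666...: 2 of 3 methods shared
    print(new_classes(ORIGINAL, REPACKAGED))                        # ['a/b/D']
```

Renaming classes and methods leaves the Lev2 signature of the copied class unchanged, so the repackaged app still scores high against the original, while the class whose Lev2 signature is unknown points at the added code segment.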