TY - JOUR
T1 - Detection of Repackaged Android Malware with Code-Heterogeneity Features
AU - Tian, Ke
AU - Yao, Danfeng
AU - Ryder, Barbara G.
AU - Tan, Gang
AU - Peng, Guojun
N1 - Funding Information:
The authors would like to thank the anonymous reviewers for their insightful comments and suggestions on the work. This work was supported in part by DARPA APAC award FA8750-15-2-0076. A preliminary version of the work appeared in the Proceedings of the IEEE Mobile Security Technologies (MoST) workshop, in conjunction with the IEEE Symposium on Security and Privacy [1].
Publisher Copyright:
© 2004-2012 IEEE.
PY - 2020/1/1
Y1 - 2020/1/1
N2 - During repackaging, malware writers statically inject malcode and modify the control flow to ensure its execution. Repackaged malware is difficult to detect with existing classification techniques, partly because of its behavioral similarity to benign apps. By examining the differing behaviors within an app, we propose a new Android repackaged malware detection technique based on code heterogeneity analysis. Our solution strategically partitions the code structure of an app into multiple dependence-based regions (subsets of the code). Each region is independently classified on its behavioral features. We point out the security challenges and design choices for partitioning code structures at the class- and method-level graphs, and present a solution based on multiple dependence relations. We have performed an experimental evaluation with over 7,542 Android apps. For repackaged malware, our partition-based detection reduces false negatives (i.e., missed detections) by 30-fold when compared to the non-partition-based approach. Overall, our approach achieves a false negative rate of 0.35 percent and a false positive rate of 2.97 percent.
AB - During repackaging, malware writers statically inject malcode and modify the control flow to ensure its execution. Repackaged malware is difficult to detect with existing classification techniques, partly because of its behavioral similarity to benign apps. By examining the differing behaviors within an app, we propose a new Android repackaged malware detection technique based on code heterogeneity analysis. Our solution strategically partitions the code structure of an app into multiple dependence-based regions (subsets of the code). Each region is independently classified on its behavioral features. We point out the security challenges and design choices for partitioning code structures at the class- and method-level graphs, and present a solution based on multiple dependence relations. We have performed an experimental evaluation with over 7,542 Android apps. For repackaged malware, our partition-based detection reduces false negatives (i.e., missed detections) by 30-fold when compared to the non-partition-based approach. Overall, our approach achieves a false negative rate of 0.35 percent and a false positive rate of 2.97 percent.
UR - http://www.scopus.com/inward/record.url?scp=85028698192&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85028698192&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2017.2745575
DO - 10.1109/TDSC.2017.2745575
M3 - Article
AN - SCOPUS:85028698192
VL - 17
SP - 64
EP - 77
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
SN - 1545-5971
IS - 1
M1 - 8018581
ER -