Towards large-scale hunting for Android negative-day malware

Lun Pin Yuan, Wenjun Hu, Ting Yu, Peng Liu, Sencun Zhu

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

3 Scopus citations

Abstract

Android malware writers often use online malware scanners to check how well their malware evades detection, and indeed scan reports for such malware can be found that were generated before its major outbreaks. If in-development malware could be identified before deployment, effective defenses could be developed before it causes devastating consequences. To this end, we propose Lshand to discover undiscovered malware before day zero, which we refer to as negative-day malware. The challenges include scalability and the fact that malware writers apply detection-evasion and submission-anonymization techniques. Our approach is based on the observation that malware development is a continuous process, so malware variants inevitably share certain characteristics throughout that process. Accordingly, Lshand clusters scan reports on selected features and then further analyzes those seemingly benign apps that are similar to malware variants. We implemented and evaluated Lshand on submissions to VirusTotal. Our results show that Lshand can hunt down undiscovered malware at large scale, and our manual analysis and a third-party scanner confirmed our negative-day malware findings to be malware or grayware.
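The abstract describes the core hunting step only at a high level: cluster scan reports on features that persist across variants, then treat scanner-clean reports that land in a malware-dominated cluster as negative-day candidates. The following is an added illustration of that pattern, written for this page and not code from the paper or from Lshand. The feature set (signing-certificate fingerprint, requested permissions, package-name prefix), the Jaccard single-linkage clustering, the 0.6 threshold and all sample reports are assumptions for the example; the page does not state which features or algorithm Lshand actually uses.

```python
"""Added example: similarity clustering of scan reports to surface
scanner-clean submissions that cluster with detected malware.
Not the paper's code; feature choice, threshold and data are assumed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ScanReport:
    """One scan report, reduced to the fields this illustration uses."""
    sha256: str             # sample identifier (constructed, not a real hash)
    positives: int          # engines that flagged the sample at submission time
    cert_sha1: str          # signing-certificate fingerprint (constructed)
    permissions: frozenset  # requested Android permissions
    pkg_prefix: str         # leading components of the package name
    submitted: date         # submission date (constructed)


def features(r: ScanReport) -> set:
    """Assumed feature set (not the paper's): certificate and permissions are
    chosen because they tend to survive renaming and repackaging between
    variants, unlike file hashes or package names."""
    f = {f"perm:{p}" for p in r.permissions}
    f.add(f"cert:{r.cert_sha1}")
    f.add(f"pkg:{r.pkg_prefix}")
    return f


def jaccard(a: set, b: set) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def cluster(reports, threshold=0.6):
    """Single-linkage clustering: reports whose feature sets have Jaccard
    similarity >= threshold are joined via union-find over all pairs."""
    parent = list(range(len(reports)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    feats = [features(r) for r in reports]
    for i in range(len(reports)):
        for j in range(i + 1, len(reports)):
            if jaccard(feats[i], feats[j]) >= threshold:
                parent[find(i)] = find(j)
    groups = {}
    for i, r in enumerate(reports):
        groups.setdefault(find(i), []).append(r)
    return list(groups.values())


def hunt_negative_day(reports, threshold=0.6, min_detected=2):
    """Flag zero-positive reports that share a cluster with at least
    min_detected reports already flagged by scanners; these are the
    'seemingly benign' submissions that merit deeper analysis."""
    candidates = []
    for group in cluster(reports, threshold):
        detected = [r for r in group if r.positives > 0]
        if len(detected) < min_detected:
            continue
        first_detected = min(r.submitted for r in detected)
        for r in group:
            if r.positives == 0:
                candidates.append({
                    "sha256": r.sha256,
                    "cluster_size": len(group),
                    "detected_in_cluster": len(detected),
                    # positive: submitted before any variant was flagged
                    "days_before_first_detection":
                        (first_detected - r.submitted).days,
                })
    return sorted(candidates, key=lambda c: c["sha256"])


# Constructed sample reports, not real VirusTotal data.
SMS = frozenset({"READ_SMS", "SEND_SMS", "RECEIVE_BOOT_COMPLETED", "INTERNET"})
SAMPLE_REPORTS = [
    ScanReport("sha256-01", 0, "cert-A", SMS, "com.example", date(2019, 1, 5)),
    ScanReport("sha256-02", 12, "cert-A", SMS | {"READ_CONTACTS"},
               "com.example", date(2019, 2, 10)),
    ScanReport("sha256-03", 15, "cert-A", SMS | {"READ_CONTACTS"},
               "com.example", date(2019, 3, 1)),
    ScanReport("sha256-04", 0, "cert-B",
               frozenset({"INTERNET", "ACCESS_NETWORK_STATE", "CAMERA"}),
               "org.benign", date(2019, 1, 20)),
    ScanReport("sha256-05", 0, "cert-B",
               frozenset({"INTERNET", "ACCESS_NETWORK_STATE"}),
               "org.benign", date(2019, 2, 1)),
]

if __name__ == "__main__":
    for c in hunt_negative_day(SAMPLE_REPORTS):
        print(c)
```

On the constructed data the three cert-A reports form one cluster and the two cert-B reports another; only sha256-01 is flagged, because it is scanner-clean yet sits with two detected variants, and it was submitted 36 days before the first of them was caught. A negative value in days_before_first_detection would mean the clean report arrived after the family was already known, which still merits a look but is not a negative-day case. A real deployment would also have to cope with the evasion and anonymization the abstract mentions, for instance by not trusting any single feature that an author can cheaply rotate.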

Original language: English (US)
Title of host publication: RAID 2019 Proceedings - 22nd International Symposium on Research in Attacks, Intrusions and Defenses
Publisher: USENIX Association
Pages: 533-545
Number of pages: 13
ISBN (Electronic): 9781939133076
State: Published - 2019
Event: 22nd International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2019 - Beijing, China
Duration: Sep 23 2019 - Sep 25 2019

Publication series

Name: RAID 2019 Proceedings - 22nd International Symposium on Research in Attacks, Intrusions and Defenses

Conference

Conference: 22nd International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2019
Country/Territory: China
City: Beijing
Period: 9/23/19 - 9/25/19

All Science Journal Classification (ASJC) codes

  • Computer Science (all)
  • Safety, Risk, Reliability and Quality
  • Law
  • Safety Research
