Skip to main content
SpringerLink
Log in
Book cover

International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment

DIMVA 2017: Detection of Intrusions and Malware, and Vulnerability Assessment pp 252–276Cite as

Deep Ground Truth Analysis of Current Android Malware

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10327))

Abstract

To build effective malware analysis techniques and to evaluate new detection tools, up-to-date datasets reflecting the current Android malware landscape are essential. For such datasets to be maximally useful, they need to contain reliable and complete information on malware’s behaviors and techniques used in the malicious activities. Such a dataset shall also provide a comprehensive coverage of a large number of types of malware. The Android Malware Genome created circa 2011 has been the only well-labeled and widely studied dataset the research community had easy access to (As of 12/21/2015 the Genome authors have stopped supporting the dataset sharing due to resource limitation). But not only is it outdated and no longer represents the current Android malware landscape, it also does not provide as detailed information on malware’s behaviors as needed for research. Thus it is urgent to create a high-quality dataset for Android malware. While existing information sources such as VirusTotal are useful, to obtain the accurate and detailed information for malware behaviors, deep manual analysis is indispensable. In this work we present our approach to preparing a large Android malware dataset for the research community. We leverage existing anti-virus scan results and automation techniques in categorizing our large dataset (containing 24,650 malware app samples) into 135 varieties (based on malware behavioral semantics) which belong to 71 malware families. For each variety, we select three samples as representatives, for a total of 405 malware samples, to conduct in-depth manual analysis. Based on the manual analysis result we generate detailed descriptions of each malware variety’s behaviors and include them in our dataset. We also report our observations on the current landscape of Android malware as depicted in the dataset. Furthermore, we present detailed documentation of the process used in creating the dataset, including the guidelines for the manual analysis. We make our Android malware dataset available to the research community.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    Some malware can get pass Google’s vetting system and end up in Google Play.

  2. 2.

    Tool website: http://pag.arguslab.org/argus-saf.

  3. 3.

    Tool website: http://pag.arguslab.org/argus-cit.

  4. 4.

    Table 2 aggregates the behaviors over all malware varieties in a family. The more specific per-variety breakdown can be found at our Android malware website.

References

  1. Building Web Apps in WebView. https://developer.android.com/guide/webapps/webview.html

  2. Contagio Mobile Malware Mini Dump. http://contagiominidump.blogspot.com/

  3. Drive-by Download. https://en.wikipedia.org/wiki/Drive-by_download

  4. hexdump. https://www.freebsd.org/cgi/man.cgi?query=hexdump&sektion=1

  5. IDA. https://www.hex-rays.com/products/ida/index.shtml

  6. VirusShare. https://virusshare.com/

  7. VirusTotal. https://www.virustotal.com/

  8. IDC: Smartphone OS Market Share 2015, 2014, 2013, and 2012 (2015). http://www.idc.com/prodserv/smartphone-os-market-share.jsp

  9. A Growing Number of Android Malware Families Believed to Have a CommonOrigin: A Study Based on Binary Code (2016). https://community.fireeye.com/external/1438

  10. Allix, K., Bissyand, T.F., Klein, J., Le Traon, Y.: AndroZoo: collecting millions of android apps for the research community. In: Proceedings of the Mining Software Repositories (MSR) (2016)

    Google Scholar 

  11. Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K.: Drebin: effective and explainable detection of android malware in your pocket. In: Proceedings of the NDSS (2014)

    Google Scholar 

  12. Bianchi, A., Corbetta, J., Invernizzi, L., Fratantonio, Y., Kruegel, C., Vigna, G.: What the app. is that? deception and countermeasures in the android user interface. In: Proceedings of the IEEE S&P (2015)

    Google Scholar 

  13. Nikita Buchka. Taking root (2015). https://securelist.com/blog/mobile/71981/taking-root/

  14. Buchka, N., Kuzin, M.: Attack on Zygote: a new twist in the evolution of mobile threats (2016). https://securelist.com/analysis/publications/74032/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/

  15. Chen, K., Wang, P., Lee, Y., Wang, X., Zhang, N., Huang, H., Zou, W., Liu, P.: Finding unknown malice in 10 seconds: mass vetting for new threats at the google-play scale. In: Proceedings of the USENIX Security Symposium, pp. 659–674 (2015)

    Google Scholar 

  16. Hurier, M., Allix, K., Bissyandé, T.F., Klein, J., Le Traon, Y.: On the lack of consensus in anti-virus decisions: metrics and insights on building ground truths of android malware. In: Caballero, J., Zurutuza, U., Rodríguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 142–162. Springer, Cham (2016). doi:10.1007/978-3-319-40667-1_8

    Google Scholar 

  17. Kessem, L.: Android Malware About to Get Worse: GM Bot Source Code Leaked (2016). https://securityintelligence.com/android-malware-about-to-get-worse-gm-bot-source-code-leaked/

  18. Li, Y., Jang, J., Hu, X., Ou, X.: Android Malware Clustering through Malicious Payload Mining. Technical Report 2017–1, Argus Cybersecurity Lab, University of South Florida (2017). http://www.arguslab.org/tech_reports/2017-1

  19. Lindorfer, M., Neugschwandtner, M., Weichselbaum, L., Fratantonio, Y., Van Der Veen, V., Platzer, C.: ANDRUBIS - 1,000,000 apps later: a view on current android malware behaviors. In: 2014 Third International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), pp. 3–17. IEEE (2014)

    Google Scholar 

  20. Maggi, F., Bellini, A., Salvaneschi, G., Zanero, S.: Finding non-trivial malware naming inconsistencies. In: Jajodia, S., Mazumdar, C. (eds.) ICISS 2011. LNCS, vol. 7093, pp. 144–159. Springer, Heidelberg (2011). doi:10.1007/978-3-642-25560-1_10

    Chapter  Google Scholar 

  21. Mohaisen, A., Alrawi, O.: AV-Meter: an evaluation of antivirus scans and labels. In: Dietrich, S. (ed.) DIMVA 2014. LNCS, vol. 8550, pp. 112–131. Springer, Cham (2014). doi:10.1007/978-3-319-08509-8_7

    Google Scholar 

  22. Polkovnichenko, A., Koriat, O., Horde, V.: A New Type of Android Malware on Google Play (2016). http://blog.checkpoint.com/2016/05/09/viking-horde-a-new-type-of-android-malware-on-google-play/

  23. Rasthofer, S., Arzt, S., Miltenberger, M., Bodden, E.: Harvesting runtime values in android applications that feature anti-analysis techniques. In: Proceedings of the NDSS (2016)

    Google Scholar 

  24. Rastogi, V., Shao, R., Chen, Y., Pan, X., Zou, S., Riley, R.: Are these ads safe: detecting hidden attacks through the mobile app-web interfaces. In: Proceedings of the NDSS (2016)

    Google Scholar 

  25. Sebastián, M., Rivera, R., Kotzias, P., Caballero, J.: AVclass: a tool for massive malware labeling. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 230–253. Springer, Cham (2016). doi:10.1007/978-3-319-45719-2_11

    Chapter  Google Scholar 

  26. Shatilin, I.: Banking Trojans: mobile’s major cyberthreat. https://blog.kaspersky.com/android-banking-trojans/9897/

  27. Tam, K., Khan, S.J., Fattori, A., Cavallaro, L.: CopperDroid: automatic reconstruction of android malware behaviors. In: Proceedings of the NDSS (2015)

    Google Scholar 

  28. Wei, F., Roy, S., Ou, X., Robby: Amandroid: a precise and general inter-component data flow analysis framework for security vetting of android apps. In: Proceedings of the CCS (2014)

    Google Scholar 

  29. Woods, V., van der Meulen, R.: Gartner Says Emerging Markets Drove Worldwide Smartphone Sales to 15.5 Percent Growth in Third Quarter of 2015 (2015). http://www.gartner.com/newsroom/id/3169417

  30. Zhang, Y.: Kemoge: Another Mobile Malicious Adware Infecting Over 20 Contries (2015). https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html

  31. Zhou, W., Chen, Z., Su, J., Xie, J., Huang, H.: SlemBunk: An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps (2015). https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html

  32. Zhou, W., Deyu, H., Jimmy, S., Yong Kang, R.: The Latest Family of Android Malware Attacking Users in Russia via SMS Phishing (2016). https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html

  33. Zhou, W., Huang, H., Chen, Z., Xie, J., Su, J.: SlemBunk Part II: Prolonged Attack Chain and Better-Organized Campaign (2016). https://www.fireeye.com/blog/threat-research/2016/01/slembunk-part-two.html

  34. Zhou, Y., Jiang, X.: Dissecting android malware: Characterization and evolution. In: Proceedings of the IEEE S&P (2012)

    Google Scholar 

Download references

Acknowledgment

This research is partially supported by the U.S. National Science Foundation under Grant No. 1622402. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation. This research is also partially supported by David and Amy Fulton Grant received by co-author Roy at Bowling Green State University.

Author information

Authors and Affiliations

  1. University of South Florida, Tampa, FL, USA

    Fengguo Wei, Yuping Li & Xinming Ou

  2. Bowling Green State University, Bowling Green, OH, USA

    Sankardas Roy

  3. Didi Labs, Mountain View, CA, USA

    Wu Zhou

Authors
  1. Fengguo Wei
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yuping Li
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Sankardas Roy
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Xinming Ou
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Wu Zhou
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Fengguo Wei .

Editor information

Editors and Affiliations

  1. Stony Brook University, Stony Brook, New York, USA

    Michalis Polychronakis

  2. University of Bonn and Fraunhofer FKIE, Bonn, Germany

    Michael Meier

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Wei, F., Li, Y., Roy, S., Ou, X., Zhou, W. (2017). Deep Ground Truth Analysis of Current Android Malware. In: Polychronakis, M., Meier, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2017. Lecture Notes in Computer Science(), vol 10327. Springer, Cham. https://doi.org/10.1007/978-3-319-60876-1_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-60876-1_12

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-60875-4

  • Online ISBN: 978-3-319-60876-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation