
ANTSdroid: Automatic Malware Family Behaviour Generation and Analysis for Android Apps

  • Conference paper
Information Security and Privacy (ACISP 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10946)


Abstract

Malware developers routinely use obfuscation techniques to generate polymorphic and metamorphic variants of their malware. Keeping up with new variants and writing a signature for each one in a timely fashion is an important but tedious task that anti-virus companies face constantly. This motivates our goal of no longer chasing individual variants. In this paper we aim to find a malware family's main characteristic operations, those directly related to its intent. We propose global execution-sequence alignment and segmentation algorithms that generate an execution stage chart for a malware family: a simple, easy-to-understand overview of the family's lifecycle together with the operations that individual variants have in common, and those in which they differ, at each stage. We also present an automated dynamic Android malware profiling and family security analysis system that focuses on the execution sequences of sensitive and permission-related API calls, which we refer to as the motifs of a malware family's variants. To this end, we modify the Android Debug Bridge (ADB) tool with several new features: recording the parameters and return value of each API call, UID-based profiling that captures all processes and threads of the target malware app so that its activities are observed completely, and per-thread trace generation. Finally, we validate the proposed system and methods on a real-world dataset. The generated family stage charts and motifs give security analysts a semantics-rich understanding of what a malware family is designed to do and how it is implemented. The main characteristic API call sequences of malware families can serve as signatures for effective and efficient malware detection in the future.
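The abstract describes globally aligning the sensitive-API call sequences of a family's variants and segmenting the alignment into a stage chart of common and variant-specific operations. The following Python is an added example, not the ANTSdroid authors' code: the page gives only the abstract, so the concrete method (a center-star multiple alignment built from Needleman-Wunsch pairwise global alignments), the scoring parameters, the stage-boundary rule, and the three variant traces are all assumptions or constructed data rather than the paper's algorithm or a real malware family.

```python
"""Stage chart from globally aligned API-call traces of malware-family variants.

Added illustration, not the ANTSdroid authors' code: the abstract only says the
variants' sensitive-API call sequences are globally aligned and segmented into
stages; the concrete method here (center-star multiple alignment built from
Needleman-Wunsch pairwise alignments), its scores and all traces are assumptions.
"""
from typing import Dict, List, Tuple

GAP = "-"
MATCH, MISMATCH, GAP_PENALTY = 2, -1, -1  # assumed scoring, not the paper's

# Constructed per-variant API-call traces of a hypothetical family.
TRACES: Dict[str, List[str]] = {
    "v1": ["getDeviceId", "getSubscriberId", "openConnection", "write",
           "getInstalledPackages", "sendTextMessage"],
    "v2": ["getDeviceId", "getLine1Number", "openConnection", "write",
           "sendTextMessage"],
    "v3": ["getDeviceId", "getSubscriberId", "getSimSerialNumber", "openConnection",
           "write", "getInstalledPackages", "sendTextMessage"],
}


def needleman_wunsch(a: List[str], b: List[str]) -> Tuple[List[str], List[str]]:
    """Global pairwise alignment of two call sequences, each returned GAP-padded."""
    n, m = len(a), len(b)
    s = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        s[i][0] = i * GAP_PENALTY
    for j in range(1, m + 1):
        s[0][j] = j * GAP_PENALTY
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            s[i][j] = max(s[i - 1][j - 1] + sub, s[i - 1][j] + GAP_PENALTY,
                          s[i][j - 1] + GAP_PENALTY)
    out_a, out_b, i, j = [], [], n, m
    while i > 0 or j > 0:  # traceback, preferring a substitution over a gap
        sub = MATCH if i and j and a[i - 1] == b[j - 1] else MISMATCH
        if i and j and s[i][j] == s[i - 1][j - 1] + sub:
            out_a.append(a[i - 1]); out_b.append(b[j - 1]); i -= 1; j -= 1
        elif i and s[i][j] == s[i - 1][j] + GAP_PENALTY:
            out_a.append(a[i - 1]); out_b.append(GAP); i -= 1
        else:
            out_a.append(GAP); out_b.append(b[j - 1]); j -= 1
    return out_a[::-1], out_b[::-1]


def merge_alignment(msa, center, new_c, new_o, other):
    """Fold `other` into the multiple alignment via its pairwise alignment to the center."""
    cur, cols, i, j = msa[center], {k: [] for k in list(msa) + [other]}, 0, 0
    while i < len(cur) or j < len(new_c):
        cur_tok = cur[i] if i < len(cur) else None
        new_tok = new_c[j] if j < len(new_c) else None
        if cur_tok == GAP or new_tok is None:    # column exists only in the old MSA
            for k in msa: cols[k].append(msa[k][i])
            cols[other].append(GAP); i += 1
        elif new_tok == GAP or cur_tok is None:  # column exists only in new alignment
            for k in msa: cols[k].append(GAP)
            cols[other].append(new_o[j]); j += 1
        else:                                    # same center call in both
            for k in msa: cols[k].append(msa[k][i])
            cols[other].append(new_o[j]); i += 1; j += 1
    return cols


def build_family_alignment(traces):
    """Center-star MSA: every variant is aligned to the longest trace, then merged."""
    names = sorted(traces, key=lambda k: -len(traces[k]))
    center, msa = names[0], {names[0]: list(traces[names[0]])}
    for other in names[1:]:
        aligned_c, aligned_o = needleman_wunsch(traces[center], traces[other])
        msa = merge_alignment(msa, center, aligned_c, aligned_o, other)
    return msa


def stage_chart(msa):
    """Segment the alignment: a new stage starts at a common call (all variants
    agree) that follows variant-specific columns; each stage lists both kinds."""
    names, stages, prev_common = list(msa), [], False
    for col in range(len(msa[names[0]])):
        column = {k: msa[k][col] for k in names}
        common = len(set(column.values())) == 1 and GAP not in column.values()
        if not stages or (common and not prev_common):
            stages.append({"common": [], "variant": {k: [] for k in names}})
        if common:
            stages[-1]["common"].append(column[names[0]])
        else:
            for k, call in column.items():
                if call != GAP:
                    stages[-1]["variant"][k].append(call)
        prev_common = common
    return stages


def family_motif(msa):
    """The calls every variant performs, in order: the family's characteristic sequence."""
    return [call for stage in stage_chart(msa) for call in stage["common"]]
```

Calling `build_family_alignment(TRACES)` yields seven aligned columns; `stage_chart` splits them into three stages (identifier collection with per-variant differences, a common network write with an optional package enumeration, and a common SMS send), and `family_motif` returns the four calls shared by every variant, the kind of family-level sequence the abstract proposes as a signature. Real traces would be far longer and noisier, so the affine or API-category-aware scoring that a production tool would need is deliberately left out here.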


Author information

Corresponding author: Yeali S. Sun

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Cite this paper

Sun, Y.S., Chen, C.C., Hsiao, S.W., Chen, M.C. (2018). ANTSdroid: Automatic Malware Family Behaviour Generation and Analysis for Android Apps. In: Susilo, W., Yang, G. (eds) Information Security and Privacy. ACISP 2018. Lecture Notes in Computer Science, vol 10946. Springer, Cham. https://doi.org/10.1007/978-3-319-93638-3_48

  • DOI: https://doi.org/10.1007/978-3-319-93638-3_48

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-93637-6

  • Online ISBN: 978-3-319-93638-3

  • eBook Packages: Computer Science (R0)