Mobile malware has recently become an acute problem. Existing solutions either base static reasoning on syntactic properties, such as exception handlers or configuration fields, or compute data-flow reachability over the program, which leads to scalability challenges.We explore a new and complementary category of features, which strikes a middleground between the above two categories. This new category focuses on security-relevant operations (communcation, lifecycle, etc) and in particular, their multiplicity and happens-before order as a means to distinguish between malicious and benign applications. Computing these features requires semantic, yet lightweight, modeling of the program's behavior.We have created a malware detection system for Android, MASSDROID, that collects traces of security-relevant operations from the call graph via a scalable form of data-flow analysis. These are reduced to happens-before and multiplicity features, then fed into a supervised learning engine to obtain a malicious/benign classification. MASSDROID also embodies a novel reporting interface, containing pointers into the code that serve as evidence supporting the determination.We have applied MASSDROID to 35,000 Android apps from the wild. The results are highly encouraging with an F-score of 95% in standard testing, and >90% when applied to previously unseen malware signatures. MASSDROID is also efficient, requiring about two minutes per app. MASSDROID is publicly available as a cloud service for malware detection.

Pinpointing mobile malware using code analysis

Ferrara P;
2016

Abstract

Mobile malware has recently become an acute problem. Existing solutions either base static reasoning on syntactic properties, such as exception handlers or configuration fields, or compute data-flow reachability over the program, which leads to scalability challenges.We explore a new and complementary category of features, which strikes a middleground between the above two categories. This new category focuses on security-relevant operations (communcation, lifecycle, etc) and in particular, their multiplicity and happens-before order as a means to distinguish between malicious and benign applications. Computing these features requires semantic, yet lightweight, modeling of the program's behavior.We have created a malware detection system for Android, MASSDROID, that collects traces of security-relevant operations from the call graph via a scalable form of data-flow analysis. These are reduced to happens-before and multiplicity features, then fed into a supervised learning engine to obtain a malicious/benign classification. MASSDROID also embodies a novel reporting interface, containing pointers into the code that serve as evidence supporting the determination.We have applied MASSDROID to 35,000 Android apps from the wild. The results are highly encouraging with an F-score of 95% in standard testing, and >90% when applied to previously unseen malware signatures. MASSDROID is also efficient, requiring about two minutes per app. MASSDROID is publicly available as a cloud service for malware detection.
IEEE/ACM International Conference on Mobile Software Engineering and Systems, MobileSoft 2016
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in ARCA sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/10278/3730040
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 3
  • ???jsp.display-item.citation.isi??? 2
social impact