Analyzing android repackaged malware by decoupling their event behaviors

Abstract

Malware has threatened Android security for a long time. One of the main sources of Android malware is attackers injecting malicious payloads into legitimate apps and then republishing them, known as repackaged malware. In this paper, we propose a new dynamic approach to analyze and detect the behaviors of Android repackaged malware. Our approach mainly concerns the framework-level behaviors of apps with rich semantics, and a special execution sandbox is first constructed to extract them. Then, assuming that malicious payloads are usually triggered by certain events, we reconstruct the execution dependency graph to distinguish different event behaviors of malware. Thus, based on the independent event behavior sequences, only a small number of malware samples from the same family are required to accurately compare and locate their common behaviors, which can be further used as signatures to detect other suspicious Android apps or to analyze malware’s activities. For evaluation, we have implemented the prototype system, and 9 families of real-world repackaged malware are detected in our experiments. Although only 3 samples for each family are randomly chosen to extract their common malware behaviors, the results show that our approach still has a high detection accuracy (96.3%). In addition, some attacks such as code encryption and delay attack are also studied in this work.

Cite

Lin, Z., Wang, R., Jia, X., Zhang, S., & Wu, C. (2016). Analyzing android repackaged malware by decoupling their event behaviors. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 9836 LNCS, pp. 3–20). Springer Verlag. https://doi.org/10.1007/978-3-319-44524-3_1
