ANTSdroid: Automatic malware family behaviour generation and analysis for Android apps


Abstract

Malware developers often use various obfuscation techniques to generate polymorphic and metamorphic versions of malware. Keeping up with new variants and creating signatures for each individual one in a timely fashion is an important but tedious problem that anti-virus companies face all the time. This motivates the idea of no more dancing with variants. In this paper, we aim to find a malware family's main characteristic operations directly related to its intent. We propose global execution sequence alignment and segmentation algorithms to generate the execution stage chart of a malware family, which presents a simple and easy-to-understand overview of the lifecycle as well as the common and different operations that individual variants perform at a stage. We also present an automated dynamic Android malware profiling and family security analysis system in which we focus on the execution sequences of sensitive and permission-related API calls, referred to as motifs, of the variants of a malware family. To achieve this goal, we modify the Android Debug Bridge (ADB) tool to add several new features, including recording of the parameters and return value of an API call, support for UID-based profiling to capture all the processes and threads and so gain a complete understanding of the activities of the target malware app, and per-thread trace generation. Finally, we use a real-world dataset to validate the proposed system and methods. The generated family stage chart and motifs can provide security analysts with a semantics-rich understanding of what a malware family does and how it is designed and implemented. The main characteristic API call sequences of malware families can be used as signatures for effective and efficient malware detection in the future.

Sun, Y. S., Chen, C. C., Hsiao, S. W., & Chen, M. C. (2018). ANTSdroid: Automatic malware family behaviour generation and analysis for Android apps. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10946 LNCS, pp. 796–804). Springer Verlag. https://doi.org/10.1007/978-3-319-93638-3_48
