| dc.description.abstract |
Globally, the use of smartphones has surged dramatically in recent years. The development of user-centric operating systems for smartphones has played a vital role in the adoption of these devices. Android by Google is the most used smartphone operating system and captures a market share of more than 70%. This has encouraged attackers to exploit its vulnerabilities, resulting in a consistent increase in Android malware. Conventional signature-based schemes provide a quick and efficient method for detecting known malware but are unable to cope with the rapid pace of emerging malware and their variants. This has led to the design of generic machine learning models for malware detection and categorization. These solutions are built on static and dynamic features extracted from Android applications. The former aims at detecting malware without execution, and the latter analyzes the runtime behavior of an application. Code obfuscation techniques are commonly used to evade static malware analysis approaches. In recent years, researchers have turned to dynamic-analysis-based machine learning solutions for the detection of malware. Dynamic analysis features can be extracted from a number of sources, including network traffic, function call graphs, API calls, and volatile memory. Although all these sources provide useful insights about an application's behavior, existing studies indicate that volatile memory represents a comprehensive and holistic view of an application's runtime execution. It can be used to extract information related to the OS kernel, all executing processes, network activity, and application code. Thus, volatile memory is a rich collection of both system-specific and process-specific features. The aforementioned features have been investigated in more detail for malware detection on Linux and Windows platforms than on Android. 
In addition, researchers have focused more on binary classification of malware than on category classification such as Adware, random, banking and riskware. Category classification plays a vital role in formulating mitigation strategies against specific malware threats. In this research, a volatile-memory-based Android malware detection and categorization framework, MemDroidAnalyzer, is presented. The framework is capable of temporal acquisition of volatile memory dumps, which are then analyzed to extract semantically rich information about application behavior. This study extracts two kinds of information from memory: volatile memory state information and process-specific information in the kernel task structure. The information is extracted by two components of MemDroidAnalyzer, namely VolDroid and KTSDroid. VolDroid extracts information related to the state of volatile memory after the execution of the application. It is pertinent to highlight that existing studies have not examined volatile memory state information with respect to the Android platform. VolDroid comprehensively analyzes various artifacts in volatile memory, and forty valuable features for malware detection and categorization are reported. On the other hand, KTSDroid extracts process-specific information from volatile memory by analyzing the kernel task structure, which is a hierarchical tree-based data structure. To the best of our knowledge, KTSDroid is the most comprehensive kernel task structure analyzer for Android, extracting features from nine categories of the structure. In addition, each category tree is investigated to a depth of six levels. Significant kernel task structure categories and twenty-eight useful features have been identified. Further, MemDroidAnalyzer synthesizes the features extracted by VolDroid and KTSDroid to increase the detection and categorization efficiency for obfuscated and non-obfuscated malware. 
To the best of our knowledge, this work presents a unique combination of memory state information and process-specific information for Android malware analysis. MemDroidAnalyzer's performance is validated against code obfuscation techniques including class encryption, string encryption, control flow modifications, class reordering, Android manifest transformation, identifier renaming, reflection, and junk code insertion. The proposed framework is able to detect malicious Android applications with an F-score of 0.99 on known malware samples and 0.976 on obfuscated and new (unknown) samples, achieving an improvement of 4 percent on known malware samples and 2.5 percent on obfuscated (excluding preventive obfuscation) and unseen new malware samples in terms of F1-score as compared to existing memory-based studies for Android malware detection. MemDroidAnalyzer is also capable of categorizing malware into Adware, Banking Trojan, Riskware, and SMS Trojan classes. MemDroidAnalyzer stands out as the only solution for Android malware categorization based solely on memory-based features (to the best of our knowledge), with an average F1-score of 0.965. The proposed features demonstrate resilience against obfuscation and tampering effects, unlike existing frameworks that exhibit similar performance but are susceptible to issues related to code hiding and tampering. |
en_US |