TRANSCRIPT
UpDroid: Updated Android Malware and
Its Familial Classification
Kursat Aktas, Assoc. Prof. Sevil Sen
WISE Lab, Hacettepe University
Mobile Security
- New mobile variants.
- Android is among the most targeted platforms by attackers.
- Mobile devices are usually protected by static analysis-based solutions.
  - Vulnerable to new attacks.
  - Vulnerable to new variants of existing attacks.
Updating
- One of the most effective evasion strategies.
- Update attacks:
  - Do not contain any malicious code at the installation phase.
  - Add the malicious code at runtime, after the app has been installed.
UpDroid: Updated Android Malware
Collecting Apps
- Koodous
  - Recently submitted applications.
  - Not detected by other analysts.
  - Containing at least one loading activity.
  - Collected 11490 apps.
- Apkpure
  - Most popular apps from each category.
  - Collected 6299 apps.
Analysis of Apps
- Each app is run for 15 minutes.
- DroidBox outputs are collected.
- Three filtering mechanisms:
  1. Code loading + data leakage
  2. Code loading + malicious network connection
  3. Native code loading signature + data leakage or malicious network connection
Dataset Validation
- Potential update-attack candidates are sent to VirusTotal. A candidate is confirmed as an update attack if:
  - it is detected by more than 10 AVs, and
  - its dominant label belongs to an update-attack family.
- 82.66% of candidates were confirmed as update attacks.
- 7.1% of all connected samples were missed by our filtering mechanisms.
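The two steps above (the three filtering mechanisms over dynamic-analysis output, then the VirusTotal-based confirmation rule), as an added example. This is not the UpDroid tool's own code: it assumes a simplified report structure modelled loosely on DroidBox's JSON report (the `dexclass`, `libraries`, `dataleaks` and `opennet` fields are an assumption), a constructed host blocklist standing in for the talk's "malicious network connection" check, a simple label-normalisation heuristic (`family_of`), and a constructed set of update-attack family names, since the talk's 21 families are not listed on this page. All reports and scan results are constructed inline.

```python
"""Candidate selection and VirusTotal-style validation for update attacks.
Added example modelled on the UpDroid pipeline; not the UpDroid tool's own code.
All data below is constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed dynamic-analysis reports. The field names (dexclass, libraries,
# dataleaks, opennet) loosely follow DroidBox's JSON report; the exact schema is
# an assumption made for this example.
REPORTS: Dict[str, dict] = {
    # loads a DEX payload at runtime and leaks the IMEI over the network
    "app_a.apk": {"dexclass": [{"path": "/data/data/app_a/files/payload.jar"}], "libraries": [],
                  "dataleaks": [{"tag": "TAINT_IMEI", "sink": "Network"}],
                  "opennet": [{"desthost": "203.0.113.10", "destport": 8080}]},
    # loads code at runtime and connects to a blocklisted host, no leak observed
    "app_b.apk": {"dexclass": [{"path": "/data/data/app_b/cache/update.dex"}], "libraries": [],
                  "dataleaks": [], "opennet": [{"desthost": "198.51.100.7", "destport": 80}]},
    # loads a native library and writes location data to a file
    "app_c.apk": {"dexclass": [], "libraries": [{"path": "/data/data/app_c/lib/libnative.so"}],
                  "dataleaks": [{"tag": "TAINT_LOCATION", "sink": "File"}], "opennet": []},
    # ordinary HTTPS traffic only: no loading, no leak
    "app_d.apk": {"dexclass": [], "libraries": [], "dataleaks": [],
                  "opennet": [{"desthost": "example.com", "destport": 443}]},
}
# Constructed blocklist standing in for the talk's "malicious network connection" check.
MALICIOUS_HOSTS = {"198.51.100.7", "203.0.113.10"}


def matched_filters(report: dict, blocklist: set) -> List[int]:
    """Return which of the talk's three filters (1, 2, 3) the report triggers."""
    loading = bool(report.get("dexclass"))          # dynamic DEX/JAR loading seen
    native = bool(report.get("libraries"))          # native library loaded
    leak = bool(report.get("dataleaks"))            # tainted data reached a sink
    bad_net = any(c.get("desthost") in blocklist for c in report.get("opennet", []))
    hits = []
    if loading and leak:
        hits.append(1)
    if loading and bad_net:
        hits.append(2)
    if native and (leak or bad_net):
        hits.append(3)
    return hits


def select_candidates(reports: Dict[str, dict], blocklist: set) -> Dict[str, List[int]]:
    """Keep apps that trigger at least one filter, mapped to the filters they hit."""
    return {n: h for n, r in reports.items() if (h := matched_filters(r, blocklist))}


# Tokens skipped when pulling a family name out of an AV label (heuristic).
GENERIC_TOKENS = {"android", "androidos", "trojan", "adware", "riskware", "generic",
                  "malware", "agent", "gen", "variant", "update", "a", "b", "c"}
# Constructed set of update-attack families; the talk's 21 families are not listed
# on this page, so these names are an assumption for the example.
UPDATE_FAMILIES = {"droidkungfu", "basebridge", "anserverbot", "plankton"}


def family_of(label: str) -> Optional[str]:
    """First non-generic token of an AV label, lowercased; None if nothing remains."""
    for tok in re.split(r"[^a-z0-9]+", label.lower()):
        if tok and tok not in GENERIC_TOKENS and not tok.isdigit():
            return tok
    return None


def validate(scan: Dict[str, Optional[str]], update_families: set,
             min_detections: int = 10) -> Tuple[bool, int, Optional[str]]:
    """Talk's rule: more than `min_detections` engines flag the sample AND the
    dominant family label is an update-attack family.
    Returns (confirmed, positive_count, dominant_family)."""
    positives = [lbl for lbl in scan.values() if lbl]
    families = Counter(f for f in map(family_of, positives) if f)
    dominant = families.most_common(1)[0][0] if families else None
    return len(positives) > min_detections and dominant in update_families, len(positives), dominant


# Constructed stand-in for VirusTotal results: engine -> label, None means clean.
VT_RESULTS: Dict[str, Dict[str, Optional[str]]] = {
    "app_a.apk": {**{f"av{i}": "Android.Trojan.DroidKungFu" for i in range(9)},
                  "av9": "Trojan.AndroidOS.Generic", "av10": "Android/DroidKungFu.Update!Gen",
                  "av11": "Android.Trojan.DroidKungFu.B", "av12": None},
    "app_b.apk": {**{f"av{i}": "Adware.Android.Kuguo" for i in range(11)},
                  "av11": "Android.Trojan.DroidKungFu"},     # enough hits, wrong family
    "app_c.apk": {**{f"av{i}": "Android/BaseBridge.A" for i in range(5)}, "av5": None},  # too few hits
}


def run_pipeline(reports, blocklist, vt_results, update_families) -> Dict[str, dict]:
    """Filter with the three mechanisms, then validate each candidate's scan result."""
    out = {}
    for name, hits in select_candidates(reports, blocklist).items():
        confirmed, n, fam = validate(vt_results.get(name, {}), update_families)
        out[name] = {"filters": hits, "detections": n, "family": fam, "confirmed": confirmed}
    return out


if __name__ == "__main__":
    for name, res in run_pipeline(REPORTS, MALICIOUS_HOSTS, VT_RESULTS, UPDATE_FAMILIES).items():
        print(name, res)
```

Running the module prints one line per candidate: `app_a.apk` passes filters 1 and 2 and is confirmed (12 detections, dominant family droidkungfu); `app_b.apk` passes filter 2 but its dominant label is an adware family, so it is rejected despite 12 detections; `app_c.apk` passes filter 3 but only 5 engines flag it, so it is rejected; `app_d.apk` never becomes a candidate. The "more than 10" threshold is a strict comparison, matching the slide's wording, and the dominant label is taken by majority vote over the normalised family tokens, so a handful of generic labels such as `Trojan.AndroidOS.Generic` do not swing the result.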
UpDroid Overview
21 malware families, 2479 malware samples
Family Classification
- Mobile malware variants are on the rise.
- Commercial AVs are not reliable.
- Minimize the number of samples to be analysed.
- Help to decrease the analysis time.
Static + Dynamic features
Family Classification Results
Static Analysis-Based Approaches
Confusion Matrix for the Last5Y dataset
Conclusion
A new dataset, UpDroid is introduced.
Acknowledgement
This study is supported by TUBITAK (project 115E150).
THE SCIENTIFIC AND TECHNOLOGICAL RESEARCH COUNCIL OF TURKEY