Testing android malware detectors against code obfuscation: a systematization of knowledge and unified methodology

Preda, Mila Dalla; Maggi, Federico

doi:10.1007/s11416-016-0282-2

Cited by 35 publications

(36 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The current generation of malware detectors are incapable of handling encryption in the body of malware. This experiment reiterates this fact and supports the conclusions drawn by Preda et al in[17]. The conclusions drawn by them indicating a huge gap in the requirement and the availability of sophisticated anti-virus products is still very much prevalent.8.2 Future WorkSimilar to the obfuscators employed in this experiment, it should be possible to create ''de-obfuscators'' for Android files.…”

supporting

confidence: 86%

“…For this project, we use a tool called AAMO (Another Android Malware Obfuscator) [17]. This tool gives us various obfuscators for use with our experimentations.…”

Section: Methodsmentioning

confidence: 99%

“…Using this tool, we decompile a android file, perform obfuscation operations on them, and recompile the file again. In this experiment, we use the source code provided by the developers of AAMO [17] and available at [18].…”

Section: Methodsmentioning

confidence: 99%

See 2 more Smart Citations

Black Box Analysis of Android Malware Detectors

Nellaivadivelu

View full text Add to dashboard Cite

Black Box Analysis of Android Malware Detectors by Guruswamy Nellaivadivelu Code obfuscation can make it challenging to detect malware in Android devices. Malware writers obfuscate the code of their programs by employing various techniques that attempt to hide the true purpose of the program. Malware detectors can use a number of features to classify a program as a malware. If the malware detector uses a feature that is obfuscated, then the malware detector will likely fail to classify the malware as malicious software. In this research, we obfuscate selected features of known malware and determine whether the malware can still be detected by a given detector. Using this approach, we show that we can effectively perform black box analysis of various malware detectors. ACKNOWLEDGMENTS I would like to express my deep gratitude to Dr. Stamp for his valuable guidance and supervision throughout the project work. I am also extremely thankful to him for teaching me interesting new concepts and techniques in the field of security during the entire course of my graduate program. I am also grateful to my committee members for reviewing my work and providing constructive feedback. v C.25 Detection Rates after applying the Obfuscator Renaming, Reordering, Goto, and Arithmetic Branch. Average: 0.403457. .

show abstract

supporting

confidence: 86%

“…For this project, we use a tool called AAMO (Another Android Malware Obfuscator) [17]. This tool gives us various obfuscators for use with our experimentations.…”

Section: Methodsmentioning

confidence: 99%

See 1 more Smart Citation

Black Box Analysis of Android Malware Detectors

Nellaivadivelu

View full text Add to dashboard Cite

show abstract

“…We next take a subset of apps for both malware and benign and run them through three obfuscation tools. We choose as as our obfuscation tools: (1) the Automatic Android Malware Obfuscator (AAMO) [43] which has been used to demonstrate how virus detection tools perform against obfuscation, (2) DroidChameleon [44] also used to demonstrate the performance of virus detection tools in the presence of obfuscation, and (3) Obfuscapk [19] which is a recent, open source obfuscator with multiple advanced obfuscation configurations. We configured the obfuscators to use obfuscation techniques that Hammad et al [32] identified as challenging for virus detection methods.…”

Section: Obfuscated Appsmentioning

confidence: 99%

Representing string computations as graphs for classifying malware

Vecchio

Ziarek

2020

Proceedings of the IEEE/ACM 7th International Conference on Mobile Software Engineering and Systems

View full text Add to dashboard Cite

Android applications rely heavily on strings for sensitive operations like reflection, access to system resources, URL connections, database access, among others. Thus, insight into application behavior can be gained through not only an analysis of what strings an application creates but also the structure of the computation used to create theses strings, and in what manner are these strings used. In this paper we introduce a static analysis of Android applications to discover strings, how they are created, and their usage. The output of our static analysis contains all of this information in the form of a graph which we call a string computation. We leverage the results to classify individual application behavior with respect to malicious or benign intent. Unlike previous work that has focused only on extraction of string values, our approach leverages the structure of the computation used to generate string values as features to perform classification of Android applications. That is, we use none of the static analysis computed string values, rather using only the graph structures of created strings to do classification of an arbitrary Android application as malware or benign. Our results show that leveraging string computation structures as features can yield precision and recall rates as high as 97% on modern malware. We also provide baseline results against other malware detection tools and techniques to classify the same corpus of applications. CCS CONCEPTS • Theory of computation → Program analysis; • Human centered computing → Mobile computing; • Security and privacy → Malware and its mitigation.

show abstract

“…This strategy adds junk instructions which are not functional. For binaries, we can add no-operation instructions (NOP or 0x00) (Dalla Preda and Maggi 2017;Marcelli et al 2018). Besides, we can also add junk methods, such as adding defunct methods in Android smali codes (Dalla Preda and Maggi 2017).…”

Section: Junk Codesmentioning

confidence: 99%

Layered obfuscation: a taxonomy of software obfuscation techniques for layered security

Zhou

Jiang

et al. 2020

Cybersecur

View full text Add to dashboard Cite

Software obfuscation has been developed for over 30 years. A problem always confusing the communities is what security strength the technique can achieve. Nowadays, this problem becomes even harder as the software economy becomes more diversified. Inspired by the classic idea of layered security for risk management, we propose layered obfuscation as a promising way to realize reliable software obfuscation. Our concept is based on the fact that real-world software is usually complicated. Merely applying one or several obfuscation approaches in an ad-hoc way cannot achieve good obscurity. Layered obfuscation, on the other hand, aims to mitigate the risks of reverse software engineering by integrating different obfuscation techniques as a whole solution. In the paper, we conduct a systematic review of existing obfuscation techniques based on the idea of layered obfuscation and develop a novel taxonomy of obfuscation techniques. Following our taxonomy hierarchy, the obfuscation strategies under different branches are orthogonal to each other. In this way, it can assist developers in choosing obfuscation techniques and designing layered obfuscation solutions based on their specific requirements.

show abstract

Testing android malware detectors against code obfuscation: a systematization of knowledge and unified methodology

Cited by 35 publications

References 12 publications

Black Box Analysis of Android Malware Detectors

Black Box Analysis of Android Malware Detectors

Representing string computations as graphs for classifying malware

Layered obfuscation: a taxonomy of software obfuscation techniques for layered security

Contact Info

Product

Resources

About