Andro-profiler: Detecting and Classifying Android Malware based on Behavioral Profiles

TL;DR

Andro-profiler is a hybrid behavior-based system that detects and classifies Android malware with over 98% accuracy by analyzing system call logs generated in emulated environments, including zero-day threats.

Contribution

It introduces a novel hybrid analysis approach that combines behavior profiling from system logs for effective malware detection and classification, including zero-day samples.

Findings

Achieves over 98% detection accuracy.

Outperforms existing malware classification methods.

Capable of identifying zero-day malware samples.

Abstract

Mass-market mobile security threats have increased recently due to the growth of mobile technologies and the popularity of mobile devices. Accordingly, techniques have been introduced for identifying, classifying, and defending against mobile threats utilizing static, dynamic, on-device, off-device, and hybrid approaches. In this paper, we contribute to the mobile security defense posture by introducing Andro-profiler, a hybrid behavior based analysis and classification system for mobile malware. Andro-profiler classifies malware by exploiting the behavior profiling extracted from the integrated system logs including system calls, which are implicitly equivalent to distinct behavior characteristics. Andro-profiler executes a malicious application on an emulator in order to generate the integrated system logs, and creates human-readable behavior profiles by analyzing the integrated system logs. By comparing the behavior profile of malicious application with representative behavior profile for each malware family, Andro-profiler detects and classifies it into malware families. The experiment results demonstrate that Andro-profiler is scalable, performs well in detecting and classifying malware with accuracy greater than $98\%$, outperforms the existing state-of-the-art work, and is capable of identifying zero-day mobile malware samples.