Monet: A User-oriented Behavior-based Malware Variants Detection System for Android

TL;DR

MONET is a malware detection system for Android that combines runtime behavior analysis with static structures, achieving high accuracy in identifying malware variants and resisting obfuscation techniques with minimal performance impact.

Contribution

This paper introduces MONET, a novel framework that integrates behavior-based and static analysis for effective malware variant detection on Android devices.

Findings

Achieves 99% accuracy in malware variant detection

Resists 10 different obfuscation and transformation techniques

Maintains around 7% performance overhead and 3% battery overhead

Abstract

Android, the most popular mobile OS, has around 78% of the mobile market share. Due to its popularity, it attracts many malware attacks. In fact, people have discovered around one million new malware samples per quarter, and it was reported that over 98% of these new malware samples are in fact "derivatives" (or variants) from existing malware families. In this paper, we first show that runtime behaviors of malware's core functionalities are in fact similar within a malware family. Hence, we propose a framework to combine "runtime behavior" with "static structures" to detect malware variants. We present the design and implementation of MONET, which has a client and a backend server module. The client module is a lightweight, in-device app for behavior monitoring and signature generation, and we realize this using two novel interception techniques. The backend server is responsible for large scale malware detection. We collect 3723 malware samples and top 500 benign apps to carry out extensive experiments of detecting malware variants and defending against malware transformation. Our experiments show that MONET can achieve around 99% accuracy in detecting malware variants. Furthermore, it can defend against 10 different obfuscation and transformation techniques, while only incurs around 7% performance overhead and about 3% battery overhead. More importantly, MONET will automatically alert users with intrusion details so to prevent further malicious behaviors.