Automatic Investigation Framework for Android Malware Cyber-Infrastructures

TL;DR

This paper introduces ToGather, an automated framework that analyzes Android malware to uncover their malicious cyber infrastructure, providing detailed intelligence to enhance threat mitigation strategies.

Contribution

The paper presents a novel graph-based framework, ToGather, for automatically investigating the Internet infrastructure behind Android malware, addressing a gap in existing detection methods.

Findings

Effective identification of malicious cyber infrastructure

Promising results on real malware samples

Enhanced threat awareness for Android malware

Abstract

The popularity of Android system, not only in the handset devices but also in IoT devices, makes it a very attractive destination for malware. Indeed, malware is expanding at a similar rate targeting such devices that rely, in most cases, on Internet to work properly. The state-of-the-art malware mitigation solutions mainly focus on the detection of the actual malicious Android apps using dy- namic and static analyses features to distinguish malicious apps from benign ones. However, there is a small coverage for the In- ternet/network dimension of the Android malicious apps. In this paper, we present ToGather, an automatic investigation framework that takes the Android malware samples, as input, and produces a situation awareness about the malicious cyber infrastructure of these samples families. ToGather leverages the state-of-the-art graph theory techniques to generate an actionable and granular intelligence to mitigate the threat imposed by the malicious Internet activity of the Android malware apps. We experiment ToGather on real malware samples from various Android families, and the obtained results are interesting and very promising