Characterization of Android malware based on subgraph isomorphism
Alain Menelet, Charles-Edmond Bichot (LIRIS, ECL)

TL;DR
This paper presents a method for detecting Android malware by analyzing opcode n-grams and using subgraph isomorphism to compare code structures, achieving high detection accuracy without complex dynamic analysis.
Contribution
It introduces a novel approach combining opcode n-gram analysis with subgraph isomorphism for precise malware detection and classification.
Findings
Achieves near-perfect detection rate on test datasets.
Effectively classifies malware into different families.
Operates efficiently without dynamic analysis environments.
Abstract
The Android operating system is the most widespread mobile platform in the world. Therefore attackers are producing an incredible number of malware applications for Android. Our aim is to detect Android malware in order to protect the user. Very good results are obtained by dynamic analysis of software, but it requires complex environments. In order to achieve the same level of precision, we analyze the machine code and investigate the frequencies of n-grams of opcodes in order to detect singular code blocks. This allows us to construct a database of infected code blocks. Then, because attackers may modify the injected infected code and organize it differently in their new malware, we perform not only a semantic comparison of the tested software with the database of infected code blocks but also a structural comparison. To do such a comparison we compute subgraph isomorphism. It allows…
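As an added illustration of the two comparisons the abstract describes (this is not the paper's code; the n-gram length, the Jaccard similarity, the match threshold and the block-graph layout are all assumptions made here), the following builds per-block opcode n-gram frequencies, then searches for a known infected block graph inside a test app's block graph by backtracking subgraph matching, tolerating inserted blocks and opcodes:

```python
from collections import Counter
N, SIM_THRESHOLD = 2, 0.5  # n-gram length and block-match threshold (both assumed; not given on this page)

def opcode_ngrams(opcodes, n=N):
    """Frequency table of opcode n-grams for one code block."""
    return Counter(tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1))

def block_similarity(a, b, n=N):
    """Jaccard similarity of two blocks' n-gram sets: the semantic comparison."""
    ga, gb = set(opcode_ngrams(a, n)), set(opcode_ngrams(b, n))
    return len(ga & gb) / len(ga | gb) if (ga or gb) else 1.0

def find_embedding(pattern, target, threshold=SIM_THRESHOLD):
    """Backtracking subgraph monomorphism (the structural comparison): map each pattern block to a
    distinct target block with similarity >= threshold so that every pattern edge lands on a target edge.
    Extra target blocks/edges are allowed, so inserted or reordered code cannot hide a match. Returns
    the mapping or None. Graphs are {"blocks": {id: [opcode, ...]}, "edges": {(src, dst), ...}}."""
    order = list(pattern["blocks"])
    def consistent(p, g, mapping):  # edges between p and already-mapped blocks must exist in target
        return all(((q, p) not in pattern["edges"] or (h, g) in target["edges"]) and
                   ((p, q) not in pattern["edges"] or (g, h) in target["edges"])
                   for q, h in mapping.items())
    def backtrack(i, mapping):
        if i == len(order):
            return dict(mapping)
        p = order[i]
        for g, ops in target["blocks"].items():
            if g in mapping.values() or not consistent(p, g, mapping):
                continue
            if block_similarity(pattern["blocks"][p], ops) < threshold:
                continue
            mapping[p] = g
            found = backtrack(i + 1, mapping)
            if found:
                return found
            del mapping[p]
        return None
    return backtrack(0, {})

# Constructed sample data (not from the paper): a three-block infected pattern, and a test app in
# which a benign block b0 was added and one opcode was inserted into block b2.
INFECTED = {"blocks": {"A": ["const-string", "invoke-static", "move-result-object", "if-eqz"],
                       "B": ["invoke-virtual", "move-result", "invoke-static", "return-void"],
                       "C": ["new-instance", "invoke-direct", "invoke-virtual", "goto"]},
            "edges": {("A", "B"), ("A", "C")}}
TEST_APP = {"blocks": {"b0": ["const/4", "move", "return-void"],
                       "b1": ["const-string", "invoke-static", "move-result-object", "if-eqz"],
                       "b2": ["nop", "invoke-virtual", "move-result", "invoke-static", "return-void"],
                       "b3": ["new-instance", "invoke-direct", "invoke-virtual", "goto"]},
            "edges": {("b0", "b1"), ("b1", "b2"), ("b1", "b3"), ("b3", "b0")}}
```

Calling `find_embedding(INFECTED, TEST_APP)` returns `{'A': 'b1', 'B': 'b2', 'C': 'b3'}` despite the extra block and opcode; removing the edge `("b1", "b3")` from the test app makes the structural check fail and the function return `None`.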
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Software Testing and Debugging Techniques
