HomDroid: Detecting Android Covert Malware by Social-Network Homophily Analysis

TL;DR

HomDroid is a novel method that detects Android covert malware by analyzing call graph homophily, achieving high detection accuracy and addressing challenges posed by malware that camouflages malicious behavior within benign code.

Contribution

This paper introduces the first dataset of covert malware and proposes HomDroid, a static analysis approach leveraging call graph homophily to detect covert malware effectively.

Findings

Detects 96.8% of covert malware

Outperforms state-of-the-art systems in false negative rates

Provides a new dataset for covert malware research

Abstract

Android has become the most popular mobile operating system. Correspondingly, an increasing number of Android malware has been developed and spread to steal users' private information. There exists one type of malware whose benign behaviors are developed to camouflage malicious behaviors. The malicious component occupies a small part of the entire code of the application (app for short), and the malicious part is strongly coupled with the benign part. In this case, the malware may cause false negatives when malware detectors extract features from the entire apps to conduct classification because the malicious features of these apps may be hidden among benign features. Moreover, some previous work aims to divide the entire app into several parts to discover the malicious part. However, the premise of these methods to commence app partition is that the connections between the normal part and the malicious part are weak. In this paper, we call this type of malware as Android covert malware and generate the first dataset of covert malware. To detect them, we first conduct static analysis to extract the call graphs. Through the deep analysis on graphs, we observe that although the correlations between the normal part and the malicious part in these graphs are high, the degree of these correlations has a distribution. Based on the observation, we design HomDroid to detect covert malware by analyzing the homophily of call graphs. We identify the ideal threshold of correlation to distinguish the normal part and the malicious part based on the evaluation results on a dataset of 4,840 benign apps and 3,385 covert malicious apps. According to our evaluation results, HomDroid is capable of detecting 96.8% of covert malware while the False Negative Rates of another four state-of-the-art systems (i.e., PerDroid, Drebin, MaMaDroid, and IntDroid) are 30.7%, 16.3%, 15.2%, and 10.4%, respectively.