Light up that Droid! On the Effectiveness of Static Analysis Features against App Obfuscation for Android Malware Detection
Borja Molina-Coronado, Antonio Ruggia, Usue Mori, Alessio Merlo, Alexander Mendiburu, Jose Miguel-Alonso

TL;DR
This paper evaluates how different obfuscation techniques impact static analysis features used in Android malware detection and proposes a more robust ML-based detector.
Contribution
It assesses the resilience of static analysis features against obfuscation and introduces a new ML detector that maintains high accuracy despite obfuscation.
Findings
Obfuscation affects static features variably across tools
Some features remain effective for detection despite obfuscation
The proposed detector outperforms existing methods
Abstract
Malware authors have seen obfuscation as the means to bypass malware detectors based on static analysis features. For Android, several studies have confirmed that many anti-malware products are easily evaded with simple program transformations. As opposed to these works, ML detection proposals for Android leveraging static analysis features have also been proposed as obfuscation-resilient. Therefore, it needs to be determined to what extent the use of a specific obfuscation strategy or tool poses a risk for the validity of ML malware detectors for Android based on static analysis features. To shed some light in this regard, in this article we assess the impact of specific obfuscation techniques on common features extracted using static analysis and determine whether the changes are significant enough to undermine the effectiveness of ML malware detectors that rely on these features. The…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting
