CR, Jun 17, 2015

Dexteroid: Detecting Malicious Behaviors in Android Apps Using Reverse-Engineered Life Cycle Models

arXiv:1506.05217v2, 42 citations
Originality: Incremental advance
AI Analysis

The paper addresses the problem of improving malware detection for Android users and developers; it offers an incremental enhancement over prior static analysis methods.

The paper tackles the detection of sophisticated Android malware that evades existing static analysis tools. It introduces Dexteroid, a framework that uses reverse-engineered life cycle models to capture app behaviors and to detect attacks triggered by specific event sequences. Evaluated against FlowDroid on datasets of 1526 Google Play apps and 1259 malware apps, Dexteroid is reported to be effective and efficient in terms of precision, recall, and execution time.

The amount of Android malware has increased greatly during the last few years. Static analysis is widely used in detecting such malware by analyzing the code without executing it. The effectiveness of current tools relies on the app model as well as on the malware detection algorithm that analyzes the app model. If the model or the algorithm is inadequate, then sophisticated attacks that are triggered by specific sequences of events will not be detected. This paper presents a static analysis framework called Dexteroid, which uses reverse-engineered life cycle models to accurately capture the behaviors of Android components. Dexteroid systematically derives event sequences from the models and uses them to detect attacks launched by a specific ordering of events. A prototype implementation of Dexteroid detects two types of attacks: (1) leakage of private information, and (2) sending SMS to premium-rate numbers. A series of experiments is conducted on 1526 Google Play apps, 1259 Genome Malware apps, and a suite of benchmark apps called DroidBench, and the results are compared with a state-of-the-art static analysis tool called FlowDroid. The evaluation results show that the proposed framework is effective and efficient in terms of precision, recall, and execution time.
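As an added illustration of why the ordering of life-cycle events matters for leak detection (this is not code from the paper or from the Dexteroid project): a constructed, simplified Activity life-cycle model, a bounded enumeration of the callback sequences it permits, and a toy field-sensitive taint check over a constructed app whose leak only shows up when onPause has run before a later onResume. The callback names follow the documented Android Activity life cycle; the model shape, the app and the statement vocabulary are assumptions made for this example.

```python
# Constructed, simplified Activity life-cycle model: callback -> callbacks that may follow it.
# Shape follows the documented Android Activity life cycle; it is NOT the paper's model.
LIFECYCLE = {
    "onCreate": ["onStart"], "onStart": ["onResume"], "onResume": ["onPause"],
    "onPause": ["onResume", "onStop"], "onStop": ["onRestart", "onDestroy"],
    "onRestart": ["onStart"], "onDestroy": [],
}

# Constructed toy app: each callback is a list of statements over locals and persistent fields.
# The leak exists only when onPause (which stores tainted data in a field) runs before onResume.
APP = {
    "onCreate": [], "onStart": [], "onStop": [], "onRestart": [], "onDestroy": [],
    "onPause": [("source", "loc"), ("store", "f_loc", "loc")],   # loc = getLocation(); f_loc = loc
    "onResume": [("load", "x", "f_loc"), ("sink", "x")],         # x = f_loc; sendTextMessage(x)
}

# The single linear ordering a naive model might assume; it never runs onPause before onResume.
LINEAR = ("onCreate", "onStart", "onResume", "onPause", "onStop", "onDestroy")

def event_sequences(model, start="onCreate", max_len=6):
    """Enumerate every callback ordering of bounded length that the model permits."""
    out = []
    def walk(path):
        out.append(tuple(path))
        if len(path) < max_len:
            for nxt in model[path[-1]]:
                walk(path + [nxt])
    walk([start])
    return out

def leaks_along(sequence, app):
    """Field-sensitive taint check: fields keep taint across callbacks, locals do not."""
    tainted_fields = set()
    for cb in sequence:
        tainted_locals = set()
        for stmt in app[cb]:
            op = stmt[0]
            if op == "source":
                tainted_locals.add(stmt[1])
            elif op == "store" and stmt[2] in tainted_locals:
                tainted_fields.add(stmt[1])
            elif op == "load" and stmt[2] in tainted_fields:
                tainted_locals.add(stmt[1])
            elif op == "sink" and stmt[1] in tainted_locals:
                return True
    return False

def leaking_sequences(model, app, max_len=6):
    """All permitted orderings (up to max_len callbacks) along which tainted data reaches a sink."""
    return [s for s in event_sequences(model, max_len=max_len) if leaks_along(s, app)]
```

The linear ordering reports no leak, while the enumerated sequences expose it as soon as onPause precedes a second onResume, which is the class of ordering-dependent behavior the abstract describes.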
