UpDroid: Updated Android Malware and

Its Familial Classification

Kursat Aktas, Assoc. Prof. Sevil Sen

WISE Lab.Hacettepe University

Mobile Security

📫 New mobile variants.

- Android is among the most targeted platforms by attackers.

- Mobile devices are usually protected by static analysis-based solutions. - Vulnerable to new attacks.- Vulnerable to new variants of existing attacks.

Updating

o One of the most effective evasion strategies.

Update attackso Does not contain any malicious code at the

installation phase.o Add its malicious code at runtime.

UpDroid: Updated Android Malware

Collecting AppsKoodous oRecently submitted applications oNot detected by other analysists oContaining at least on loading activityoCollected 11490 apps

ApkpureoMost popular apps from each categoryoCollected 6299 apps

Analysis of Apps

Each app is run for 15 minutes.DroidBox outputs are collected.

Three filtering mechanism1. loading + data leakage2. loading + malicious network connection3. native code loading signature + data leakage or malicious network connection

Dataset Validationsending potential candidate update attacks to VirusTotal.

oDetected more than 10 Avs.oIts dominant label belonging to an updated attack family.o82.66% of candidates confirmed as updated attacks.o7.1% of all connected samples missed our filtering mechanisms.

UpDroid Overview

21 malware families, 2479 malware samples

Family Classification

o Mobile malware variants are on the rise.o Commercial AVs are not reliable.

o Minimize the number of samples to be analysed.

o Help to decrease the analysis time.

Static + Dynamic features

Family Classification Results

Static Analysis-Based Approaches

Confusion Matrix for the Last5Y dataset

Conclusion

A new dataset, UpDroid is introduced.

Acknowledgement

This study is supported by TUBITAK (the project 115E150).

THE SCIENTIFIC AND TECHNOLOGICAL RESEARCH COUNCIL OF TURKEY