Screening smartphone applications using malware family signatures

The sharp increase in smartphone malware has become one of the most serious security problems. Since the Android platform has taken the dominant position in smartphone popularity, the number of Android malware has grown correspondingly and represents critical threat to the smartphone users. This rise in malware is primarily attributable to the occurrence of variants of existing malware. A set of variants stem from one malware can be considered as onemalware family, andmalware families covermore thanhalf of theAndroid malware population. A conventional technique for defeatingmalware is the use of signature matchingwhich is efficient froma timeperspectivebutnot verypractical becauseof its lackof robustness against the malware variants. As a counter approach for handling the issue of variants behavior analysis techniques have been proposed but require extensive time and resources. In this paper, we propose an Android malware detection mechanism that uses automated family signature extraction and family signature matching. Key concept of the mechanism is to extract a set of family representative binary patterns from evaluated family members as a signature and to classify each set of variants into a malware family via an estimation of similarity to the signatures. The proposed family signature and detection mechanism offers more flexible variant detection than does the legacy signature matching, which is strictly dependent on the presence of a specific string. Furthermore, compared with the previous behavior analysis techniques considering family detection, the proposed family signature has higher detection accuracywithout the need for the significant overhead of data and control flowanalysis.Using theproposed signature,we candetect newvariants of known malware efficiently and accurately by static matching. We evaluated our mechanism with 5846 realworldAndroidmalware samplesbelonging to48 families collected inApril 2014 at an anti-virus company; experimental results showedthat; ourmechanismachievedgreater than 97%accuracy indetection of variants.Wealso demonstrated that themechanismhas a linear time complexity with the number of target applications. © 2015 Elsevier Ltd. All rights reserved.