
Detecting Android Obfuscated Malicious Applications

Posted on: 2020-04-11
Degree: Master
Type: Thesis
Country: China
Candidate: M C Zhao
GTID: 2428330578954824
Subject: Information security

Abstract/Summary:
In recent years, the Android system has dominated the mobile device market because of its openness and high cost-effectiveness. However, malicious applications (apps) emerge endlessly, seriously threatening users' privacy and property security. The security of Android apps has therefore gained more and more attention. Research on the detection of malicious Android apps has arisen in response, and static analysis is the main detection method. In recent years, however, obfuscation technology has been widely used in Android apps. For legitimate developers, obfuscation protects their intellectual property from infringement, while developers of malicious apps apply it to make reverse engineering harder or to hide malicious code using reflection in order to avoid static analysis. Android obfuscation technology is therefore a double-edged sword: obfuscated Android apps include both benign and malicious apps. In addition, the advent of 5G makes the security of mobile devices even more prominent. How to effectively detect obfuscated malicious apps in the market is thus a significant and urgent problem. At present, detection and analysis methods for obfuscated malicious apps suffer from two problems: obfuscated data sets do not exist, and static analysis techniques are inefficient. To solve these problems, in this work we construct a dynamic detection method that consists of two parts: obfuscated app detection and malicious app detection. The research work is summarized as follows:

(1) Comprehensive summary of obfuscation technologies: The obfuscation technologies of Android apps are complex and diverse, and apps obfuscated by different technologies usually have different features. By distinguishing the obfuscation techniques used by obfuscated apps, distinctive and targeted features can be extracted for detecting obfuscated malicious apps, so as to improve detection efficiency. Therefore, we first comprehensively summarize the popular Android obfuscation technologies, including identifier renaming, string encryption, control flow obfuscation, Java reflection and packaging. Then, in order to evaluate the effect of detection on obfuscation technology, we download the source files of many Android apps from the Android open source market and obfuscate them using three different obfuscation techniques. In the end we obtain 3 pure obfuscated app data sets: 375 apps obfuscated by identifier renaming, 342 apps with string encryption and 338 apps with control flow obfuscation.

(2) Obfuscated apps detection: Effective detection of obfuscated malicious apps depends on pure obfuscated data sets, so we propose a method for detecting obfuscated apps. As part of obfuscation detection, we first construct 3 detectors, one for each obfuscation technology: an identifier renaming detector, a string encryption detector and a control flow obfuscation detector. We then employ a Support Vector Machine (SVM) to classify the apps, and the detectors reach accuracies of 90.91%, 88.47% and 78.96% respectively. An unknown Android app is classified as obfuscated if it is obfuscated by any of these obfuscation technologies. Finally, using the obfuscated app detection method, we screen out 778 and 712 obfuscated apps from 1315 benign apps and 1288 malicious apps respectively, and we use these obfuscated apps as the data set for malicious app detection.

(3) Obfuscated malicious apps detection: To address the problem of obfuscated apps avoiding static analysis, we construct a dynamic method to detect obfuscated malicious apps. We install and execute the apps in Android simulators to analyze their behavior characteristics. We select 12 kinds of commonly used dynamic features and add 2 new features in consideration of the special characteristics of obfuscated apps. Finally, we construct 3 supervised learning models, namely SVM, Decision Tree (DT) and Random Forest (RF), to evaluate the effectiveness of our method. They achieve accuracies of 93.49%, 91.89% and 93.03% respectively. The experimental results demonstrate the effectiveness of our method for detecting obfuscated malicious apps.
Keywords/Search Tags:Android Application Security, Dynamic Analysis, Obfuscated Applications Detection, Obfuscation Technology, Malicious Applications Detection