Tackling Androids Native Library Malware with Robust, Efficient and Accurate Similarity Measures

Kalysch, Anatoli; Milisterfer, Oskar; Protsenko, Mykolai; Müller, Tilo

doi:10.1145/3230833.3232828

Cited by 5 publications

(4 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…1) Malware analysis. For efficient and accurate malware detection, the authors in [33] investigated code reuse in legitimate and malicious mobile apps, and code similarity measurement techniques were improved in [34].…”

Section: Related Workmentioning

confidence: 99%

Smishing Strategy Dynamics and Evolving Botnet Activities in Japan

Saeki

Kitayama

Koga³

et al. 2022

IEEE Access

View full text Add to dashboard Cite

XLoader and FakeSpy, the two major smishing botnets targeting Japan, change their attack strategies over various timescales. Based on recent observations of the botnets and Twitter data, we present empirical facts about their strategies and activity patterns and applied some of these strategic and activity patterns to malware detection and malicious domain detection. All the proposed methods yielded small false positive and negative rates, and are expected to run on user devices owing to their small computational cost. Recent malware detection methods based on traffic analysis extract TCP/IP traffic features if the upper layers of TCP are encrypted. In this study, Frida's hooking capability was employed to decode the upper layers (WebSocket and JSON-RPC) to create a list of all commands flowing over the botnet channel. The command-level traffic analysis presents decisive attack features because commands are transmitted according to strategies developed by the attackers. The proposed malicious domain detection method, on the other hand, exploited the tendency of the attackers to create domains in batches. Previous researchers focused on how benign and malicious domains were registered and used on the name servers. The proposed method, on the other hand, focuses on the arrival rate of SMS messages with URL links. The error rates become significantly small when users do not receive such messages very often.

show abstract

Section: Related Workmentioning

confidence: 99%

Smishing Strategy Dynamics and Evolving Botnet Activities in Japan

Saeki

Kitayama

Koga³

et al. 2022

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Kalysch et al [26] propose a technique based on the centroid of CFGs to measure the similarity between Android native codes. The centroid approach is faster than other approaches for matching CFGs.…”

Section: Related Workmentioning

confidence: 99%

“…Disassembling native code to an intermediate code (e.g., a CFG or MAIL) is a non-trivial problem. The work presented in [26] processes only native code libraries and not native code applications. Moreover, they cannot process Intel x86 and 64 bit ARM native code, because of the limitations of the tools used for disassembling.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

DroidClone: Attack of the android malware clones - a step towards stopping them

Alam

Soğukpınar

2021

COMSIS J

View full text Add to dashboard Cite

Code clones are frequent in use because they can be created fast with little effort and expense. Especially for malware writers, it is easier to create a clone of the original than writing a new malware. According to the recent Symantec threat reports, Android continues to be the most targeted mobile platform, and the number of new mobile malware clones grew by 54%. There is a need to develop techniques and tools to stop this attack of Android malware clones. To stop this attack, we propose DroidClone that exposes code clones (segments of code that are similar) in Android applications to help detect malware. DroidClone is the first such effort uses specific control flow patterns for reducing the effect of obfuscations and detect clones that are syntactically different but semantically similar up to a threshold. DroidClone is independent of the programming language of the code clones. When evaluated with real malware and benign Android applications, DroidClone obtained a detection rate of 94.2% and false positive rate of 5.6%. DroidClone, when tested against various obfuscations, was able to successfully provide resistance against all the trivial (Renaming methods, parameters, and nop insertion, etc) and some non-trivial (Call graph manipulation and function indirection, etc.) obfuscations.

show abstract

Automatic Refactoring

Parsa

2023

Software Testing Automation

View full text Add to dashboard Cite

Tackling Androids Native Library Malware with Robust, Efficient and Accurate Similarity Measures

Cited by 5 publications

References 20 publications

Smishing Strategy Dynamics and Evolving Botnet Activities in Japan

Smishing Strategy Dynamics and Evolving Botnet Activities in Japan

DroidClone: Attack of the android malware clones - a step towards stopping them

Automatic Refactoring

Contact Info

Product

Resources

About