Identifying android malicious repackaged applications by thread-grained system call sequences

Ying-Dar Lin, Yuan Cheng Lai*, Chien Hung Chen, Hao Chuan Tsai

*Corresponding author for this work

Research output: Contribution to journalArticle

62 Scopus citations

Abstract

Android security has become highly desirable since adversaries can easily repackage malicious codes into various benign applications and spread these malicious repackaged applications (MRAs). Most MRA detection mechanisms on Android focus on detecting a specific family of MRAs or requiring the original benign application to compare with the malicious ones. This work proposes a new mechanism, SCSdroid (System Call Sequence Droid), which adopts the thread-grained system call sequences activated by applications. The concept is that even if MRAs can be camouflaged as benign applications, their malicious behavior would still appear in the system call sequences. SCSdroid extracts the truly malicious common subsequences from the system call sequences of MRAs belonging to the same family. Therefore, these extracted common subsequences can be used to identify any evaluated application without requiring the original benign application. Experimental results show that SCSdroid falsely detected only two applications among 100 evaluated benign applications, and falsely detected only one application among 49 evaluated malicious applications. As a result, SCSdroid achieved up to 95.97% detection accuracy, i.e., 143 correct detections among 149 applications.

Original languageEnglish
Pages (from-to)340-350
Number of pages11
JournalComputers and Security
Volume39
Issue numberPART B
DOIs
StatePublished - 11 Sep 2013

Keywords

  • Android
  • Dynamic analysis
  • Longest common substring
  • Malicious repackaged applications
  • System call

Cite this