Abstract

Android malware poses a serious security threat to ordinary mobile users. However, obfuscation techniques can generate malware variants that bypass existing detection methods and significantly reduce detection accuracy. To detect obfuscated Android malware variants, we propose MGOPDroid, an efficient anti-obfuscation Android malware detection system. For different obfuscation technologies, MGOPDroid extracts opcode features at different granularities and combines the TF-IDF algorithm with the difference index of the opcode feature distribution before and after obfuscation to calculate the weight of the opcode features. We then convert the opcode features into sequences according to the opcode encoding mapping rules and convert the sequences into grayscale images to achieve feature visualization. A deep learning detection model combining image enhancement, ResNet, and a global average pooling layer is designed to detect malware variants. In addition, MGOPDroid can be deployed on mobile devices, supports real-time monitoring of application installation and update behavior, and automatically detects malware. Experiments show that the malware detection accuracy is 96.35% for unobfuscated samples and 94.55% for obfuscated malware. Malware family classification accuracy is 95.31%, and after obfuscation the classification accuracy is 89.96%. On mobile devices, the average time to detect a single application is 3.211 s. Compared with previous advanced methods, MGOPDroid has clear advantages in anti-obfuscation effect and efficiency.
