Abstract

The growing penetration of malicious applications into the Android market has increased the importance of designing malware mitigation systems for Android. Malware detection systems are built by examining applications with static and dynamic analysis techniques. Because many static analysis schemes can be evaded by code obfuscation, obfuscation has underlined the importance of dynamic analysis. To record the actual runtime behaviour of an application, this study presents a volatile-memory-based solution for application analysis. Time-based memory dumps are collected after interacting with the application. Process-specific artifacts of the application under analysis are extracted by examining the kernel task structure in memory. The features of the kernel task structure fall into nine broad categories based on their semantics. An important contribution of the study is the analysis of the kernel task structure to determine the set of effective categories and features for Android malware categorization; the three most important categories and fourteen valuable features are reported. The proposed system categorizes applications into five classes: adware, banking Trojans, riskware, SMS Trojans, and benign. It categorizes applications with an average F1-score of 0.984, the highest score reported so far for multiclass Android malware categorization using a minimum number of kernel task structure-based features.
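The pipeline sketched above (time-based memory dumps, per-process kernel task structure fields grouped into semantic categories, a five-class categorizer scored by average F1) can be made concrete with a small worked example. The code below is an added illustration, not the paper's implementation: the field names are real Linux task_struct/mm_struct members, but the grouping into two categories, the aggregation rule (growth across dumps plus mean), the sample dump values and the prediction vector are all constructed here for demonstration. The paper uses nine categories and fourteen selected features; this example does not reproduce that list.

```python
"""Added example: aggregating per-dump kernel task_struct fields into
per-application features and scoring a five-class categorizer with
macro-averaged F1. Illustrative code, not the paper's own."""
from statistics import mean

# Assumed grouping of task_struct/mm_struct counters into semantic categories.
# The paper reports nine categories; these two are illustrative only.
CATEGORIES = {
    "scheduling": ["nvcsw", "nivcsw", "utime", "stime"],   # context switches, CPU time
    "memory":     ["min_flt", "maj_flt", "total_vm", "rss"],  # page faults, address space
}

# The five classes named in the abstract.
CLASSES = ["adware", "banking_trojan", "riskware", "sms_trojan", "benign"]

# Constructed sample: three time-based dumps of one process, in capture order.
SAMPLE_DUMPS = [
    {"nvcsw": 100, "nivcsw": 10, "utime": 50, "stime": 20,
     "min_flt": 200, "maj_flt": 2, "total_vm": 1000, "rss": 300},
    {"nvcsw": 150, "nivcsw": 12, "utime": 70, "stime": 25,
     "min_flt": 260, "maj_flt": 3, "total_vm": 1100, "rss": 320},
    {"nvcsw": 200, "nivcsw": 15, "utime": 90, "stime": 30,
     "min_flt": 320, "maj_flt": 4, "total_vm": 1200, "rss": 340},
]


def aggregate_dumps(dumps):
    """Turn a sequence of task_struct snapshots into one feature vector.

    For every field we keep its growth over the interaction window
    (last - first) and its mean, so a classifier sees behaviour over time
    rather than a single point-in-time value."""
    if len(dumps) < 2:
        raise ValueError("need at least two time-based dumps")
    feats = {}
    for cat, fields in CATEGORIES.items():
        for f in fields:
            series = [d[f] for d in dumps]
            feats[f"{cat}.{f}.delta"] = series[-1] - series[0]
            feats[f"{cat}.{f}.mean"] = mean(series)
    return feats


def category_subset(feats, categories):
    """Keep only features from the chosen categories (category-level selection)."""
    return {k: v for k, v in feats.items() if k.split(".")[0] in categories}


def macro_f1(y_true, y_pred, classes):
    """Macro-averaged F1: per-class F1 computed one-vs-rest, then averaged."""
    scores = []
    for c in classes:
        tp = sum(1 for t, p in zip(y_true, y_pred) if t == c and p == c)
        fp = sum(1 for t, p in zip(y_true, y_pred) if t != c and p == c)
        fn = sum(1 for t, p in zip(y_true, y_pred) if t == c and p != c)
        prec = tp / (tp + fp) if tp + fp else 0.0
        rec = tp / (tp + fn) if tp + fn else 0.0
        scores.append(2 * prec * rec / (prec + rec) if prec + rec else 0.0)
    return sum(scores) / len(scores)


# Constructed labels: two samples per class, one riskware sample misclassified.
Y_TRUE = [c for c in CLASSES for _ in range(2)]
Y_PRED = list(Y_TRUE)
Y_PRED[4] = "adware"  # first riskware sample predicted as adware


if __name__ == "__main__":
    feats = aggregate_dumps(SAMPLE_DUMPS)
    print("memory-only features:", category_subset(feats, {"memory"}))
    print("macro F1:", round(macro_f1(Y_TRUE, Y_PRED, CLASSES), 4))
```

With the constructed labels, adware gets a spurious prediction (precision 2/3) and riskware loses one true sample (recall 1/2), so the macro F1 is (0.8 + 1 + 2/3 + 1 + 1) / 5, noticeably below a per-sample accuracy of 0.9; that sensitivity to individual class confusions is why macro F1 is a stricter summary than accuracy for a five-class categorizer.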
