Abstract

Android remains an interesting target for attackers due to its openness. One contribution in the literature is the use of similarity measurement, such as fuzzy hashing, to counter code obfuscation techniques. Research following this approach suffers from a limited signature database. This work combines fuzzy hashing with YARA rules and VirusTotal signature-based schemes to improve the consistency of the signature database. We propose LimonDroid, an Android system that mimics Limon, a desktop security tool that includes such schemes. LimonDroid has been tested with 341 malicious and 300 benign applications against a database of 12925 fuzzy-hashed malware signatures, 62 YARA malware families' patterns and the VirusTotal engine. Our approach gives a true-positive rate of 97.36%, a true-negative rate of 98.33% and an accuracy of 97.82%. A comparison with similarity-based solutions reveals that LimonDroid is more efficient for users. The objective is not to propose a detection approach better than those in the literature. Instead, we aim to establish a robust signature database able to identify malicious trends in Android apps.
