Obfuscated Malware Detection in IoT Android Applications Using Markov Images and CNN

Abstract

The threat of malware in the Internet of Things (IoT) is ever-present given that many IoT systems today rely on the Android operating system. There has been a consistent rise in Android malware recently, with new variants adopting sophisticated detection avoidance techniques, including various forms of obfuscation. Hence, there is a need to improve the effectiveness of Android malware detection as obfuscation becomes more prevalent in the wild. In this article, we present a novel approach for obfuscated malware detection in IoT Android applications based on the visualization of app executables with Markov images. The app images are trained using a convolutional neural network (CNN) to detect obfuscated malware and for the identification of the obfuscation type. We evaluate the performance of the proposed system by experimenting with four different classification models using 12000 Android applications. The CNN model created to distinguish between malware and benign apps obtained an accuracy of 99.41%. The model for identifying obfuscated malware from benign applications obtained 99.65% accuracy while the model created to identify obfuscated malware from non-obfuscated malware yielded an accuracy of 99.81%. The model for classifying obfuscated malware into 14 different obfuscation categories obtained an accuracy of 99.67%. These results show that CNN models trained from Markov images generated using application byte code can be highly effective for obfuscated malware detection and classification. Moreover, our proposed system provides a more sustainable and cost-effective method for obfuscated malware detection compared to the manual feature-engineering-based approaches that are more prevalent in the current literature.