The daily amount of Android malicious applications (apps) targeting the app repositories is increasing, and their number is overwhelming the process of fingerprinting. To address this issue, we propose an enhanced Cypider framework, a set of techniques and tools aiming to perform a systematic detection of mobile malware by building a scalable and obfuscation resilient similarity network infrastructure of malicious apps. Our approach is based on our proposed concept, namely malicious community, in which we consider malicious instances that share common features are the most likely part of the same malware family. Using this concept, we presumably assume that multiple similar Android apps with different authors are most likely to be malicious. Specifically, Cypider leverages this assumption for the detection of variants of known malware families and zero-day malicious apps. Cypider applies community detection algorithms on the similarity network, which extracts sub-graphs considered as suspicious and possibly malicious communities. Furthermore, we propose a novel fingerprinting technique, namely community fingerprint, based on a one-class machine learning model for each malicious community. Besides, we proposed an enhanced Cypider framework, which requires less memory, ≈ x650%, and less time to build the similarity network, ≈ x700, compared to the original version, without affecting the fingerprinting performance of the framework. We introduce a systematic approach to locate the best threshold on different feature content vectors, which simplifies the overall detection process. Cypider shows excellent results by detecting 60%−80% coverage of the malware dataset in one detection iteration with higher precision 85%−99% in the detected malicious communities. On the other hand, the community fingerprints are promising as we achieved 86%, 93%, and 94% in the detection of the malware family, general malware, and benign apps respectively.
Read full abstract