Malware developers are increasingly using advanced techniques to defeat malware detection tools. One such technique commonly observed in recent malware samples consists of hiding and obfuscating modules containing malicious functionality in places that static analysis tools overlook. In this paper, we describe a dynamic analysis approach for detecting such hidden or obfuscated malware components distributed as parts of an app package. The key idea is to analyze the behavioral differences between the original app and a number of automatically generated versions of it, where a number of modifications (faults) have been carefully injected. The resulting differential signature is analyzed through a pattern-matching process driven by rules that relate different types of hidden functionalities with patterns found in the signature. A thorough justification and a description of the proposed model are provided.