Research Centre

[IEEE TrustCom 2015] Identifying Unknown Android Malware with Feature Extractions and Classification Techniques

This paper was presented at IEEE TrustCom in August 2015.

Android malware unfortunately have little dif- ficulty to sneak in marketplaces. While known malware and their variants are nowadays quite well detected by anti-virus scanners, new unknown malware, which are fundamentally different from others (e.g. ”0-day”), remain an issue. To discover such new malware, the SherlockDroid frame- work filters masses of applications and only keeps the most likely to be malicious for future inspection by anti-virus teams. Apart from crawling applications from marketplaces, SherlockDroid extracts code-level features, and then classifies unknown applications with Alligator. Alligator is a classifica- tion tool that efficiently and automatically combines several classification algorithms. To demonstrate the efficiency of our approach, we have extracted properties and classified over 600,000 applica- tions during two crawling campaigns in July 2014 and October 2014, with the detection of one new malware, Android/Odpa.A!tr.spy, and two new riskware. With other findings, this increases SherlockDroid’s ”Hall of Shame” to 9 totally unknown malware and potentially unwanted applications.