Conditional Context-Aware Detection for Android Malicious Virtualization Apps
Android virtualization applications are host applications that support dynamic loading of the functional modules users require, delivered in the form of plugins. Malicious developers exploit this application feature to hide their real attack intents in plugin applications, so that detection run against the host application is evaded. However, plugins are numerous and difficult to obtain and analyze, and existing pattern-based detection solutions for Android malicious virtualization applications suffer from a limited range of detectable application types. We propose a method based on the contexts of conditional statements for detecting Android malicious virtualization applications and implement a prototype tool named MVFinder. The method takes the contextual environment in the code of an Android virtualization application that triggers the loading or calling behaviors of plugin programs as the entry point for uncovering hidden maliciousness, which avoids spending large amounts of resources on trying to obtain different kinds of plugin programs in real time or on parsing the loading and running mode of the plugins one by one. At the same time, the method leverages anomaly detection to discover data samples that differ significantly from the conditional contexts of most benignware, and thus identifies the targeted malware, which avoids the limitations of detection with predefined rules. The experimental results show that this method outperforms the current representative schemes, including VAHunt, Drebin, and Difuzer, in accuracy and F1 score for detecting Android malicious virtualization applications. Compared to VAHunt, MVFinder achieves identification of variants of the HummingBad and PluginPhantom malicious application families.
Keywords: mobile security; Android virtualization applications; malicious code; contextual information; static analysis; outlier detection
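As an added illustration of the idea in this abstract (not MVFinder's code, and not the paper's feature set or detector): each app is reduced to the tokens of the predicates that guard its plugin load or call sites, and an app is flagged when its guard tokens lie farther from the benign samples than any benign sample lies from the rest. The sample contexts, the tokenizer and the k-nearest-neighbour Jaccard score are all assumptions made for this example.

```python
import re

# Constructed sample data (not from the paper): for each app, the predicates of the
# if/switch statements that guard a plugin load or plugin call site in its host code.
BENIGN_CONTEXTS = {
    "app_a": ["isPluginInstalled(name)", "pluginVersion < latestVersion", "network.isConnected()"],
    "app_b": ["isPluginInstalled(name)", "userEnabled(feature)", "network.isConnected()"],
    "app_c": ["pluginVersion < latestVersion", "userEnabled(feature)", "signatureValid(plugin)"],
    "app_d": ["isPluginInstalled(name)", "signatureValid(plugin)", "network.isConnected()"],
}
UNKNOWN_CONTEXTS = {
    "app_x": ["!isEmulator()", "daysSinceInstall > 3", "!isDebuggerConnected()"],  # evasive guards
    "app_y": ["isPluginInstalled(name)", "userEnabled(feature)", "signatureValid(plugin)"],  # benign mix
}

# A token is a call name with its '(', an identifier, a comparison/negation operator, or a number.
TOKEN_RE = re.compile(r"[A-Za-z_][\w.]*\(?|[<>=!]=?|\d+")

def featurize(predicates):
    """Bag of guard tokens describing one app's conditional context (assumed feature set)."""
    return frozenset(tok for p in predicates for tok in TOKEN_RE.findall(p))

def jaccard_distance(a, b):
    """1 - |a & b| / |a | b|; two empty contexts are identical."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)

def knn_score(sample, baseline, k=2):
    """Mean Jaccard distance from `sample` to its k nearest baseline contexts."""
    dists = sorted(jaccard_distance(sample, b) for b in baseline)
    return sum(dists[:k]) / k

def benign_threshold(benign, k=2):
    """Leave-one-out: the largest score any benign context gets against the remaining benign ones."""
    feats = [featurize(p) for p in benign.values()]
    return max(knn_score(f, feats[:i] + feats[i + 1:], k) for i, f in enumerate(feats))

def detect(unknown, benign, k=2):
    """Return {app: (score, flagged)}; flagged when the context lies beyond the benign spread."""
    baseline = [featurize(p) for p in benign.values()]
    thr = benign_threshold(benign, k)
    result = {}
    for app, preds in unknown.items():
        score = knn_score(featurize(preds), baseline, k)
        result[app] = (score, score > thr)
    return result

if __name__ == "__main__":
    for app, (score, flagged) in detect(UNKNOWN_CONTEXTS, BENIGN_CONTEXTS).items():
        print(f"{app}: score={score:.3f} flagged={flagged}")
```

With this data the benign leave-one-out threshold is 0.75; app_y merely recombines guards seen in benignware and stays below it, while app_x's emulator, debugger and install-age guards share no token with any benign context and is flagged.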