[Retracted] Security Hardened and Privacy Preserved Android Malware Detection Using Fuzzy Hash of Reverse Engineered Source Code

Ali, Hasnat; Batool, Komal; Yousaf, Muhammad; Islam Satti, Muhammad; Naseer, Salman; Zahid, Saleem; Gardezi, Akber Abid; Shafiq, Muhammad; Choi, Jin-Ghoo

doi:https://doi.org/10.1155/2022/7972230

Security and Communication Networks

On this page

Abstract Introduction Related Work Implementation Results Conclusion Data Availability Conflicts of Interest References Copyright Related Articles

Research Article Retraction

!

This article has been Retracted. To view the article details, please click the ‘Retraction’ tab above.

Special Issue

Security Hardened and Privacy Preserved Vehicle-to-Everything (V2X) Communication 2021

View this Special Issue

Research Article | Open Access

Volume 2022 | Article ID 7972230 | https://doi.org/10.1155/2022/7972230

[Retracted] Security Hardened and Privacy Preserved Android Malware Detection Using Fuzzy Hash of Reverse Engineered Source Code

Hasnat Ali,¹Komal Batool,¹Muhammad Yousaf,¹Muhammad Islam Satti,¹Salman Naseer,²Saleem Zahid,³Akber Abid Gardezi,⁴Muhammad Shafiq,⁵and Jin-Ghoo Choi⁵

Academic Editor: Jegatha Deborah

Received26 Apr 2022

Revised15 Jul 2022

Accepted26 Aug 2022

Published12 Sept 2022

Abstract

The risk of malware has increased drastically in recent years due to advances in the IT industry but it also increased the need for malware analysis and prevention. Hackers inject malicious code using awful applications. In this research, a framework is proposed to identify malicious Android applications based on repacked malicious code. The sensitive features of android applications are extracted using source code. These extracted features are compared with existing malware signatures to identify repacked malicious android applications. Experiments are performed using 3490 android-based malware samples belonging to 21 different malware families. A threshold value for malware categorization is defined using fuzzy logic. If the fuzzy comparison match is greater than 40%, the application is malicious. Meanwhile, if the match is greater than 10% and less than 40%, the application is suspicious otherwise benign. Furthermore, the proposed framework presents around 74% of the repacked malware compared to other similar approaches.

1. Introduction

The Usage of the Internet and information sharing is no longer safe for users. With the increase in usage of the Internet and data transmission speed, private users need to secure sensitive information from hackers. Among various cyber-attacks, hackers targeted organizations, and malicious attacks are one of the techniques used to exploit system vulnerabilities. The increase in the use of android smartphones for individuals also increases the android malware and malware attacks. According to the International Data Corporation (ADC) report [1], android holds 86.8% of the total market share in mobile phones and tablets. Juniper networks study [2] states that 92% of mobile malware target the android platform. McAfee collected 2.47 million new mobile malware samples and a total of 3.73 million malware samples in 2019. The increase in malware was nearly 200% till the end of 2017 [3–5]. In [3], 34 applications have their Web pages available in the cache. Additional information such as the approximate number of installs, last updated date, and rating is easily available. Most of these applications were last updated in August and October 2019. These malicious applications have an average rating of 4.4 with an average download of 4.2 to 17.4 million from the Google play store. These applications have different malicious packages like com.picklieapps.player, com.musicalplayer.stonetemples, etc., [6]. Malware is exploiting vulnerabilities in software to infect and control its victims. Therefore, security companies/firms required a framework that could detect malicious programs and protect their customers and their data. In the current era of technology, electronic data has an important role in our lives. The use of android applications for different purposes like banking, carting services, online shopping, etc., are some of the common examples of electronic data. In banking applications, android.banker.A2f8a package is used for android banking malware [4, 7]. This package is designed for stealing login credentials, hijacking SMSs, uploading contact lists and SMSs on a malicious server, displaying an overlay screen (to capture details) on top of legitimate applications, and carrying out other such malicious activities. The manual analysis and classification of these malware samples into families require a lot of human effort and time-consuming activity. Many solutions have been proposed against the security threats mobile phones are facing and are implemented in the paradigm of antivirus [8, 9]. Recently, the malware authors are using the existing malicious code and packages [6] to achieve their goal whereas on the other hand the attackers usually use the existing lawful applications. They inject malicious code into the applications for achieving their goal. Many android applications are found on the android third-party apps store [10] which utilize malicious code with slight changes. The work in [11] diagnoses malicious packages and families concerning different variants of applications of the same family.

In this work, we provide a solution for malware (repacked) detection using static analysis with fuzzy hashes. Two approaches are used for malware analysis, i.e., static analysis [12] and dynamic analysis [13]. In this study, our focus is on the static analysis of malware with the help of fuzzy hashes. Android static analysis [12] judges the behavior of android applications without executing them which is not harmful to an android device. In this technique, reverse engineering of the android application is performed for the inspection of java code. However, android dynamic analysis [13] requires the execution of the android application. In dynamic analysis, the behavior of a malicious entity is observed without installing it on the host machine. Basic dynamic analysis practices include executing the malware and observing its behavior on the host to eliminate the infection and produce effective signatures. The advanced dynamic analysis uses a debugger to inspect the internal state of a running malicious application [5]. In this work, we have used the static analysis technique for code inspection and sensitive feature identification.

The main contributions of this work are as follows:(1)A framework is proposed to identify malicious Android applications based on repacked malicious code. After performing the static analysis on the android malware dataset [14], we find that 71.11% of malware is repacked.(2)A promising threshold value is identified for android malware detection.

The remaining paper is organized as follows. Section 2 provides an overview of related work. Section 3 covers the proposed methodology used for malware classification. The implementation of our proposed solution is discussed in Section 4. Section 5 presents the results and Section 6 concludes this study.

Information security is one of the hot topics nowadays and a lot of work has been done in this field. As our major focus is on android devices so we analyzed the related work of malware analysis for android devices. The static analysis of android malware detection with machine learning was discussed in [13, 15–17]. Many dynamic analysis techniques were used for malware analysis which included the detection of malicious network traffic of mobile devices for malware detection. The frameworks proposed in [15, 16] monitored the performance of the battery and generated an alarm by using the threshold value. According to [17], android malware analysis cannot be performed on smartphones because of their limited power resources. In the same context, the author in [18] claimed through experiments that the dynamic analysis is not satisfactory for malware detection on smartphones. Hybrid analysis was employed in [19] for malware detection which included characterizing malware using deep learning techniques.

The scope of the existing research on static and dynamic analysis for android applications has three dimensions, i.e., (1) required permissions, (2) sensitive APIs, and (3) dynamic behaviors. The approach in [13] utilized the first and second dimensions with machine learning algorithms. The permission system was used to predict the malicious modules and prior knowledge of known malware was applied to find variants of malware families. All the android applications run in limited access sandbox. If an application wants to use information outside of its sandbox, then the application must get permission from another sandbox. It may be possible that the permission generates any harmful impact on that application, operating system, or user. The application gets access to reading or writing user private data (for example, contacts or e-mails), reading and writing other application files, performing network access and transferring critical data, and so on. Manifest (Android-Manifest.xml) file has all the permissions of an application and the user approves each permission at runtime. The researchers found a useful tool for the android permission model based on manifest files which were used to detect whether an application is malicious or not [19].

Enck et al. [8] proposed a Kirin framework for analyzing the permissions of an application at installation time and manually formulated rules for the detection of malicious applications. The Kirin framework performed lightweight certification of applications to mitigate malware at install time. The idea of Kirin is based on android’s required permissions with nine sets of rules. To evaluate their framework, a dataset of 311 android applications of 16 different categories was used from which only 12 applications failed to pass the defined security rules. Igarashi proposed a system named DroidDetector [13] to analyze malicious APKs by using a machine learning approach to both static and dynamic techniques of malware detection. The static approach emphasizes parsing the two files Android-Manifest.xml and class.dex by considering 120 API calls for malware detection. From these 120 API calls, 59 contained malicious API calls. The DroidDetector [13] achieved 89.03% detection accuracy in the static analysis with a limited dataset of 150 malicious applications. The increase in the dataset affected the performance of this model due to the deep learning technique. Portokalidis et al. [20] proposed an effective technique named permission usage to detect malware in android (PUMA) for detecting Android malware. The author has analyzed the permission model of malicious and benign applications and observed different categories of applications. For evaluations, the authors gathered a collection of 1811 benign android applications of different types and 249 known malicious applications. The PUMA detected 80% of malicious applications. The [21] article provides the datasets of the malicious and benign antimalware as well as a specially designed multilayer perceptron neural network that is being used to detect antimalwares. Our statistical analysis and optimized algorithm give optimal results and have marginally better accuracy up to 7 percent.

Shen et al. [15] proposed a framework to present a new behavior-based anomaly detection system for detecting meaningful deviations in a mobile application’s network behavior. They attempted to detect a new type of mobile malware with self-updating capabilities. The false-negative ratio of malware is monitored with network traffic and its behavior. Lai et al. [2] proposed a framework using function call graphs, which were used to find similarities between samples while being more robust against certain obfuscation strategies. With this framework, the android malware detection rate was 89% but had the class imbalanced and imperfect dataset classification. Kumar [22] proposed a framework for the characterization of existing android malware. In their technique, best-case detection is 79.6% and worst-case detection is 20.2%. As the framework generated the fuzzy hash of all applications, therefore, the major changes were not detectable through this framework. Shabtai et al. [18] focused on algorithms and tools to protect applications from product tampering and piracy while facilitating valid product updates. Android applications are vulnerable to tampering because of bytecode. Therefore, the algorithm proposed in Shabtai et al. [18] was based on a customized similarity distance, which returned a value between 0 and 1 with the limitation of burdensome code inspection and detection only at the class level.

Deborah et al. propose the Felder-Silverman learning model using Fuzzy rules to handle the uncertainty in online learning style [23]. Roussev proposed a system based on text mining and information retrieval techniques for malware analysis and named it DENDROID [24]. It was motivated by a statistical analysis of the code structures based on the text mining approach. The DENDROID [24] automatically classified smartphone malware samples and analyzed families based on the code structures found in them.

This research [25] highlights the Internet of things enabled smart devices framework for accurate estimation of child mortality. This research [26] represents signature-based authentication and detection using a key agreement ad hoc network. This article [27] proposes a solution of key management and key distribution for secure group communication in mobile and cloud network. The author [28] presents an idea related to a secure multifactor authenticated key agreement scheme for industrial IoT. Their proposed system has the limitation of burdensome code inspection as code chunks are only based on functions and are vulnerable to code obfuscation. Desnos et al. [29] presented guidelines for the use of fuzzy hash. They suggested which fuzzy hash is best to use based on the situation and also demonstrated the implementation of several presented fuzzy hashes. In this work, we propose a strategy based on fuzzy hashing to detect Android malware.

2.1. Fuzzy Hashes

Cryptographic hashes play an important role in digital forensics for the integrity checking of a file or folder. Using cryptographic hash such as MD5, SHA1, SHA256, etc., is a sequence of characters that is generated using an algorithm that computes a file or folder for integrity checking. Two different files must have two different hashes whereas two same files must have the same hash value. If one of the files changes on a single line, although these two files have the same content, the hash value of these files must be changed. Fuzzy hashes [29, 30] are a mechanism for computing the similarity between two different hashes. A similarity source is computed using a fuzzy hash if the two files are approximately similar. Different similarity hash algorithms are available in the literature [20, 30–33]. In this research, we use the ssdeep fuzzy hash because NIST recommends SSDEEP as the standard fuzzy hash [32]. SSDEEP hash utilizes the bytewise, syntactic, and semantic strategies in the algorithm. Byte-wise matching relies on the byte sequence of the object. Byte-wise functions are also known as similarity hashing [31]. Syntactic matching depends on the inward structure of the item. Thus, it is arranging subordinates yet does not translate the substance of the item to deliver results [31]. Semantic matching relies on the contextual attributes of the object. One of the examples of semantic matching is the similarity of the content of JPG and PNG images in which their byte structures are different due to encoding but the pictures are the same [31].

3. Proposed Methodology

The proposed methodology has four phases as shown in Figure 1. The first phase is to detect the possibility of malicious activity in an android application. As recommended in [17], 20 sensitive android permissions are used negatively which can cause serious harm to a device as shown in Figure 2.

Android applications must request permission to access sensitive user data (such as contacts and SMS) as well as certain system features (such as camera and Internet). Depending on the feature, the system might grant the permission automatically or might prompt the user to approve the request. It might be possible that the application which gets permission to send SMS is fake permission and for promoting other companies from sim cards. These sensitive permissions allow access to read phone numbers, location, media access, etc. AndroMalShare [6] is an online android malware dataset source. It has 85,171 android malware samples from various families with a statistical chart of the top 20 rights granted by android malware as depicted in Figure 2. After reversing an application into Java code, sensitive permissions are searched from the manifest file as listed in Figure 2. In phase 2, if any of the mentioned permission is found, then the package names of the application from the source code are extracted in the second phase. In the third phase, these names are matched with known malware package names.

If the package name is a direct match, then the fuzzy hash of matched package is computed. The computed package is matched with the known malware fuzzy hash signatures in the fourth phase. The application is declared malicious if the fuzzy hash match is greater than 40%. If the match is less than 40% and greater than 10%, the application is declared suspicious otherwise nonmalicious. In case, if package names are not directly matched with extracted packages of application then the fuzzy hash of each package is computed individually. After extracting the fuzzy hashes, all the fuzzy hashes are matched with known fuzzy hash signatures. If the fuzzy hash match is greater than 40% from any one of the extracted packages, the application is declared malicious. If the match is less than 40% and greater than 10%, the application is declared suspicious otherwise nonmalicious.

4. Implementation

This section explains the implementation of the proposed methodology, the requirements, and the details of the experiments. The implementation design is shown in Figure 1. The detailed algorithms are shown in Algorithms 1–4. The algorithm in Algorithm 1 shows the reverse engineering process, the algorithm in Algorithm 2 depicts the process of sensitive feature identification, the algorithm in Algorithm 3 describes malware detection and the algorithm in Algorithm 4 categorizes the applications into three categories, i.e., malicious, non-malicious, and suspicious. The details of the algorithms are as follows:

	Input: (i) Path of malicious apk files
	(ii) Path of malicious jar files
	Output: Conversion of.dex file from APK file
	Steps
(1)	FUNCTION DEX2JARExtractor (PathOfAPKFiles, PathOfJarFile)
(2)	FOR A = 0 to until all the APK files are not reversed from PathOfApkFiles
(3)	BEGIN
(4)	IF PathOfJarFileNotExist
(5)	SET directory path “JobPool/with MD5 of apk file (.txt)”
(6)	Create Directory on PathOfJarFile
(7)	END IF
(8)	Create command using dex2jar.bat–d A and SET into X
(9)	Run command X
(10)	EXCEPTION:
(11)	PRINT Error in File
(12)	END FOR

	Input: (i) Path of jar files
	Output: Get JAVA code from.dex file
	Steps
(1)	FUNCTION JADX-CodeExtractor (PathOfJarFile):
(2)	FOR A = 0 to until all the JAR files are exist on PathOfJarFile
(3)	BEGIN
(4)	SET directory path CODE/JAR File name read
(5)	IF directory Path Not ExistOfJarFileNotExist
(6)	Create Directory on directory path
(7)	END IF
(8)	Create command using jadx–d concatenation with directory path, A SET into X
(9)	Run command X
(10)	EXCEPTION:
(11)	PRINT Error in File
(12)	END FOR

	Input: (i) Path of reversed code
	Output: Get malicious packages and classes form reversed engineered code
	Steps
(1)	FUNCTION getMaliciousPackages (PathOfCodeFolder):
(2)	FOR A = 0 to until all the java files which exist in PathOfCodeFolder
(3)	BEGIN
(4)	Split A variable from “\\” and create a list X
(5)	SET directory path “JobPool/with MD5 of apk file (.txt)”
(6)	IF directory path Not Exist
(7)	Create Directory on directory path
(8)	END IF
(9)	Package_list = getPackage(PathOfCodeFolder)
(10)	Read known malicious packages and class name
(11)	Match package_list with known malicious package if matche
(12)	Create rar file of this malicious package
(13)	EXCEPTION:
(14)	PRINT Error in File
(15)	END FOR

	Input: (i) Malicious Apk file
	Output: Get intents and permissions of APK file
	Steps
(1)	FUNCTION getPermissions (APKFile)
(2)	SET list_of_permission//MF = manifest file
(3)	SET list_of_intents//list_of_permission = P
(4)	FOR all MF belongs to APKFile//list_of_intents = I
(5)	BEGIN
(6)	IF MF = “androidmanifest.xml”
(7)	Read file MF
(8)	P = getPermissions (MF)
(9)	I = getIntents (MF)
(10)	Save list of permissions and intents into an.csv file
(11)	END IF
(12)	EXCEPTION:
(13)	PRINT Error in File
(14)	END FOR

The first phase of implementation is the process of reverse engineering. In his process, we use dex2jar [34] and jadx [35] tools. The process of extracting the java code is manual. The process is automated by using the script in python language [36]. For this purpose, two functions are proposed, the first function is DEX2JARExtractor as shown in Algorithm 1 and the second function is JADX-CodeExtractor as depicted in Algorithm 2. DEX2JARExtractor function extracts all the.dex files of APK files. The algorithm gets two parameters as input, one is the path of APK files and the other one is the path for.jar file replacement.

The algorithm extracts all the.jar files from all APK files using the dex2jar tool [34]. To extract the.dex file, a command of the dex2jar tool is employed and saved all the.dex files into a specific folder. The JADX-CodeExtractor extracts java code from.jar files as shown in Algorithm 2. The algorithm receives one parameter (folder path of.jar files) as input. With the help of jadx [35], the command-line tool extracts all.java files from the.jar file which are extracted by using dex2jar as shown in Algorithm 1.

4.1. Sensitive Features’ Extraction

To extract the sensitive features from extracted java code, the first step is to extract the malicious permissions (listed in Figure 2) from the manifest file. The apktool [37] is used to extract all the manifest files from APK files. Furthermore, the permissions from the manifest files are extracted using the get permission algorithm as shown in Algorithm 4.

The first step in the get permission algorithm is to take the APK file as a parameter. The next step is the declaration of the list of intents and permissions. From steps 3 to 9, the manifest file among all the disintegrated files of APK zip files is checked. If the file is manifest then it saves all the required permissions and intents into a list. The list is then converted to a CSV file with permissions and intents. If the package of an APK file is directly matched with known malicious packages, produce the a.rar file of that package for producing the fuzzy hash signature as shown in Algorithm 3. The first step of the algorithm shown in Algorithm 3 is to get the path of the code folder as a parameter.

The algorithm then reads all the reversed code (java files) from a specific path. It then extracts all the malicious packages and class names from the reversed application. If packages are matched with the known malicious packages then all the classes of those packages are extracted and the.rar file is created for the fuzzy hash.

4.2. Malware Detection

After getting the permission and package names from the source code, the next step is to check the application using features such as permissions and malicious packages as shown in Algorithm 3. If the malicious permission exists, then it checks the malicious package of the source code and creates a compressed.rar file of that specific package. In case, if the malicious package is not found then the program extracts all the packages of that specific source code and creates separate.rar files of these packages. After the creation of.rar files of known and unknown packages, it creates a fuzzy hash of these.rar files for verification.

4.3. Classification

After the creation of fuzzy hashes, the next phase is to classify the application as malicious, nonmalicious, or suspicious. These fuzzy hashes are compared with the known fuzzy hash of malware samples. If the fuzzy hash is matched more than 40%, the application is declared malicious. If the fuzzy hash matches greater than 40% and less than 10%, then the application is suspicious otherwise non-malicious.

5. Experimental Design

5.1. Experiment Setup

The experiments are performed on HP Pavilion series Intel(R) Core(TM) i7-4500U CPU@1.80 GHz 2.40 GHz with 12.0 GB of RAM and Windows 10 platform. The software setups which are used to perform android malware analysis are Python 2.7.15 [36], Dex2jar [34], and Jadx [35]. Dataset selection and experimental results are as follows.

5.2. Dataset Selection

To evaluate the effectiveness of the proposed technique, the experiments are performed on one of the largest online available datasets, i.e., the Derbin android malware dataset [37]. Derbin android malware dataset contains 5,560 android malware applications from 179 different families. The dataset provided by Derbin is not arranged family-wise. The Derbin dataset [14] provides an excel sheet that has MD5 hashes of APK files and corresponding malware with their family name.

The python script is harnessed to categorize the malware family. For experiments, 21 different malware families are selected which contain a large number of samples. The selected malware families, frequency of malware samples, and the selected attributes are shown in Tables 1 and 2 respectively. The selected malware family and the number of samples are shown in Figure 3.

5.3. Analysis of Android Malware Detection

Out of the 179 malware families of the Derbin android malware dataset [37], 21 different malware families are chosen with the highest frequency and a probability of not less than the 33% threshold. Table 1 shows the selected malware families and the total count of samples. Malicious packages [38] are utilized to detect malware. Knowledge of known malware packages and sensitive permissions [6] is necessary for our proposed technique. For our case study, 2300 malware samples are used as a training dataset from 21 different malware families for the creation of malware signatures.

5.4. Malware Analysis of Training Dataset

From the selected 2300 malware samples, 2203 reverse-engineered malicious packages are found to be an exact match of the known malicious packages. In the case of the remaining 97 unmatched applications, packages are extracted from their respective source codes to create their.rar files and the fuzzy hash values are computed. If the fuzzy hash value is greater than 40%, the application is malicious. Otherwise, if the fuzzy hash value is greater than 10% and less than 40%, the application is suspicious otherwise nonmalicious.

5.5. Malware Analysis of Testing Dataset

To evaluate the signatures computed in Section 5.3, 380 applications are utilized from the Derbin android malware dataset [37]. To detect malware, each of the 380 applications is tested one by one and compared with known malicious packages. The fuzzy hash is computed by creating a.rar file of the matched package. The results of the test applications are shown in Figure 4. The calculated fuzzy hash is then compared to a known malicious fuzzy hash stored in our database.

6. Experimental Evaluation and Results

The graph for the computed signatures is depicted in Figure 5, in which the x-axis shows the frequency of tests from the database and the y-axis shows the percentage match with the malicious signatures. The graph helps us to identify the threshold value of the fuzzy hash. All values against fuzzy hash comparison can be seen in the graph as presented in Figure 5.

The outcome of the 380 test applications’ fuzzy hash is shown in Figure 5. Based on Figure 5, the threshold value for the fuzzy hash is calculated as shown in Table 3. The proposed framework has detected 56% as malware, 21% as suspicious, and 23% as benign applications. These statistics are shown in Figure 6.

7. Conclusion and Future Work

The repacked samples of android malware are the focus of this study. A static malware identification method is proposed in this work for the repacked malware in android devices. The proposed technique works by distinguishing packages that contain vulnerable code. It has four phases to identify the packages with malicious code. Phase-1 reverses the application and gets the Java code of the application. Meanwhile, malicious package names and permissions of the application are extracted in phase-2. Extracted names of malicious packages are matched with known malware package names in phase-3. If the package name is direct match, then the fuzzy hash of matched package is computed. In phase-4, the computed packaged is matched with the known malware fuzzy hash signatures. The application is declared malicious if the fuzzy hash match is greater than 40%. If the match is less than 40% and greater than 10%, the application is declared suspicious otherwise nonmalicious. To assess the system’s accuracy, the experiments are performed on a dataset comprising 3490 malware samples from 21 different families. We obfuscated 7 malware samples from 7 different families using a popular obfuscation tool Proguard. The first two phases failed to detect these samples whereas obfuscated code is detected in the third Phase. After conducting the tests, it was discovered that 95% of malware samples are at level-1 (i.e., class name and package name matching), while 71.11% of total malware samples are detected as repacked at level-2 (i.e., SSDEEP Fuzzy Hash). There are still loopholes that are still unsolved like zero-day attack prediction. The future work centers around recognizing and consolidating progressively granular level which needs to be improved. The strategy requires more attention in phase-II to study and improve more complex obfuscation techniques.

Data Availability

Since the funding project is not closed and related patents have been evaluated, the simulation data used to support the findings of this study are currently under embargo, while the research findings are commercialized. The data, upon the approval of patents after project closure, can be obtained from the corresponding author.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

References

M. M. Frank Breitinger, B. Guttman, and D. W. Vassil Roussev, “Approximate Matching: Definition and Terminology”.
View at: Google Scholar
O. S. M. Smartphone, “New android malware found in 144 GooglePlay apps,” https://www.idc.com/promo/smartphone-market-share/os.
View at: Google Scholar
C. Castillo, “New android malware found in 144 GooglePlay apps,” https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/android-malware-grabos-exposed-millions-to-pay-per-install-scam-on-google-play/#similar-articles.
View at: Google Scholar
R. Taheri, M. Ghahramani, R. Javidan, M. Shojafar, Z. Pooranian, and M. Conti, “Similarity-based Android Malware Detection Using Hamming Distance of Static Binary Features,” 2019, https://arxiv.org/abs/1908.05759.
View at: Google Scholar
Y. Pan, X. Ge, C. Fang, and Y. Fan, “A systematic literature review of android malware detection using static analysis,” IEEE Access, vol. 8, pp. 116363–116379, 2020.
View at: Publisher Site | Google Scholar
AndroMalShare, “Project Focused on Sharing Android Malware Samples,” 2019, http://sanddroid.xjtu.edu.cn:8080/.
View at: Google Scholar
B. Mane, “Android Malware for Bank,” https://blogs.quickheal.com/android-banking-trojan-targets-232-apps-including-indian-banks/.
View at: Google Scholar
W. Enck, M. Ongtang, and P. McDaniel, “On lightweight mobile phone application certification,” in Proceedings of the 16th ACM conference on Computer and communications security - CCS ‘09, pp. 235–245, Chicago, Illinois, USA, November 2009.
View at: Publisher Site | Google Scholar
J. Kornblum, “Ssdeep Fuzzy Hash,” 2019, https://ssdeep-project.github.io/ssdeep/index.html.
View at: Google Scholar
D. Nagle, “Google Play Store,” HTML5 Game Engines, pp. 161–168, 2020.
View at: Publisher Site | Google Scholar
M. Zheng, M. Sun, and J. C. S. Lui, “Droid analytics: a signature based analytic system to collect, extract, analyze and associate android malware,” in Proceedings of the 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, pp. 163–171, Melbourne, VIC, Australia, July 2013.
View at: Publisher Site | Google Scholar
V. H. G. Moia and M. A. A. Henriques, “Similarity digest search: a survey and comparative analysis of strategies to perform known file filtering using approximate matching,” Security and Communication Networks, vol. 2017, Article ID 1306802, pp. 1–17, 2017.
View at: Publisher Site | Google Scholar
Y. Igarashi, “Forest of pressure: ogawa Shinsuke and postwar Japanese documentary,” Choice Rev. Online, vol. 45, no. 02, pp. 45–0765, 2007.
View at: Publisher Site | Google Scholar
G. H. Lai, Y. H. Lee, T. H. Chu, and T. H. Cheng, “A Structure Similarity-Based Approach to Malicious Android App Detection,” in Proceedings of the Pacific Asia Conf. Inf. Syst. PACIS 2015 - Proc, June 2015.
View at: Google Scholar
F. Shen, J. D. Vecchio, A. Mohaisen, S. Y. Ko, and L. Ziarek, “Android malware detection using complex-flows,” IEEE Transactions on Mobile Computing, vol. 18, no. 6, pp. 1231–1245, 2019.
View at: Publisher Site | Google Scholar
Z. Yuan, Y. Lu, and Y. Xue, “Droiddetector: android malware characterization and detection using deep learning,” Tsinghua Science and Technology, vol. 21, no. 1, pp. 114–123, 2016.
View at: Publisher Site | Google Scholar
A. Lee and T. Atkison, “A comparison of fuzzy hashes: evaluation, guidelines, and future suggestions,” in Proceedings of the SouthEast Conference, pp. 18–25, Kennesaw, GA, USA, April 2017.
View at: Publisher Site | Google Scholar
A. Shabtai, L. Tenenboim-Chekina, D. Mimran, L. Rokach, B. Shapira, and Y. Elovici, “Mobile malware detection through analysis of deviations in application network behavior,” Computers & Security, vol. 43, pp. 1–18, 2014.
View at: Publisher Site | Google Scholar
H. Kim, J. Smith, and K. G. Shin, “Detecting energy-greedy anomalies and mobile malware variants,” in Proceeding of the 6th international conference on Mobile systems, applications, and services - MobiSys ‘08, pp. 239–252, Breckenridge, CO, USA, June 2008.
View at: Publisher Site | Google Scholar
G. Portokalidis, P. Homburg, K. Anagnostakis, and H. Bos, “Paranoid android: versatile protection for smartphones,” in Proceedings of the 26th Annual Computer Security Applications Conference on - ACSAC ‘10, pp. 347–356, Austin, Texas, USA, December 2010.
View at: Publisher Site | Google Scholar
S. Seraj, S. Khodambashi, M. Pavlidis, and N. Polatidis, “HamDroid: permission-based harmful android anti-malware detection using neural networks,” Neural Computing & Applications, vol. 34, no. 18, pp. 15165–15174, 2022.
View at: Publisher Site | Google Scholar
A. Kumar, “Static code analysis for android using FindBugs, PMD and checkstyle,” https://medium.com/mindorks/static-code-analysis-for-android-using-findbugs-pmd-and-checkstyle-3a2861834c6a.
View at: Google Scholar
L. J. Deborah, R. Sathiyaseelan, S. Audithan, and P. Vijayakumar, “Fuzzy-logic based learning style prediction in e-learning using web interface information,” Sadhana, vol. 40, no. 2, pp. 379–394, 2015.
View at: Publisher Site | Google Scholar
V. Roussev, “An evaluation of forensic similarity hashes,” Digital Investigation, vol. 8, pp. S34–S41, 2011.
View at: Publisher Site | Google Scholar
M. Islam, M. Usman, A. Mahmood, A. A. Abbasi, and O. Y. Song, “Predictive analytics framework for accurate estimation of child mortality rates for Internet of Things enabled smart healthcare systems,” International Journal of Distributed Sensor Networks, vol. 16, no. 5, Article ID 155014772092889, 2020.
View at: Publisher Site | Google Scholar
A. S. Rajasekaran and M. Islam Satti, “An Anonymous Signature-Based Authentication and Key Agreement Scheme for Vehicular Ad Hoc Networks,” Security and Communication Networks, vol. 2022, Article ID 1222660, 2022.
View at: Publisher Site | Google Scholar
P. Vijayakumar, V. Chang, L. J. Deborah, and B. S. R. Kshatriya, “Key management and key distribution for secure group communication in mobile and cloud network,” Future Generation Computer Systems, vol. 84, pp. 123–125, 2018.
View at: Publisher Site | Google Scholar
R. Vinoth, L. J. Deborah, P. Vijayakumar, and N. Kumar, “Secure multifactor authenticated key agreement scheme for industrial IoT,” IEEE Internet of Things Journal, vol. 8, no. 5, pp. 3801–3811, 2021.
View at: Publisher Site | Google Scholar
A. Desnos, “Android: static analysis using similarity distance,” in Proceedings of the 2012 45th Hawaii International Conference on System Sciences, pp. 5394–5403, Maui, HI, USA, January 2012.
View at: Publisher Site | Google Scholar
S. Hanna, L. Huang, E. Wu, S. Li, C. Chen, and D. Song, “Juxtapp: a scalable system for detecting code reuse among android applications,” Lecture Notes in Computer Science, vol. 7591, pp. 62–81, 2013.
View at: Publisher Site | Google Scholar
J. A. D. X. Skylot, “Tool to statically analyze apk,” https://github.com/skylot/jadx.
View at: Google Scholar
A. Sourcetoad, “Tool to reverse engineer apk file,” https://ibotpeaches.github.io/Apktool/install/.
View at: Google Scholar
B. Pan, “Dex2jar: reverse engineering tool,” https://sourceforge.net/projects/dex2jar.
View at: Google Scholar
Y. Zhou and X. Jiang, “Dissecting android malware: characterization and evolution,” in Proceedings of the 2012 IEEE Symposium on Security and Privacy, pp. 95–109, San Francisco, CA, USA, May 2012.
View at: Publisher Site | Google Scholar
G. Suarez-Tangil, J. E. Tapiador, P. Peris-Lopez, and J. Blasco, “Dendroid: a text mining approach to analyzing and classifying code structures in Android malware families,” Expert Systems with Applications, vol. 41, pp. 1104–1117, 2014.
View at: Publisher Site | Google Scholar
P. S. Foundation, “Python 2.7.15,” https://www.python.org/downloads/release/python-2715/.
View at: Google Scholar
T. Bläsing, L. Batyuk, A. D. Schmidt, S. A. Camtepe, and S. Albayrak, “An android application sandbox system for suspicious software detection,” in Proceedings of the 2010 5th International Conference on Malicious and Unwanted Software, pp. 55–62, Nancy, France, October 2010.
View at: Publisher Site | Google Scholar
S. security Company, “Virustotal,” https://www.virustotal.com/gui/.
View at: Google Scholar

Copyright

Copyright © 2022 Hasnat Ali et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Security and Communication Networks

Security Hardened and Privacy Preserved Vehicle-to-Everything (V2X) Communication 2021

[Retracted] Security Hardened and Privacy Preserved Android Malware Detection Using Fuzzy Hash of Reverse Engineered Source Code

Abstract

1. Introduction

2. Related Work

2.1. Fuzzy Hashes

3. Proposed Methodology

4. Implementation

4.1. Sensitive Features’ Extraction

4.2. Malware Detection

4.3. Classification

5. Experimental Design

5.1. Experiment Setup

5.2. Dataset Selection

5.3. Analysis of Android Malware Detection

5.4. Malware Analysis of Training Dataset

5.5. Malware Analysis of Testing Dataset

6. Experimental Evaluation and Results

7. Conclusion and Future Work

Data Availability

Conflicts of Interest

References

Copyright