Status: Completed

We present an automated method for extracting familial signatures for Android malware, i.e., signatures that identify malware produced by piggybacking potentially different benign applications with the same (or similar) malicious code. The APK classes that constitute malware code in a repackaged application are separated from the benign code in two steps. First, each APK is partitioned into modules by taking advantage of the fact that malware code is loosely coupled with the benign code. Next, using a linear algorithm, the modules of all the APKs of the same malware family are compared to locate the malicious modules in each APK. Finally, the Android API calls used by the malicious modules are extracted to create a signature. A piggybacked malicious app can be detected by first decomposing it into loosely coupled modules and then matching the Android API calls called by each of the modules against the signatures of the known malware families. Since the signatures are based on Android API calls, they are related to the core malware behavior, and thus are more difficult to alter.