• DocumentCode
    1799771
  • Title

    Detect Android Malware Variants Using Component Based Topology Graph

  • Author

    Tong Shen ; Yibing Zhongyang ; Zhi Xin ; Bing Mao ; Hao Huang

  • Author_Institution
    Dept. of Comput. Sci. & Technol., Nanjing Univ., Nanjing, China
  • fYear
    2014
  • fDate
    24-26 Sept. 2014
  • Firstpage
    406
  • Lastpage
    413
  • Abstract
    Smartphones have experienced explosive growth recently. At present, the Android system is the most popular mobile platform and attracts lots of developers as well as malware authors. In order to evade detection, malware authors often apply obfuscation techniques to morph malware. Since traditional malware detectors are based on pure syntax, they may fail to detect obfuscated malware variants. We present a novel signature, a topology graph based on Android components, which could model malicious payloads properly and resist common obfuscation used by hackers. We perform a stress test on security tools provided by VirusTotal with ten kinds of malware families from the Android Malware Genome Project. Unfortunately, the result is not optimistic: obfuscated malware samples evade most of the security tools. Nevertheless, 86.36% of the obfuscated malware samples we tested are caught by our detector with tolerable false positives. The evaluation demonstrates that our approach is able to detect malware variants generated by common obfuscation techniques.
  • Keywords
    graph theory; invasive software; program testing; smart phones; Android Malware Genome Project; Android components; Android malware variants detection; component based topology graph; malicious payloads; obfuscated malware; security tools; stress test; Androids; Humanoid robots; Malware; Payloads; Receivers; Smart phones; Topology; component; malware; obfuscation; topology graph;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Trust, Security and Privacy in Computing and Communications (TrustCom), 2014 IEEE 13th International Conference on
  • Conference_Location
    Beijing
  • Type

    conf

  • DOI
    10.1109/TrustCom.2014.52
  • Filename
    7011276