Android Malware Detection Based on Static Analysis of Characteristic Tree

The number of mobile malware is greatly increasing and the malware detection malware has become a critical problem. Android is fast becoming the most popular mobile platform resulting in quick increase in malware targeting the platform. Current static-analysis practice on Android application package (APK) mainly uses the features such as signature, md5 hash, permissions, data flows, API (Application Programming Interface) calls and etc. Extracted from the manifest file and the code. Such features lack consideration on the APK code organizations and object hierarchy, and thus they may be ineffective in detecting and predicting an APK´S application behaviors and maliciousness. Our research aims to find and implement a novel API-usage characterization approach for Android APK on different layers of resolutions, namely packages, classes, functions and APIs. A tree structure called "Characteristic Tree" is used to contain such API-usage information on different layers of the tree structure, and a comparison algorithm is designed for calculating characteristic-tree similarity. This new detection method detection provides more meticulous insights in classifying and detecting Android malware of different types and code families. The variations in API-usage on different code layers imply code functionalities and application behaviors, and thus they can be used to improve current static-analysis method in malware detection and signature generation. Realistic malware packet samples of various types and families were used to validate the proposed approach, and results were discussed for its performance and future improvement.