Title Android application classification using common functions
Abstract Known malicious Android applications are collected and their functions are extracted. Similarity values are calculated between pairs of functions and those functions with a low similarity value are grouped together and assigned a unique similarity identifier. A common set of functions or common set of similarity identifiers are identified within the applications. If at least one function in the common set is determined to be malicious then the common set is added to a blacklist database either by adding functions or by adding similarity identifiers. To classify an unknown Android application, first the functions in the application are extracted. These functions are then compared to the set of functions identified in the blacklist database. If each function in the set of functions is present (either by matching or by similarity) in the group of extracted functions from the unknown application then the unknown application is classified as malicious.
Publication number US9349002(B1) Publication date 2016.05.24
Application number US201313904291 Filing date 2013.05.29
Applicant Trend Micro Inc. Inventors Zhang Lei;Huang Zhentao;Fang Franson
Classification G06F21/56 Main classification G06F21/56
Agent Beyer Law Group LLP Attorney Beyer Law Group LLP
Main claim 1. A method of creating a blacklist to detect malicious software, said method comprising: receiving a plurality of known malicious software applications, each of said applications including a plurality of functions; extracting said functions from said malicious applications; comparing said functions to one another by comparing instructions of each of said functions and calculating a similarity value for each of said comparisons, each of said functions being compared with the remaining of said functions; clustering those of said compared functions that have a similarity value that is less than a threshold value together and determining that said clustered functions are similar to one another; determining at least one set of said functions that are in common between greater than at least three of said malicious applications, wherein one of said functions in said set is deemed to be present in one of said malicious applications because a similar function is present in said one malicious application, even though said one of said functions is not present in all of said malicious applications; determining that each of said functions in said set of functions is malicious before performing the step of adding; and adding an indication of said set of functions to a blacklist database, wherein said set of functions identifies a malicious application.
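As an added illustration, not part of the patent record or of Trend Micro's implementation, the following Python walks the pipeline of the abstract and claim 1 end to end: functions are represented as opcode sequences, the similarity value is one minus difflib's match ratio (0 = identical), similarity identifiers come from greedy clustering against a threshold, a set of identifiers common to at least MIN_APPS malicious samples is blacklisted only if every member is malicious, and an unknown app is flagged only when the whole set is present by match or similarity. The opcode sequences, app names, threshold and minimum-app count are constructed assumptions.

```python
from difflib import SequenceMatcher
THRESHOLD = 0.3  # similarity value (0 = identical) below which two functions count as similar; assumed
MIN_APPS = 3     # a common set must occur in at least this many malicious apps; assumed reading of claim 1

def similarity_value(a, b):
    return 1.0 - SequenceMatcher(None, a, b).ratio()

def sim_id(reps, func):
    """Greedy clustering: id of the first representative within THRESHOLD of func, else a new id."""
    for sid, rep in enumerate(reps):
        if similarity_value(func, rep) < THRESHOLD:
            return sid
    reps.append(func)
    return len(reps) - 1

def build_blacklist(malicious_apps, malicious_names, reps):
    """malicious_apps: {app: {func_name: opcodes}}. Returns the blacklisted set of similarity ids."""
    apps_by_sid, malicious_sids = {}, set()
    for app, funcs in malicious_apps.items():
        for name, body in funcs.items():
            sid = sim_id(reps, body)
            apps_by_sid.setdefault(sid, set()).add(app)
            if name in malicious_names:
                malicious_sids.add(sid)
    common = {sid for sid, apps in apps_by_sid.items() if len(apps) >= MIN_APPS}
    # Claim 1: every member of the common set must itself be malicious before the set is added.
    return common if common and common <= malicious_sids else set()

def classify(unknown_funcs, blacklist, reps):
    """Malicious only if every blacklisted function is present, by exact match or similarity."""
    present = {sid for sid, rep in enumerate(reps)
               if any(similarity_value(f, rep) < THRESHOLD for f in unknown_funcs.values())}
    return "malicious" if blacklist and blacklist <= present else "unknown"

# Constructed opcode sequences standing in for disassembled methods; not taken from real samples.
SEND_SMS = ["const-string", "invoke-static", "move-result-object", "const/4", "invoke-virtual", "return-void"]
SEND_SMS_V2 = SEND_SMS[:3] + ["const/16"] + SEND_SMS[4:]  # one instruction differs
SEND_SMS_V3 = SEND_SMS[:5] + ["nop"] + SEND_SMS[5:]       # variant never seen in the training set
READ_CONTACTS = ["iget-object", "const-string", "invoke-virtual", "move-result-object", "if-eqz", "invoke-interface", "return-object"]
ON_CREATE = ["invoke-super", "const/high16", "invoke-virtual", "return-void"]
MALICIOUS_APPS = {"sample_a": {"onCreate": ON_CREATE, "sendSms": SEND_SMS, "readContacts": READ_CONTACTS},
                  "sample_b": {"onCreate": ON_CREATE, "sendSms": SEND_SMS_V2, "readContacts": READ_CONTACTS},
                  "sample_c": {"sendSms": SEND_SMS, "readContacts": READ_CONTACTS}}
MALICIOUS_NAMES = {"sendSms", "readContacts"}  # constructed per-function analyst verdicts
SUSPECT = {"init": ON_CREATE, "a": SEND_SMS_V3, "b": READ_CONTACTS}
BENIGN_CONTACTS_APP = {"onCreate": ON_CREATE, "readContacts": READ_CONTACTS}  # shares only one function

def run_demo():
    blacklist = build_blacklist(MALICIOUS_APPS, MALICIOUS_NAMES, reps := [])
    return blacklist, classify(SUSPECT, blacklist, reps), classify(BENIGN_CONTACTS_APP, blacklist, reps)
```

The benign contacts app is not flagged even though it shares a blacklisted function, because the claim requires the whole common set to be present; the suspect is flagged although its sendSms variant was never seen, because similarity stands in for an exact match.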
Address Tokyo JP