LimonDroid: Coupling Three Signature-based Schemes for Profiling Android Malware
Abstract
Android remains an attractive target for attackers because of its openness, and providing efficient defensive solutions is still a major concern. Prior authors propose similarity measurements such as fuzzy hashing to counter code obfuscation techniques, but these approaches suffer from limited signature databases. To improve the updating and consistency of the signature database, this work couples fuzzy hashing with YARA rules and the VirusTotal signature-based scheme. Limon Sandbox, a desktop security tool that includes such schemes, is reverse-engineered and implemented to work on Android. LimonDroid has been tested with 341 malicious and 300 benign applications against a database of 12925 fuzzy-hashed malware signatures, 62 YARA families' patterns and the VirusTotal engine. Our approach gives a true positive rate of 97.36%, a true negative rate of 98.33% and an accuracy of 97.82%. In addition, the proposed system outperforms permission-based solutions and is able to reveal obfuscated malicious capabilities inside applications. A comparison with similarity-based solutions reveals that LimonDroid is more efficient for users. Thanks to the way its database is constructed, it could also identify profiles of zero-day Android malware.
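The following is an added example, not code from the paper or the LimonDroid project: it models the coupling of the three schemes under an assumed any-hit rule (thresholds and the OR combination are assumptions, since the abstract does not state the decision logic) and recovers the confusion matrix implied by the reported rates, so a reader can check that the stated TPR, TNR and accuracy are mutually consistent.

```python
from dataclasses import dataclass, field


@dataclass
class Verdicts:
    """Per-scheme results for one APK (constructed sample, not the paper's data)."""
    fuzzy_score: int            # best ssdeep-style similarity (0-100) against the signature DB
    yara_hits: list = field(default_factory=list)   # YARA family rules that matched
    vt_detections: int = 0      # number of VirusTotal engines flagging the sample


def classify(v: Verdicts, fuzzy_threshold: int = 60, vt_threshold: int = 1) -> bool:
    """Assumed coupling rule: a sample is labelled malicious if any scheme flags it."""
    return (v.fuzzy_score >= fuzzy_threshold
            or len(v.yara_hits) > 0
            or v.vt_detections >= vt_threshold)


def metrics(tp: int, fn: int, tn: int, fp: int) -> dict:
    """Standard rates from a confusion matrix, in percent rounded to two decimals."""
    total = tp + fn + tn + fp
    return {
        "tpr": round(100 * tp / (tp + fn), 2),
        "tnr": round(100 * tn / (tn + fp), 2),
        "accuracy": round(100 * (tp + tn) / total, 2),
    }


def confusion_from_rates(n_malicious: int, tpr: float, n_benign: int, tnr: float):
    """Recover integer TP/FN/TN/FP counts from reported rates (rounded to whole samples)."""
    tp = round(n_malicious * tpr / 100)
    tn = round(n_benign * tnr / 100)
    return tp, n_malicious - tp, tn, n_benign - tn


# Figures reported in the abstract: 341 malicious, 300 benign, TPR 97.36%, TNR 98.33%.
PAPER_TP, PAPER_FN, PAPER_TN, PAPER_FP = confusion_from_rates(341, 97.36, 300, 98.33)
PAPER_METRICS = metrics(PAPER_TP, PAPER_FN, PAPER_TN, PAPER_FP)

if __name__ == "__main__":
    print("implied confusion matrix:", PAPER_TP, PAPER_FN, PAPER_TN, PAPER_FP)
    print("recomputed metrics:", PAPER_METRICS)
    # Constructed verdicts: fuzzy hash alone, YARA alone, nothing flagged.
    print(classify(Verdicts(fuzzy_score=75)),
          classify(Verdicts(fuzzy_score=20, yara_hits=["family_rule_A"])),
          classify(Verdicts(fuzzy_score=20)))
```

The recomputed accuracy (97.82%) matches the abstract's figure, which implies 332 true positives and 295 true negatives out of 641 samples.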