DroidClone: Attack of the Android Malware Clones - A Step Towards Stopping Them

Shahid Alam¹ and Ibrahim Sogukpinar²

  1. Department of Computer Engineering, Adana Alparslan Turkes Science and Technology University, Adana, Turkey
    salam@atu.edu.tr
  2. Department of Computer Engineering, Gebze Technical University, Gebze, Turkey
    ispinar@gtu.edu.tr

Abstract

Code clones are in frequent use because they can be created fast with little effort and expense. Especially for malware writers, it is easier to create a clone of the original than to write new malware. According to the recent Symantec threat reports, Android continues to be the most targeted mobile platform, and the number of new mobile malware clones grew by 54%. There is a need to develop techniques and tools to stop this attack of Android malware clones. To stop this attack, we propose DroidClone, which exposes code clones (segments of code that are similar) in Android applications to help detect malware. DroidClone is the first such effort that uses specific control flow patterns to reduce the effect of obfuscations and detects clones that are syntactically different but semantically similar up to a threshold. DroidClone is independent of the programming language of the code clones. When evaluated with real malware and benign Android applications, DroidClone obtained a detection rate of 94.2% and a false positive rate of 5.6%. When tested against various obfuscations, DroidClone successfully provided resistance against all the trivial obfuscations (renaming methods and parameters, nop insertion, etc.) and some non-trivial ones (call graph manipulation, function indirection, etc.).

Key words

Android, Code Clones, MAIL, Malware Analysis and Detection, TF-IDF, Machine Learning

Digital Object Identifier (DOI)

https://doi.org/10.2298/CSIS200301042M

Publication information

Volume 18, Issue 1 (January 2021)
Year of Publication: 2021
ISSN: 2406-1018 (Online)
Publisher: ComSIS Consortium

How to cite

Alam, S., Sogukpinar, I.: DroidClone: Attack of the Android Malware Clones - A Step Towards Stopping Them. Computer Science and Information Systems, Vol. 18, No. 1, 43–66. (2021), https://doi.org/10.2298/CSIS200301042M