
Classifying Android Malware Through Subgraph Mining

Conference Paper
Publication Date:
2013
Abstract:
Current smartphones are based upon the concept of apps, which are lightweight applications that are distributed through on-line marketplaces, such as Google Play (for Android devices). Unfortunately, this market-centric model is affected by several major security and trust issues, due to the fact that anyone can easily create, and deploy through the market, a malicious app that could potentially lead to a massive malware spread. In this paper, we propose a framework to classify Android malware based upon the concept of common patterns of actions executed by malicious applications. The basic idea is to extract, from known malware, a subset of frequent subgraphs of system calls that are executed by most of the malware. This set of subgraphs constitutes a database of known malicious features. Then, when a new application is downloaded from a market, it is first run in a sandbox to monitor its behavior. This will result in an execution trace that may contain some of the subgraphs previously found in malware. The resulting vector of the found subgraphs is given to a classifier that returns its decision on whether the application is likely malware or not. Preliminary tests executed both on known good apps and malware confirm the effectiveness and quality of our proposal.
Iris type:
04.01 Contribution in conference proceedings
Keywords:
smartphones; Android malware
List of contributors:
Sgandurra, Daniele; Saracino, Andrea; Martinelli, Fabio
Authors of the University:
MARTINELLI FABIO
Handle:
https://iris.cnr.it/handle/20.500.14243/254816