MalScan: Fast Market-Wide Mobile Malware Scanning by Social-Network Centrality Analysis

Title: MalScan: Fast Market-Wide Mobile Malware Scanning by Social-Network Centrality Analysis
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Wu, Y., Li, X., Zou, D., Yang, W., Zhang, X., Jin, H.
Conference Name: 2019 34th IEEE/ACM International Conference on Automated Software Engineering (ASE)
Date Published: Nov. 2019
ISBN Number: 978-1-7281-2508-4
Keywords: Analysis of variance, Android (operating system), Android malware, Android Malware Detection, API Centrality, fault-tolerant representation, feature extraction, Google-Play app market, graph semantics, graph theory, Human Behavior, invasive software, Lightweight feature, lightweight graph-based approach, MalScan, Malware, malware analysis, Market-wide, market-wide malware scanning, Metrics, mobile computing, mobile malware scanning, privacy, program analysis, program diagnostics, pubcrawl, resilience, Resiliency, Robustness, semantic features, Semantics, social networking (online), social-network-based centrality analysis, static analysis, syntax-based features, transformation attacks, zero-day malware including malware samples

Malware scanning of an app market is expected to be scalable and effective. However, existing approaches use either syntax-based features which can be evaded by transformation attacks or semantic-based features which are usually extracted by performing expensive program analysis. Therefore, in this paper, we propose a lightweight graph-based approach to perform Android malware detection. Instead of traditional heavyweight static analysis, we treat function call graphs of apps as social networks and perform social-network-based centrality analysis to represent the semantic features of the graphs. Our key insight is that centrality provides a succinct and fault-tolerant representation of graph semantics, especially for graphs with a certain amount of inaccurate information (e.g., inaccurate call graphs). We implement a prototype system, MalScan, and evaluate it on datasets of 15,285 benign samples and 15,430 malicious samples. Experimental results show that MalScan is capable of detecting Android malware with up to 98% accuracy under one second which is more than 100 times faster than two state-of-the-art approaches, namely MaMaDroid and Drebin. We also demonstrate the feasibility of MalScan on market-wide malware scanning by performing a statistical study on over 3 million apps. Finally, in a corpus of dataset collected from Google-Play app market, MalScan is able to identify 18 zero-day malware including malware samples that can evade detection of existing tools.

Citation Key: wu_malscan_2019