DroidClone: Detecting Android Malware Variants by Exposing Code Clones
Abstract
According to the Symantec threat report, the total number of new malware variants added in 2013 and 2014 was 252 million and 317 million (a 26% increase from 2013), respectively. Mobile malware development in 2013 and 2014 continues to focus exclusively (99%) on the Android platform. For detecting malware, if parts of a malware family match parts of a program, this provides strong evidence that the program is or contains malware. Based on this hypothesis, we propose DroidClone, which exposes code clones (segments of code that are similar) in Android applications to help detect malware variants. DroidClone uses a new Malware Analysis and Intermediate Language (MAIL) for finding code clones in Android applications. MAIL helps DroidClone use specific control flow patterns to reduce the effect of obfuscations, and provides automation and platform independence. Unlike other works, DroidClone is able to detect both bytecode and native code Android malware variants. When tested with traditional malware variants, it achieves a detection rate (DR) of 97.85%, compared to the other two works, DroidSim and NiCad, which achieved a DR of 89.62% and 83.11%, respectively.








