Detection of Android Malicious Obfuscation Applications Based on Multi-class Features

In recent years, obfuscation technology is more and more widely utilized by Android applications (apps). Legitimate app developers employ this technology to protect their intellectual property. However, malicious app (malapp) authors obfuscate their apps to increase the difficulty of reverse-analysis-engineer and to evade signature-based detection. Static analysis method is the main approach to detect malapps. Unfortunately, many static analysis techniques are easily thwarted by obfuscation technology. How to detect obfuscated malapps effectively is thus a big challenge. In this work, we construct a model that detects obfuscated malapps, including obfuscation detection and malapp detection. The module of obfuscation detection extracts the identifier names of classes and methods of apps as features, employing n-gram to generate a fixed-length feature vector for each app. Then it applies Support Vector Machine (SVM) for classifying apps into obfuscation or non-obfuscation. In term of the module of malapp detection, we firstly extract many kinds of features from the APK (Android package) file with static analysis technology, such as Permission, Intent and so on. Then we use SVM to evaluate the performance of this module. Extensive experimental results demonstrate the effectiveness of our methods. The accuracy of obfuscation detection reaches 90.91%, and the F-score arrives at 0.91. Besides, our malapp detection module can exactly detect 97.32% apps.