Affiliation:
1. Beijing University of Posts and Telecommunications, Beijing, China
2. Huazhong University of Science and Technology, Wuhan, China
3. SKLOIS, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
4. The Hong Kong Polytechnic University, Hong Kong, China
5. Peking University, Beijing, China
Abstract
Mobile malware detection has attracted massive research effort in our community. A reliable and up-to-date malware dataset is critical to evaluate the effectiveness of malware detection approaches. Essentially, the malware ground truth should be manually verified by security experts, and their malicious behaviors should be carefully labelled. Although there are several widely-used malware benchmarks in our community (e.g., MalGenome, Drebin, Piggybacking and AMD, etc.), these benchmarks face several limitations including out-of-date, size, coverage, and reliability issues, etc. In this paper, we first make efforts to create MalRadar, a growing and up-to-date Android malware dataset using the most reliable way, i.e., by collecting malware based on the analysis reports of security experts. We have crawled all the mobile security related reports released by ten leading security companies, and used an automated approach to extract and label the useful ones describing new Android malware and containing Indicators of Compromise (IoC) information. We have successfully compiled MalRadar, a dataset that contains 4,534 unique Android malware samples (including both apks and metadata) released from 2014 to April 2021 by the time of this paper, all of which were manually verified by security experts with detailed behavior analysis. Then we characterize the MalRadar dataset from malware distribution channels, app installation methods, malware activation, malicious behaviors and anti-analysis techniques. We further investigate the malware evolution over the last decade. At last, we measure the effectiveness of commercial anti-virus engines and malware detection techniques on detecting malware in MalRadar. Our dataset can be served as the representative Android malware benchmark in the new era, and our observations can positively contribute to the community and boost a series of research studies on mobile security.
Publisher
Association for Computing Machinery (ACM)
Subject
Computer Networks and Communications,Hardware and Architecture,Safety, Risk, Reliability and Quality,Computer Science (miscellaneous)
Reference74 articles.
1. 2016. Android banking trojan masquerades as Flash Player and bypasses 2FA. https://www.welivesecurity.com/2016/ 03/09/android-trojan-targets-online-banking-users/. 2016. Android banking trojan masquerades as Flash Player and bypasses 2FA. https://www.welivesecurity.com/2016/ 03/09/android-trojan-targets-online-banking-users/.
2. 2016. RuMMS: The Latest Family of Android Malware Attacking Users in Russia Via SMS Phishing. https://www. fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html. 2016. RuMMS: The Latest Family of Android Malware Attacking Users in Russia Via SMS Phishing. https://www. fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html.
3. 2017. Analyzing Xavier: An Information-Stealing Ad Library on Android. https://blog.trendmicro.com/trendlabssecurity-intelligence/analyzing-xavier-information-stealing-ad-library-android/. 2017. Analyzing Xavier: An Information-Stealing Ad Library on Android. https://blog.trendmicro.com/trendlabssecurity-intelligence/analyzing-xavier-information-stealing-ad-library-android/.
4. 2017. Coin Miner Mobile Malware Returns Hits Google Play. https://blog.trendmicro.com/trendlabs-securityintelligence/coin-miner-mobile-malware-returns-hits-google-play/. 2017. Coin Miner Mobile Malware Returns Hits Google Play. https://blog.trendmicro.com/trendlabs-securityintelligence/coin-miner-mobile-malware-returns-hits-google-play/.
5. 2017. Dvmap: the first Android malware with code injection. https://securelist.com/dvmap-the-first-android-malwarewith-code-injection/78648/. 2017. Dvmap: the first Android malware with code injection. https://securelist.com/dvmap-the-first-android-malwarewith-code-injection/78648/.
Cited by
10 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献