Conference Paper

Effectiveness of Android Obfuscation on Evading Anti-malware


Abstract

Obfuscation techniques have been conventionally used for legitimate applications, including preventing application reverse engineering, tampering and protecting intellectual property. A malware author could also leverage these benign techniques to hide their malicious intents and evade anti-malware detection. As variants of known malware have been regularly found on the Google Play Store, transformed malware attacks are a real problem that security solutions today need to address. It has been proven that mainstream security tools installed on smartphones are mainly signature-based; our work focuses on evaluating the efficiency of a composite of obfuscation techniques in evading anti-malware detection. We further verified the trend of transformed malware in evading detection, with a larger and more updated database of known malware. This is also the first work to-date that presents the instability of some anti-malware tools (AMTs) against obfuscated malware. This work also proved that current mainstream AMTs do not build up resilience against obfuscation methods, but instead try to update the signature database on created variants.


... The authors used different obfuscation techniques to evaluate the anti-malware tools, using only one of the obfuscation methods at a time. Chua & Balachandran (2018) proposed an automated framework consisting of four obfuscation techniques (i.e., try-catch, method overloading, opaque predicate, and switch statement obfuscation). VirusTotal API is used to identify the malware samples. ...
... In the above literature as shown in Table 2, most of the related works (Preda & Maggi, 2017;Hammad, Garcia & Malek, 2018;Bakour, Ünver & Ghanem, 2019;Chua & Balachandran, 2018;Balachandran et al., 2016) use a limited number of obfuscation techniques and their combinations. In Chua & Balachandran (2018), only basic four obfuscation techniques (i.e., try-catch, method overloading, opaque predicate, and switch statement obfuscation) are used. However, the combinations of these techniques are not experimented with to evaluate the anti-malware tools. ...
Article
The Android mobile platform is the most popular and dominates the cell phone market. With the increasing use of Android, malware developers have become active in circumventing security measures by using various obfuscation techniques. The obfuscation techniques are used to hide the malicious code in the Android applications to evade detection by anti-malware tools. Some attackers use the obfuscation techniques in isolation, while some attackers use a mixed approach (i.e., employing multiple obfuscation techniques simultaneously). Therefore, it is crucial to analyze the impact of the different obfuscation techniques, both when they are used in isolation and when they are combined as hybrid techniques. Several studies have suggested that the obfuscation techniques may be more effective when used in a mixed pattern. However, in most of the related works, the obfuscation techniques used for analysis are either based on individual or a combination of primitive obfuscation techniques. In this work, we provide a comprehensive evaluation of anti-malware tools to gauge the impact of complex hybrid code-obfuscation techniques on malware detection capabilities of the prominent anti-malware tools. The evaluation results show that the inter-category-wise hybridized code obfuscation results in more evasion as compared to the individual or simple hybridized code obfuscations (using multiple and similar code obfuscations) which most of the existing related work employed for the evaluation. Obfuscation techniques significantly impact the detection rate of any anti-malware tool. The remarkable result, i.e., almost 100% best detection rate is observed for the seven out of 10 tools when analyzed using the individual obfuscation techniques, four out of 10 tools on category-wise obfuscation, and not a single anti-malware tool attained full detection (i.e., 100%) for inter-category obfuscations.
... Specifically, we focused on precision (PR), recall (RC), F1 and False Positive Rate (FPR). 5 The Factorization Machine, Multi-Layer Perceptron and Naive Bayes models all produce probabilities that a given sample is malware. If this probability was greater than a certain threshold, 0.5 in this experiment unless otherwise stated, it was classified as malware for the purposes of cross-validation and out-of-sample test results. ...
... Finally, in our experiments, we observed failures for some files, more with malware samples than clean files. This is expected as malware samples may use some additional techniques such as code obfuscation [5] that may lead to decompiling failures. While this limits the effectiveness of Android malware detection schemes that extract features from apk files, it is a fault of the decompiling tools available, is tangential to the main topic of this paper, but may also serve as an avenue for future research. ...
... Many recent papers have tried to find malicious behavior patterns through control flow graphs or call graphs, although these can be obfuscated by ''method overloading'' [5]. AppContext [38] classifies applications using machine learning based on the contexts that trigger security-sensitive behaviors. ...
Article
As the popularity of Android smart phones has increased in recent years, so too has the number of malicious applications. Due to the potential for data theft that mobile phone users face, the detection of malware on Android devices has become an increasingly important issue for the field of cyber security. Traditional methods like signature-based routines are unable to protect users from the ever-increasing sophistication and rapid behavior changes in new types of Android malware. Therefore, a great deal of effort has been made recently to use machine learning models and methods to characterize and generalize the malicious behavior patterns of mobile apps for malware detection. In this paper, we propose a novel and highly reliable classifier for Android Malware detection based on a Factorization Machine architecture and the extraction of Android app features from manifest files and source code. Our results indicate that the numerical feature representation of an app typically results in a long and highly sparse vector and that the interactions among different features are critical to revealing malicious behavior patterns. After performing an extensive performance evaluation, our proposed method achieved a test result of 100.00% precision score on the DREBIN dataset and 99.22% precision score with only 1.10% false positive rate on the AMD dataset. These metrics match the performance of state-of-the-art machine-learning-based Android malware detection methods and several commercial antivirus engines with the benefit of training up to 50 times faster.
... Obfuscation refers to changing the structure of code so that the semantics of code are concealed from analysts. It has been stated by Ref. [16] that modern anti-malware tools are unable to detect obfuscated malicious applications; therefore, analyzing obfuscation is a key challenge in malware detection. Many studies such as Refs. ...
... Many studies such as Refs. [16][17][18] have estimated the effect of obfuscation on the detection accuracy of anti malware products. It has been stated by Ref. [10] that the performance of anti-malware tools is downgraded by a significant percentage when the samples are obfuscated. ...
Article
The widespread use of obfuscation techniques in malware creation is a challenging problem for detection systems. Obfuscation is also being applied in applications of an Android platform for changing the signature of known applications and hiding the semantics of suspicious new applications. Obfuscation significantly affects static analysis schemes as the structure of the application is not a true representative of its behavior or is totally incomprehensible in case of encryption. The design of obfuscation independent schemes for malware detection and categorization is a critical task in designing malware detection schemes. The focus of this study is to find and evaluate features that are representative of the application’s behavior as well as independent of most obfuscation techniques. It has been found that memory-based features extracted from kernel task structure contain much information about the working of the application and are not affected by obfuscation schemes as they model the run time behavior of the application. In this study, an application’s profile is generated from the kernel task structure of the process in memory. All extracted features of the kernel task structure are thoroughly analyzed for their significance in classification. The proposed system is then tested for different obfuscation schemes in order to determine the effectiveness against malicious obfuscated applications. The results reveal that the proposed solution is able to detect the obfuscated malicious applications accurately.
... This group consists of 15 studies. [8]- [10], [13], [16]- [21] DROIDcat dataset (http://www.people.vcu.edu/~rashidib/Res_files/DroidCatDataset.htm) [22] Generator Malware GVDG (https://hackforums.net) [12] Genome (http://www.malgenomeproject.org/) ...
... Literature API/web [25], [27], [28], [45] Android [8], [9], [21]- [24], [33], [10], [13], [14], [16]- [20] Cognitive Radio [44] Linux [47] PDF [49] Windows [2], [12], [36]- [43], [46], [47], [15], [48], [26], [29]- [32], [34], [35] There are two limitations to this study. Firstly, we use the general terms of malware to define the malware itself. ...
... For example, Graziano et al. [34] use VirusTotal's detection rate as one of their features to train their system. For the rest nine papers, the authors submit samples to VirusTotal, to show their detection techniques outperform VirusTotal engines [53,80], or to confirm that they have identified important security issues [19,50,56], or to demonstrate the effectiveness of malware obfuscations [25,52,54,86]. ...
... The waiting time varies from ten days [58] to more than two years [18]. Others submit the files multiple times to see the differences [25,41,67,79,83]. ...
... With time, the techniques to avoid detection have grown in complexity and sophistication [2]. For example, Chua et al. [8] proposed a framework to automatically obfuscate Android applications' source code using method overloading, opaque predicates, try-catch, and switch statement obfuscation, creating several versions of the same malware. Also, machine learning approaches have been used to create evading malware [9], based on a corpus of pre-existing malware [5]. ...
Preprint
WebAssembly is a binary format that has become an essential component of the web nowadays. Providing a faster alternative to JavaScript in the browser, this new technology has been embraced from its early days to create cryptomalware. This has triggered a solid effort to propose defenses that can detect WebAssembly malware. Yet, no defensive work has assumed that attackers would use evasion techniques. In this paper, we study how to evade WebAssembly cryptomalware detectors. We propose a novel evasion technique based on a state-of-the-art WebAssembly binary diversifier. We use the worldwide authoritative VirusTotal as malware detector to evaluate our technique. Our results demonstrate that it is possible to automatically generate variants of WebAssembly cryptomalware, which evade the considered strong detector. Remarkably, the variants introduce limited performance overhead. Our experiments also provide novel insights about which WebAssembly code transformations are the best suited for malware evasion. This provides insights for the community to improve the state of the art of WebAssembly malware detection.
... Chua and Balachandran [20] presented a detailed framework having various obfuscation techniques like switch function, method overloading, try-catch function, and opaque predicate. The latest malware use these techniques to bypass the detection of AMTs as listed on VirusTotal [21]. ...
... The NTSC report published in 2020 2 reported that 27% of organizations globally were impacted by malware attacks sent via Android mobile devices. In recent times, we have seen malware producers employ techniques such as obfuscation , Chua and Balachandran [2018], Bacci et al. [2018] and repackaging Song et al. [2017], Lee et al. [2019], , mostly through the change of static features Zhu et al. [2018], Sun et al. [2017], Hu et al. [2014] to avoid detection. Realizing the trend in the growth of mobile-based malware attacks, there have been numerous Artificial Intelligence (AI)-based defense techniques proposed Vasan et al. [2020], Luo and Lo [2017], , Makandar and Patrot [2018], Hsiao et al. [2019], Singh et al. [2019]. ...
Preprint
Malware authors apply different obfuscation techniques on the generic feature of malware (i.e., unique malware signature) to create new variants to avoid detection. Existing Siamese Neural Network (SNN) based malware detection methods fail to correctly classify different malware families when similar generic features are shared across multiple malware variants resulting in high false-positive rates. To address this issue, we propose a novel Task-Aware Meta Learning-based Siamese Neural Network resilient against obfuscated malware while able to detect malware trained with one or a few training samples. Using entropy features of each malware signature alongside image features as task inputs, our task-aware meta-learner generates the parameters for the feature layers to more accurately adjust the feature embedding for different malware families. In addition, our model utilizes meta-learning with the extracted features of a pre-trained network (e.g., VGG-16) to avoid the bias typically associated with a model trained with a limited number of training samples. Our proposed approach is highly effective in recognizing unique malware signatures, thus correctly classifying malware samples that belong to the same malware family even in the presence of obfuscation techniques applied to malware. Our experimental results, validated with N-way on N-shot learning, show that our model is highly effective in classification accuracy exceeding the rate >91% compared to other similar methods.
... The permission mechanism of Android is coarse-grained, and users are usually ignorant of the sought permissions. Hackers also proposed the attacks that can bypass the permission mechanism [1][2][3]. As a result, the effective detection of malware is very important to mitigate security threats in the Android ecosystem. ...
Article
The malicious APK (Android Application Package) makers use some techniques such as code obfuscation and code encryption to avoid existing detection methods, which poses new challenges for accurate virus detection and makes it more and more difficult to detect the malicious code. A report indicates that a new malicious app for Android is created every 10 seconds. To combat this serious malware activity, a scalable malware detection approach is needed, which can effectively and efficiently identify the malware apps. Common static detection methods often rely on Hash matching and analysis of viruses, which cannot quickly detect new malicious Android applications and their variants. In this paper, a malicious Android application detection method is proposed, which is implemented by the deep network fusion model. The hybrid model only needs to use the sample training model to achieve high accuracy in the identification of the malicious applications, which is more suitable for the detection of the new malicious Android applications than the existing methods. This method extracts the static features in the core code of the Android application by decompiling APK files, then performs code vectorization processing, and uses the deep learning network for classification and discrimination. Our experiments with a data set containing 10,170 apps show that the decisions from the hybrid model can increase the malware detection rate significantly on a real device, which verifies the superiority of this method in the detection of malicious codes.
... Chua and Balachandran [20] presented a detailed framework having various obfuscation techniques like switch function, method overloading, try-catch function, and opaque predicate. The latest malware use these techniques to bypass detection of AMTs as listed on VirusTotal [21]. ...
Article
In the past few years, Android security is enhanced and state-of-the-art anti-malware tools have been introduced to counter Android malware. These tools use both static and dynamic analysis techniques to detect malicious applications. Despite these, the attack surface against Android phones has risen exponentially and malware detection tools have failed to counter sophisticated threats. Therefore, there is a need to audit and evaluate Anti Malware Solutions (AMTs). In our research, we have analyzed various Android malware evasion techniques, along with their pros and cons. Moreover, we conducted a detailed comparison of existing anti-malware tools and measured their efficacy against the discussed evasion techniques. Finally, a more sophisticated anti-malware evasion technique is proposed that uses exhaustive obfuscation and remote code execution to audit static and dynamic detection capabilities of AMTs. The proposed technique is practically validated and results prove that it evades all known anti-malware solutions. This technique can be utilized by anti-malware solution providers for making their products more resilient and powerful.
... Hence, the coders have learned that hash evaded using the packing technique for payload the malwares in the compressing layer [1]. The existing familiar methods have widely adopted many static and dynamic methods for recovering the payloads in a packed code, but they are not usually as effective as expected [2]. If the given malware is either packed or encrypted, it is a challenging task to analyze them. ...
Article
Repacked mobile applications and obfuscation attacks constitute a significant threat to the Android technological ecosystem. A novel method using the Constant Key Point Selection and Limited Binary Pattern Feature (CKPS: LBP) extraction-based Hashing has been proposed to identify repacked Android applications in previous works. Although the approach was efficient in detecting the repacked Android apps, it was not suitable for detecting obfuscation attacks. Additionally, the time complexity needed improvement. This paper presents an optimization technique using Scalable Bivariant Feature Transformation extract optimum feature-points extraction, and the Harris method applied for optimized image hashing. The experiments produced better results than the CKPS: LBP method in terms of execution time. Further, the proposed method is extended to detect obfuscation of malware attacks by detecting the packed executables, which is the initial step in obfuscation attack detection.
... Evasion and obfuscation techniques [48][49] deployed by malware to elude detection have made the Google Play Store insecure despite the tremendous effort of Google and the associated companies to review Android applications to avoid malware distribution. Android malware keeps emerging daily. ...
Article
The emergence and rapid development in complexity and popularity of Android mobile phones has created proportionate destructive effects from the world of cyber-attack. The Android-based device platform is experiencing great threats from different attack angles such as DoS, botnets, phishing, social engineering, malware and others. Among these threats, malware attacks on Android phones have become a daily occurrence. This is due to the fact that Android has millions of users, high computational abilities, popularity, and other essential attributes. These factors influence cybercriminals (especially malware writers) to focus on Android for financial gain, political interest, and revenge. This calls for effective techniques that could detect these malicious applications on Android devices. This paper aims to provide a systematic review of the malware detection techniques used for Android devices. The results show that most detection techniques are not very effective to detect zero-day malware and other variants that deploy obfuscation to evade detection. The critical appraisal of the study identified some of the limitations in the detection techniques that need improvement for better detection.
... Besides the above techniques, java reflection techniques and bytecode encryptions are the strongest obfuscation techniques employed by them for evasion. Melissa et al. [2] proposed a variety of powerful obfuscation techniques to generate large malware variants that evade antimalwares. The antimalwares that employ signature based detection cannot identify obfuscated malwares due to the complex camouflaging techniques. ...
... Static structure analysis can reveal all possible execution paths in a scalable manner, not just those actually followed. Static checkers have, however, faced problems in disassembling the executable code and identifying complex obfuscation (Moser, Kruegel, & Kirda, 2007;Chua & Balachandran, 2018) when attempting to reconstruct the original malware code. ...
Thesis
Modern antivirus systems (AVSs) are not able to detect new polymorphic malware variants until they emerge, even when signatures of one or more variants belonging to a specific polymorphic malware family are known. Polymorphic malware can transform into functionally identical variants of themselves. Polymorphism changes the order of the viral code but not typically the code itself to avoid signature-based detection. Current AVSs detect malware by adopting signatures based on the most essential parts of a known virus, such as execution traces, instruction sequences, etc. Virus writers exploit the weaknesses of malware signature databases by creating new variants using the same engine employed by an already existing polymorphic malware family. In this thesis, virus detection and signature extraction techniques are presented. These techniques were developed by exploring string matching techniques traditionally employed in biosequence analysis. The main contribution of these matching techniques is to extract syntactic patterns (i.e. conserved regions/sequences) from semantically rich polymorphic hex code. These extracted syntactic patterns act as signatures and are used in the identification of polymorphic malware variants belonging to the same family. Moreover, these extracted syntactic patterns can help in identifying new variants that make simple alterations to their newly generated variants. The string matching approaches presented in this thesis may revolutionise our knowledge of polymorphic variant generation and give rise to a new era of string-based syntactic AVSs.
Article
Malware is often hidden in illegitimately cloned software. Android, with over two billions active devices, is one of the most affected platforms because code cloning is quite simple and there are several not controlled markets. Obfuscation is both a cause and a solution to this scenario: a cause because obfuscated malware is harder to detect, a solution because obfuscation of legitimate applications makes code cloning more difficult. A deeper understanding of the obfuscation techniques would lead to more effective and aware use. In the literature, there are few methods of obfuscation detection with limited accuracy. Manual reverse engineering is too time-consuming to achieve this purpose, we need faster and automated techniques. In this work, we propose several deep learning models that can detect and classify the presence of obfuscation in Android applications. In addition to classical ML methods, we leverage natural language processing or image recognition approaches, then with a hybrid model, we exploit the best of each approach. Tests over a large dataset, made using different obfuscation tools, showed improvements compared to previous obfuscation detection methods. We target four obfuscation classes: identifier renaming, string encryption, reflection and class encryption, achieving an average F-measure of 0.985.
Article
Although a previous study shows that existing Anti-malware tools (AMTs) may have high detection rate, the report is based on existing malware and thus it does not imply that AMTs can effectively deal with future malware. It is desirable to have an alternative way of auditing AMTs. In our previous work, we use malware samples from Android malware collection GENOME to summarize a malware meta-model for modularizing the common attack behaviors and evasion techniques in reusable features. We then combine different features with an evolutionary algorithm, in which way we evolve malware for variants. Previous results have shown that the existing AMTs only exhibit detection rate of 20%-30% for 10,000 evolved malware variants. In this paper, based on the modularized attack features, we apply the dynamic code generation and loading techniques to produce malware so that we can audit the AMTs at runtime. We implement our approach, named MYSTIQUE-S, as a service-oriented malware generation system. MYSTIQUE-S automatically selects attack features under various user scenarios and delivers the corresponding malicious payloads at runtime. Relying on dynamic code binding (via service) and loading (via reflection) techniques, MYSTIQUE-S enables dynamic execution of payloads on user devices at runtime. Experimental results on real-world devices show that existing AMTs are incapable of detecting most of our generated malware. Last, we propose the enhancements for existing AMTs.
Conference Paper
Software released to the user has the risk of reverse engineering attacks. Software control flow obfuscation is one of the techniques used to make the reverse engineering of software programs harder. Control flow obfuscation obscures the control flow of the program so that it is hard for an analyzer to decode the logic of the program. In this paper, we propose an obfuscation algorithm which obscures the control flow across functions. In our method, code fragments from each function are stripped from the original function and are stored in another function. Each function will be having code fragments from different functions, thereby creating a function level shuffled version of the original program. Control flow is obscured between and within the function by this method. Experimental results indicate that the algorithm performs well against automated attacks.
Conference Paper
The analogies between computer malware and biological viruses are more than obvious. The very idea of an artificial ecosystem where malicious software can evolve and autonomously find new, more effective ways of attacking legitimate programs and damaging sensitive information is both terrifying and fascinating. The paper proposes two different ways for exploiting an evolutionary algorithm to devise malware: the former targeting heuristic-based anti-virus scanner; the latter optimizing a Trojan attack. Testing the stability of a system against a malware-based attack, or checking the reliability of the heuristic scan of anti-virus software against an original malware application could be interesting for the research community and advantageous to the IT industry. Experimental results show the feasibility of the proposed approaches on simple real-world test cases.
Conference Paper
Malicious applications pose a threat to the security of the Android platform. The growing amount and diversity of these applications render conventional defenses largely ineffective and thus Android smartphones often remain unprotected from novel malware. In this paper, we propose DREBIN, a lightweight method for detection of Android malware that enables identifying malicious applications directly on the smartphone. As the limited resources impede monitoring applications at run-time, DREBIN performs a broad static analysis, gathering as many features of an application as possible. These features are embedded in a joint vector space, such that typical patterns indicative for malware can be automatically identified and used for explaining the decisions of our method. In an evaluation with 123,453 applications and 5,560 malware samples DREBIN outperforms several related approaches and detects 94% of the malware with few false alarms, where the explanations provided for each detection reveal relevant properties of the detected malware. On five popular smartphones, the method requires 10 seconds for an analysis on average, rendering it suitable for checking downloaded applications directly on the device.
Article
Android apps are vulnerable to reverse engineering, which makes app tampering and repackaging relatively easy. While obfuscation is widely known to make reverse engineering harder, there is still a lack of Android obfuscation solution that realizes effective control-flow obfuscation, and make the resulting obfuscated apps sufficiently more complex from the app execution flow's viewpoint. This paper presents our control-flow obfuscation techniques for Android apps at the Dalvik bytecode level. Our three proposed schemes go beyond simple control-flow transformations employed by existing Android obfuscators, and make it difficult for static analysis to determine the actual app control flows. To realize this, we also address a previously-unsolved register-type conflict problem that can be raised by the verifier module of the Android runtime system by means of a type separation technique. Our analysis and experimentation show that the schemes can offer effective obfuscation with reasonable performance and size overheads. Combined with the existing data and layout obfuscation techniques, our schemes can offer attractive measures to hinder reverse engineering and code analysis on Android apps, and help safeguard Android app developers' heavy investment in their apps.
Conference Paper
Smartphones in general and Android in particular are increasingly shifting into the focus of cybercriminals. For understanding the threat to security and privacy it is important for security researchers to analyze malicious software written for these systems. The exploding number of Android malware calls for automation in the analysis. In this paper, we present Mobile-Sandbox, a system designed to automatically analyze Android applications in two novel ways: (1) it combines static and dynamic analysis, i.e., results of static analysis are used to guide dynamic analysis and extend coverage of executed code, and (2) it uses specific techniques to log calls to native (i.e., "non-Java") APIs. We evaluated the system on more than 36,000 applications from Asian third-party mobile markets and found that 24% of all applications actually use native calls in their code.
Conference Paper
Mobile malware threats have recently become a real concern. In this paper, we evaluate the state-of-the-art commercial mobile antimalware products for Android and test how resistant they are against various common obfuscation techniques (even with known malware). Such an evaluation is important for not only measuring the available defense against mobile malware threats but also proposing effective, next-generation solutions. We developed DroidChameleon, a systematic framework with various transformation techniques, and used it for our study. Our results on ten popular commercial anti-malware applications for Android are worrisome: none of these tools is resistant against common malware transformation techniques. Moreover, the transformations are simple in most cases and anti-malware tools make little effort to provide transformation-resilient detection. Finally, in the light of our results, we propose possible remedies for improving the current state of malware detection on mobile devices.