Evaluating Android Malware Detection System Against Obfuscation and Stealth Techniques

Authors

  • Shikha Badhani
  • Sunil K. Muttoo

Keywords:

Obfuscation Resilience, Android Malware Detection, API Tags, Permissions, Static Analysis

Abstract

Malicious apps targeting the Android OS have grown significantly as a result of its popularity. To stay ahead of malware creators, malware detection systems need to be evaluated against detection-evading techniques. Malware authors now frequently use obfuscation and other stealth techniques to construct malicious applications that can avoid being detected by malware detection systems. A detection system that is highly successful at identifying unobfuscated malware samples might lose its effectiveness when confronted with the same samples after they have been obfuscated. Thus, it becomes important to analyze malware detection systems against obfuscation and other stealth techniques. In this paper, we evaluate CENDroid, an Android malware detection system that uses static analysis and combines clustering and ensemble methods to develop a classifier, against various malware evasion techniques at the feature level as well as the classifier level. Experimental results show that the features used in CENDroid, API tags and permissions, displayed strong robustness against code obfuscation and app hiding techniques. A comparison of the obfuscation resilience of the API tags and permissions features with code graphs and Androguard is also presented. At the classifier level, CENDroid could detect all the malware in four test sets created by using obfuscation and app hiding techniques. Thus, CENDroid, being syntax-based, is immune to semantic-level changes that preserve the syntax of the app. This study can also be used as a framework to evaluate any Android malware detection system against obfuscation and stealth techniques, gaining insights into its strengths and weaknesses and informing potential improvements to enhance its effectiveness.

Author Biographies

Shikha Badhani

Shikha Badhani has been an Assistant Professor in the Dept. of Computer Science, Maitreyi College, University of Delhi since 2010. She obtained her Master's degree in Computer Applications (MCA) from the University of Delhi, India, in 2008. She received a B.Sc (H) in Electronics from Hansraj College, University of Delhi, India, in 2005. She is a University Gold Medalist in MCA as well as in B.Sc (H) Electronics. She completed her Ph.D. in the Dept. of Computer Science, University of Delhi in the year 2020. Her research interests include Malware Analysis, Machine Learning and Android Security.

Sunil K. Muttoo

Sunil K. Muttoo is a Retired Professor at the Department of Computer Science, Faculty of Mathematical Sciences, University of Delhi, India. He received his PhD in Coding Theory and M.Phil. in Mathematics from the University of Delhi and M.Tech. in Computer Science and Data Processing from IIT, Kharagpur. His areas of interest include Information Hiding, Coding Theory and E-Governance. He has over 100 publications at national and international forums.

Published

2023-10-13

Section

Articles