The number of Android malware has increased greatly during the last few years. Static analysis is widely used in detecting such malware by analyzing the code without execution. However, the effectiveness of current tools depends on the app model as well as the malware detection algorithm that analyzes the app model. If the model and/or the algorithm is inadequate, then sophisticated attacks that are triggered by a specific sequence of events will not be detected. This paper presents the Dexteroid framework, which is based on reverse-engineered life cycle models that accurately capture the behaviors of Android components. Furthermore, Dexteroid systematically derives event sequences from the models, and uses them to detect attacks launched by specific ordering of events. A prototype implementation of Dexteroid has been used to conduct a series of experiments, which show that the proposed framework is effective and efficient in terms of precision, recall, and execution time.
View on arXiv