DroidFDR: Automatic Classification of Android Malware Using Model Checking

Android faces an increasing threat of malware attacks. The few existing formal detection methods have drawbacks such as complex code modeling, incomplete and inaccurate expression of family properties, and excessive manual participation. To this end, this paper proposes a formal detection method, called DroidFDR, for Android malware classification based on communicating sequential processes (CSP). In this method, the APK file of an application is converted to an easy-to-analyze representation, namely Jimple, in order to model the code behavior with CSP. The process describing the behavior of a sample is inputted to an FDR model checker to be simplified and verified against a process that is automatically abstracted from the malware to express the property of a family. The sample is classified by detecting whether it has the typical behavior of any family property. DroidFDR can capture the behavioral characteristics of malicious code such as control flow, data flow, procedure calls, and API calls. The experimental results show that the automated method can characterize the behavior patterns of applications from the structure level, with a high family classification accuracy of 99.06% in comparison with another formal detection method.

Automated summary

This paper proposes a formal detection method called DroidFDR for Android malware classification based on communicating sequential processes. The method converts the APK file of an application to Jimple representation to model the code behavior with CSP. The behavior of a sample is inputted to an FDR model checker to be simplified and verified against a process abstracted from the malware to express the family property. DroidFDR can capture the behavioral characteristics of malicious code and achieve high family classification accuracy.