Obfuscating Function Call Topography to Test Structural Malware Detection against Evasion Attacks

Abstract

The incredible popularity of the Android mobile operating system has resulted in a massive influx of malicious applications for the platform. This malware can come from a number of sources as Google allows the installation of Android App Packages (APKs) from third parties. Even within its own Google Play storefront, however, malicious software can be found. One type of approach to identify malware focuses on the structural properties of the function call graphs (FCGs) extracted from APKs. The aim of this research work is to test the robustness of one example method in this category, named the ACTS (App topologiCal signature through graphleT Sampling) method. By extracting graphlet statistics from a FCG, the ACTS approach is able to efficiently differentiate between benign app samples and malware with good accuracy. In this work, we obfuscate the FCG of malware in several ways, and test the ACTs method against these evasion attacks. The statistical results of running ACTS against unmodified real malware samples is compared with the results of ACTS running against obfuscated versions of those same apps.