LimonDroid: a system coupling three signature-based schemes for profiling Android malware

Original Article
Iran Journal of Computer Science

Abstract

Android remains an attractive target for attackers because of its openness. One line of work in the literature applies similarity measurement, such as fuzzy hashing, to counter code obfuscation techniques; these approaches suffer from limited signature databases. This work combines fuzzy hashing with YARA rules and VirusTotal, three signature-based schemes, to improve the consistency of the signature database. We propose LimonDroid, an Android system that mimics Limon, a desktop security tool that includes such schemes. LimonDroid has been tested with 341 malicious and 300 benign applications against a database of 12,925 fuzzy-hashed malware signatures, 62 YARA malware-family patterns and the VirusTotal engine. Our approach gives a true-positive rate of 97.36%, a true-negative rate of 98.33% and an accuracy of 97.82%. A comparison with similarity-based solutions shows that LimonDroid is more efficient for users. The objective is not to propose a detection approach better than those in the literature; instead, we aim at establishing a robust signature database able to identify malicious trends in Android apps.
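The fuzzy-hashing scheme the abstract builds on, as an added example that is not code from the LimonDroid paper or its repository: a simplified context-triggered piecewise hash (CTPH) in the spirit of ssdeep, a lookup of a sample against a small fuzzy-hash signature database with a similarity threshold, and the TPR/TNR/accuracy arithmetic behind the abstract's figures. The block size, window length, digest alphabet, 70% threshold, the family name and every sample byte are constructed for illustration and are not ssdeep's real parameters; the counts 332/341 malicious and 295/300 benign are the ones implied by the abstract's percentages, not figures the page states directly.

```python
"""Added example (not the LimonDroid authors' code): simplified CTPH
fuzzy hashing, signature-database lookup, and detection-rate arithmetic.
All parameters and samples below are constructed assumptions."""
from __future__ import annotations

import random
from dataclasses import dataclass

BLOCK_SIZE = 8   # assumed: cut a piece when the rolling hash is 7 mod 8
WINDOW = 7       # assumed: rolling-hash window length in bytes
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_BASIS, FNV_PRIME = 0x811C9DC5, 0x01000193


def fuzzy_hash(data: bytes) -> str:
    """One digest character per content-defined piece, so a local edit
    perturbs a few characters instead of the whole digest (the CTPH idea)."""
    window: list[int] = []
    rolling = 0
    piece = FNV_BASIS
    digest: list[str] = []
    for b in data:
        window.append(b)
        rolling += b
        if len(window) > WINDOW:
            rolling -= window.pop(0)              # rolling sum of the last WINDOW bytes
        piece = ((piece ^ b) * FNV_PRIME) & 0xFFFFFFFF   # FNV-1a over the current piece
        if rolling % BLOCK_SIZE == BLOCK_SIZE - 1:        # content-defined cut point
            digest.append(ALPHABET[piece & 0x3F])
            piece = FNV_BASIS
    if piece != FNV_BASIS:                        # flush the trailing partial piece
        digest.append(ALPHABET[piece & 0x3F])
    return "".join(digest)


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(h1: str, h2: str) -> int:
    """Score in 0..100; 100 means identical digests, 0 no resemblance."""
    if not h1 or not h2:
        return 0
    return max(0, 100 - 100 * _levenshtein(h1, h2) // max(len(h1), len(h2)))


@dataclass(frozen=True)
class Signature:
    family: str
    digest: str


def classify(sample: bytes, db: list[Signature], threshold: int = 70) -> tuple[str | None, int]:
    """(family, score) of the best database hit at or above `threshold`,
    or (None, best_score) when nothing in the database is close enough."""
    h = fuzzy_hash(sample)
    family, best = None, 0
    for sig in db:
        score = similarity(h, sig.digest)
        if score > best:
            family, best = sig.family, score
    return (family, best) if best >= threshold else (None, best)


def rates(tp: int, fn: int, tn: int, fp: int) -> dict[str, float]:
    """True-positive rate, true-negative rate and accuracy in percent."""
    return {
        "tpr": round(100 * tp / (tp + fn), 2),
        "tnr": round(100 * tn / (tn + fp), 2),
        "accuracy": round(100 * (tp + tn) / (tp + fn + tn + fp), 2),
    }


def _random_bytes(seed: int, n: int) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed corpus: a "known" sample, a lightly repacked variant of it
# (a 16-byte patch at offset 300) and an unrelated benign file.
KNOWN = _random_bytes(1, 1024)
VARIANT = KNOWN[:300] + b"PATCHED-STRING!!" + KNOWN[316:]
BENIGN = _random_bytes(2, 1024)
DB = [Signature("Constructed.FamilyA", fuzzy_hash(KNOWN))]   # hypothetical family name


def demo() -> dict[str, object]:
    return {
        "known": classify(KNOWN, DB),
        "variant": classify(VARIANT, DB),
        "benign": classify(BENIGN, DB),
        "paper_rates": rates(tp=332, fn=9, tn=295, fp=5),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The variant still matches its family because only the pieces overlapping the patch change their digest characters, while the benign file scores far below the threshold; a real deployment would pair this lookup with the YARA and VirusTotal checks the abstract describes, since a fuzzy-hash miss says nothing about samples whose family has no entry in the database.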




Acknowledgements

We convey our unfeigned thanks to Mr. Monnappa K. A., creator of Limon Sandbox, for his great collaboration, and also for providing his work to us.

Corresponding author

Correspondence to Franklin Tchakounté.

Ethics declarations

Conflict of interest

On behalf of all authors, the corresponding author states that there is no conflict of interest.



About this article

Cite this article

Tchakounté, F., Ngassi, R.C.N., Kamla, V.C. et al. LimonDroid: a system coupling three signature-based schemes for profiling Android malware. Iran J Comput Sci 4, 95–114 (2021). https://doi.org/10.1007/s42044-020-00068-w
