GRAMAC: A Graph Based Android Malware Classification Mechanism

Android malware analysis has been an active area of research as the number and types of Android malwares have increased dramatically. Most of the previous works have used the permission-based model, behavioural analysis, and code analysis to identify the family of a malware. Code Analysis is weak against the obfuscated approach as it does not involve real-time execution of the application. The behavioural analysis captures the runtime behaviour but is weak when it comes to obfuscated applications. The permission-based model only uses manifest files for analysing malwares. In this paper, we propose a novel graph signature-based malware classification mechanism. The proposed graph signature uses sensitive API calls to capture the flow of control which helps to find a caller-callee relationship between the sensitive APIs and the nodes incident on them. A dataset of graph signatures of widely known malware families is then created. A new application's graph signature is compared with graph signatures in the dataset and the application is classified into the respective malware family or declared as goodware/unknown. Experiments with 15 malware families from the AMD dataset and a total of 400 applications gave an average accuracy of 0.97 with an error rate of 0.03.