
CatchMe: Android Malicious Code Localisation

Date: 15/04/2017 to 15/04/2021

Malware in mobile ecosystems has become a serious concern for all stakeholders, including users, developers, security analysts and market maintainers. Indeed, unlike traditional desktop platforms, mobile systems such as Android are overwhelmed by:

  1. Millions of applications, hundreds of which offer the same functionalities,
  2. The high similarity between apps in terms of layout and code due to pervasive use of libraries,
  3. The availability of frameworks for automating the construction, optimization and obfuscation of apps.

With the PhD proposal entitled CatchMe, we aim to contribute to research on automatically and precisely localizing malicious pieces of code in Android apps. CatchMe aims for a practical, scalable and accurate approach to localizing such malicious code by implementing a multi-level localisation process inspired by existing bug localisation approaches.

In particular, CatchMe follows a three-step approach:

  • First, we build a large ground truth of pairs of Android apps (X,Y) where Y is the malicious version of X. To that end, both piggybacked apps and apps with lineage will be investigated.
  • Second, we investigate this ground truth to better understand malware and extract features that characterize malicious code and the interaction of this code with the rest of the app.
  • Third, we develop a multi-level, practical, scalable and accurate approach to locate malicious code. The approach will first leverage the features extracted in the previous step to localize malicious packages or components. Then, a more fine-grained localization (e.g., at a method or statement level) will be performed by using techniques borrowed from the bug detection domain (e.g., code density, energy in call graph edges, etc.).

Week: Wednesday, 7 November, 2018
