Background
Type: Conference Paper

A machine learning approach for detecting and categorizing evasion sources in Android malware

Year: 2021
Pages: 28 - 34
Authors: Deeb H., Hasan H., Torkladani B., Zamani B.

Abstract

Evasion techniques are used by some Android malware to hide their malicious behavior and to hinder their execution during the dynamic analysis process. Many tools tackle such evasions by using a manually created list of API functions (as sources of evasions) to detect them. As an important consequence, no matter how good the tool is, it can only guarantee to defeat these evasions and extract the real behavior of the malware if its list of evasion sources is complete. If some evasion sources are missing from the list, or if similar API functions are used instead, the dynamic analysis can be hindered. In this paper, we propose a machine learning approach to detect and categorize various evasion sources in Android malware. The proposed approach uses a manually collected training dataset to train two classifiers. The first classifier is used to detect the evasion nature of the Android API methods, while the second classifier is used to categorize the detected evasion sources into predefined categories. We applied the proposed approach to a large number of methods extracted from Android API 27. The proposed approach could detect hundreds of evasions, with an accuracy of 92.8% for the first classifier and 90.5% for the second classifier. The evaluation on 500 real-world samples showed that many of the evasions detected by our approach, which are indeed used by malware samples, are not considered by the state-of-the-art dynamic analysis frameworks. © 2021 IEEE.