Maaker: A framework for detecting and defeating evasion techniques in Android malware
Abstract
Dynamic analysis is a prominent approach for understanding the real behavior of Android malware. Malware mainly relies on evasion techniques to undermine dynamic analysis. Although different approaches have been proposed to tackle evasive malware, they suffer from several limitations; e.g., most of them use static analysis to detect the evasions, which can be defeated by anti-static-analysis techniques. On the other hand, to defeat the evasions, they use different execution methods that cause crashes in some cases. To address the challenges of detecting and defeating malware evasions, we propose Maaker, a novel framework that utilizes both static and dynamic analysis through hybrid execution along with a human-in-the-loop approach. Maaker takes advantage of Model Driven Engineering (MDE) to facilitate putting the human in the loop, so that his/her knowledge can be used to tackle different evasions and extract the real malicious behavior with little effort. Maaker is compared with the Ares, IntelliDroid and Defuzer tools. We used malware samples from the AMD dataset to compare the tools on several criteria, including the number of detected evasions, reached targets, required executions, and the time required to reach the targets. Evaluation results show that Maaker outperforms the three rival tools regarding effectiveness, efficiency, and scalability. © 2023 Elsevier Ltd