Modeling Neglected Functions of Android Applications to Effectively Detect Malware
AHMADI, MANSOUR
2017-04-11
Abstract
With more than two million applications, Android marketplaces require automatic and scalable methods to efficiently vet apps for the absence of malicious threats. At the same time, modern malware is designed with obfuscation characteristics, which causes an enormous growth in the number of malware samples. Classifying this huge number of malware samples on the basis of their behaviors is essential for the computer security community. Although there are quite a good number of classification techniques, researchers often neglect to model some parts of applications that might be misused by adversaries. In this thesis, we aim to show how the accuracy of malware classifiers can be improved by considering some neglected functions of Android applications. To this end, we first conduct a comprehensive survey of Android security issues with a focus on application analysis. Then, we model three important functions of Android applications, namely the HTTP communication channel, the GCM communication channel, and code hiding techniques (e.g., dynamic code loading), to outperform the existing classification techniques. We support our claim by performing experiments on a large set of Android applications and demonstrate the power of carefully engineered features for building an effective learning-based malware classification system.

| File | Size | Format | |
|---|---|---|---|
| phd.pdf (open access; description: PhD thesis) | 1.51 MB | Adobe PDF | View/Open |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.