Android Malware Detection using Multi-Flows and API Patterns

This project proposes a new technique for detecting mobile malware based on information flow analysis. Our approach focuses on the structure of the information flows gathered by our analysis and on the patterns of behavior present in those flows. The analysis gathers not only simple flows that have a single source and a single sink, but also Multi-Flows, which either start from a single source and flow to multiple sinks, or start from multiple sources and flow to a single sink. Multi-Flows capture more complex behavior that both recent malware and recent benign applications exhibit. We use N-gram analysis to identify both unique and common behavioral patterns present in Multi-Flows: our tool applies N-gram analysis to the sequences of API calls that occur along the control-flow paths of a Multi-Flow, which lets it analyze Multi-Flows precisely with respect to app behavior. We show the precision of our technique by applying it to 5 different data sets with a total of 6,214 apps; these data sets consist of older-generation benign and malicious apps as well as recent benign and malicious apps, showing the effectiveness of our approach across different generations of apps.
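As an added illustration of the grouping and N-gram steps described above (example code written for this page, not the project's tool or its data): it takes the simple flows of two constructed apps, groups flows that share a source or a sink into Multi-Flows, extracts API-call bigrams along each control-flow path, and separates the patterns unique to each app from those the apps share. The API names, the flow tuples, and the rule that a Multi-Flow is any group of two or more flows sharing a source or a sink are assumptions made for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# A simple flow: (source API, sink API, API calls along the control-flow path).
Flow = Tuple[str, str, List[str]]
NGram = Tuple[str, ...]

# Constructed sample flows for two hypothetical apps (not from the project's
# data sets). The API names are illustrative Android-style identifiers.
MALICIOUS_APP: List[Flow] = [
    ("getDeviceId", "HttpURLConnection.connect",
     ["getDeviceId", "StringBuilder.append", "URL.<init>", "HttpURLConnection.connect"]),
    ("getDeviceId", "SmsManager.sendTextMessage",
     ["getDeviceId", "StringBuilder.append", "SmsManager.sendTextMessage"]),
    ("getLine1Number", "HttpURLConnection.connect",
     ["getLine1Number", "StringBuilder.append", "URL.<init>", "HttpURLConnection.connect"]),
]
BENIGN_APP: List[Flow] = [
    ("getLastKnownLocation", "Log.d",
     ["getLastKnownLocation", "Location.getLatitude", "Log.d"]),
    ("getLastKnownLocation", "HttpURLConnection.connect",
     ["getLastKnownLocation", "Location.getLatitude", "URL.<init>", "HttpURLConnection.connect"]),
    ("getDeviceId", "HttpURLConnection.connect",
     ["getDeviceId", "StringBuilder.append", "URL.<init>", "HttpURLConnection.connect"]),
]


def group_multi_flows(flows: List[Flow]) -> Dict[Tuple[str, str], List[Flow]]:
    """Group simple flows into Multi-Flows (assumed rule for this example):
    one source reaching several sinks -> key ("source", api);
    several sources reaching one sink -> key ("sink", api).
    A source or sink touched by only one flow stays a simple flow and is omitted."""
    by_source: Dict[str, List[Flow]] = defaultdict(list)
    by_sink: Dict[str, List[Flow]] = defaultdict(list)
    for flow in flows:
        by_source[flow[0]].append(flow)
        by_sink[flow[1]].append(flow)
    multi: Dict[Tuple[str, str], List[Flow]] = {}
    multi.update({("source", s): fl for s, fl in by_source.items() if len(fl) > 1})
    multi.update({("sink", k): fl for k, fl in by_sink.items() if len(fl) > 1})
    return multi


def ngrams(seq: List[str], n: int) -> List[NGram]:
    """Sliding-window n-grams over one API-call sequence (empty if shorter than n)."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def multi_flow_profile(flows: List[Flow], n: int = 2) -> Set[NGram]:
    """Behavioral profile of an app: the set of API-call n-grams observed along
    the control-flow paths of its Multi-Flows. Simple flows are deliberately
    left out so the profile reflects only the more complex Multi-Flow behavior."""
    profile: Set[NGram] = set()
    for group in group_multi_flows(flows).values():
        for _, _, seq in group:
            profile.update(ngrams(seq, n))
    return profile


def compare_profiles(a: Set[NGram], b: Set[NGram]) -> Tuple[Set[NGram], Set[NGram], Set[NGram]]:
    """Split two profiles into (patterns unique to a, unique to b, common to both)."""
    return a - b, b - a, a & b


if __name__ == "__main__":
    mal = multi_flow_profile(MALICIOUS_APP)
    ben = multi_flow_profile(BENIGN_APP)
    only_mal, only_ben, common = compare_profiles(mal, ben)
    print("Multi-Flows (malicious):", sorted(group_multi_flows(MALICIOUS_APP)))
    print("Multi-Flows (benign):   ", sorted(group_multi_flows(BENIGN_APP)))
    print("bigrams unique to malicious app:", sorted(only_mal))
    print("bigrams unique to benign app:   ", sorted(only_ben))
    print("bigrams common to both:         ", sorted(common))
```

In this constructed pair both apps send the device identifier to a network sink, so that path's bigrams land in the common set; what separates the two profiles is the Multi-Flow behavior around the shared source and sink (the SMS path and the phone-number path), which is the kind of pattern the N-gram step is meant to surface.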