    Mobile Malware Detection and Mitigation

    FaghihiGhazvini_SeyedFarnood_202205_PHD.pdf (6.696Mb)
    Author
    Faghihi, Farnood
    Abstract
    As the number of discovered mobile malicious programs increases every year, malware is becoming more advanced and attacks are becoming more complex. Hence, it is critical to enhance mobile malware mitigation methods and develop new tools and techniques to combat state-of-the-art mobile malware. The uniqueness of smartphones in terms of hardware, software, and energy constraints poses new challenges to traditional malware detection methods and renders many techniques ineffective or inefficient for mobile platforms. This thesis offers techniques and tools that can be used together to mitigate mobile malware, making application marketplaces and user devices more secure. The thesis presents RansomCare, a mobile crypto-ransomware detection and mitigation method to protect mobile user data. RansomCare detects and neutralizes crypto-ransomware on smartphones in real time, employing dynamic and lightweight static analysis. In case of a crypto-ransomware attack, it recovers lost files while preserving data privacy. We also investigate the threat of advanced mobile crypto-ransomware, which is aware of the existing methods and mimics the data manipulation patterns of legitimate applications. By implementing an Android application called Maskware, we demonstrate that such ransomware can evade common data-centric metrics such as file entropy, structure, and data transformation. A solution is proposed to detect and neutralize Maskware. The thesis also offers some solutions to mitigate the spread of mobile malware. We present CamoDroid, an open-source and extendable dynamic analysis framework that is resilient against detection by evasive Android malware. CamoDroid cloaks the existence of the analysis environment and provides a broad view of an application's behavior by monitoring and logging the dangerous API calls executed by the application. We provide an Android Interpretable Malware detection method (AIM). AIM is based on a novel application class modeling and utilizes intelligent hybrid analysis and a neural network classifier. AIM can distinguish malware from benign applications and identifies the malicious parts of malware applications using the attention mechanism. The evaluation results show the effectiveness of the proposed methods in mitigating mobile malware.
    URI for this record
    http://hdl.handle.net/1974/30131
    Collections
    • School of Computing Graduate Theses
    • Queen's Graduate Theses and Dissertations

    DSpace software copyright © 2002-2015  DuraSpace