Android, the most popular mobile OS, has around 78% of the mobile market share. Due to its popularity, it attracts many malware attacks. In fact, around one million new malware samples are discovered per quarter, and it has been reported that over 98% of these new samples are "derivatives" (or variants) of existing malware families. In this paper, we first show that the runtime behaviors of malware's core functionalities are similar within a malware family. Hence, we propose a framework that combines "runtime behavior" with "static structures" to detect malware variants. We present the design and implementation of MONET, which consists of a client module and a backend server module. The client module is a lightweight, in-device app for behavior monitoring and signature generation, which we realize using two novel interception techniques. The backend server is responsible for large-scale malware detection. We collect 3723 malware samples and the top 500 benign apps to carry out extensive experiments on detecting malware variants and defending against malware transformation. Our experiments show that MONET achieves around 99% accuracy in detecting malware variants. Furthermore, it can defend against 10 different obfuscation and transformation techniques, while incurring only around 7% performance overhead and about 3% battery overhead. More importantly, MONET automatically alerts users with intrusion details so as to prevent further malicious behavior.
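The abstract's central claim is that a family's core runtime behavior survives the transformations that defeat purely static signatures. The toy matcher below is an added illustration, not MONET's code or its actual signature format: it compares a sample against a family on two axes, a bag of n-grams over the sensitive framework APIs observed at runtime (which contains no app identifiers, so renaming and inserted junk calls leave it unchanged) and a bag of static caller-to-callee edges (which a renaming transformation rewrites). The family trace, class names, sensitive-API list, weights and threshold are all constructed for the demo.

```python
# Added illustration, not MONET's code: a toy "runtime behavior + static structure"
# variant matcher. All traces, class names, weights and thresholds are constructed.
from collections import Counter

# Framework APIs a behavior monitor would treat as sensitive (assumed list).
SENSITIVE_PREFIXES = ("TelephonyManager.", "SmsManager.", "HttpURLConnection.",
                      "ContactsContract.", "Runtime.exec")


def behavior_signature(trace, n=2):
    """Bag of n-grams over the sensitive framework APIs seen at runtime.
    Only API names appear, never the app's own class/method names, so
    identifier renaming and inserted junk calls do not change it."""
    core = [api for api in trace if api.startswith(SENSITIVE_PREFIXES)]
    return Counter(tuple(core[i:i + n]) for i in range(len(core) - n + 1))


def structure_signature(call_edges):
    """Bag of (caller method -> callee API) edges from static analysis.
    Callers are app code, so a renaming transformation rewrites them."""
    return Counter(call_edges)


def weighted_jaccard(a, b):
    """Multiset Jaccard similarity between two Counters (0.0 .. 1.0)."""
    inter = sum((a & b).values())
    union = sum((a | b).values())
    return inter / union if union else 0.0


def variant_score(sample, family, w_behavior=0.7):
    """Combine behavior and structure similarity; the 0.7/0.3 split is an assumption."""
    b = weighted_jaccard(behavior_signature(sample["trace"]),
                         behavior_signature(family["trace"]))
    s = weighted_jaccard(structure_signature(sample["edges"]),
                         structure_signature(family["edges"]))
    return w_behavior * b + (1 - w_behavior) * s


def is_variant(sample, family, threshold=0.5):
    """Flag the sample as a variant of the family above an assumed threshold."""
    return variant_score(sample, family) >= threshold


# Constructed family signature: a hypothetical SMS-fraud family that fingerprints
# the device, sends premium SMS twice and reports to a server.
FAMILY = {
    "trace": ["TelephonyManager.getDeviceId", "TelephonyManager.getSubscriberId",
              "SmsManager.sendTextMessage", "SmsManager.sendTextMessage",
              "HttpURLConnection.connect"],
    "edges": [("com.evil.Main.onCreate", "TelephonyManager.getDeviceId"),
              ("com.evil.Main.onCreate", "TelephonyManager.getSubscriberId"),
              ("com.evil.Sender.run", "SmsManager.sendTextMessage"),
              ("com.evil.Report.send", "HttpURLConnection.connect")],
}

# Constructed variant: classes renamed and junk logging calls inserted, but the
# core behavior is identical at runtime.
RENAMED_VARIANT = {
    "trace": ["TelephonyManager.getDeviceId", "Log.d",
              "TelephonyManager.getSubscriberId", "SmsManager.sendTextMessage",
              "Log.d", "SmsManager.sendTextMessage", "HttpURLConnection.connect"],
    "edges": [("a.b.c", "TelephonyManager.getDeviceId"),
              ("a.b.c", "TelephonyManager.getSubscriberId"),
              ("a.b.d", "SmsManager.sendTextMessage"),
              ("a.b.e", "HttpURLConnection.connect")],
}

# Constructed benign SMS client: also sends SMS, but in a different behavioral context.
BENIGN_SMS_APP = {
    "trace": ["ContactsContract.query", "SmsManager.sendTextMessage",
              "SharedPreferences.edit"],
    "edges": [("com.sms.app.Compose.onCreate", "ContactsContract.query"),
              ("com.sms.app.Compose.onSend", "SmsManager.sendTextMessage"),
              ("com.sms.app.Settings.save", "SharedPreferences.edit")],
}

if __name__ == "__main__":
    for name, sample in (("renamed variant", RENAMED_VARIANT), ("benign SMS app", BENIGN_SMS_APP)):
        static_only = weighted_jaccard(structure_signature(sample["edges"]),
                                       structure_signature(FAMILY["edges"]))
        print(f"{name}: static-only={static_only:.2f} "
              f"combined={variant_score(sample, FAMILY):.2f} "
              f"variant={is_variant(sample, FAMILY)}")
```

Running the block shows the static-only edge similarity for the renamed variant collapsing to 0.00 while the combined score stays at 0.70 and the sample is flagged; the benign SMS client scores 0.00 on both axes because its API sequence around the SMS call differs. In a real deployment the behavior signature would come from in-device interception of framework calls and the family signatures from a backend corpus, as the abstract describes for MONET.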