A Brief Introduction

Obfuscation techniques modify an app’s source (or machine) code in order to make it harder to analyze. They are typically applied to protect intellectual property in benign apps, or to hinder the extraction of actionable information in the case of malware. Since malware analysis often requires a considerable investment of resources, detecting which obfuscation technique was used can help select the right analysis tools and thus save effort. We have developed AndrODet, a mechanism to detect three popular types of obfuscation in Android applications: identifier renaming, string encryption, and control flow obfuscation. AndrODet relies on online learning techniques, which makes it suitable for resource-limited environments that need to operate continuously.
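The following is an added example, not AndrODet's code, showing the two ingredients the paragraph above combines: static features that indicate identifier renaming or string encryption, and an online learner that is updated one sample at a time instead of retraining on a stored dataset. The features (fraction of one- or two-character identifiers, fraction of string constants with no readable word) and the perceptron are assumptions chosen for illustration, not the features or learner used by AndrODet; the identifier lists and string constants are constructed, not taken from real apps.

```python
"""Illustrative obfuscation-detection features plus an online learner.
Added example; not AndrODet's implementation. Feature definitions,
thresholds and the perceptron are assumptions made for illustration."""
import math
import re
from collections import Counter

VOWELS = set("aeiouAEIOU")
LETTER_RUN = re.compile(r"[^\W\d_]+")  # maximal runs of Unicode letters


def shannon_entropy(s):
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def identifier_features(identifiers):
    """Renaming indicators: ProGuard-style renamers emit names like a, b, aa."""
    n = len(identifiers)
    short = sum(1 for name in identifiers if len(name) <= 2)
    return {
        "short_fraction": short / n,
        "mean_length": sum(len(name) for name in identifiers) / n,
    }


def looks_readable(s):
    """True if s contains a letter run of >= 4 chars with at least one vowel."""
    return any(len(run) >= 4 and not VOWELS.isdisjoint(run)
               for run in LETTER_RUN.findall(s))


def string_features(strings):
    """Encryption indicators: encrypted constants are decrypted at runtime,
    so the literals left in the DEX rarely look like natural text."""
    n = len(strings)
    readable = sum(1 for s in strings if looks_readable(s))
    return {
        "unreadable_fraction": 1 - readable / n,
        "mean_entropy": sum(shannon_entropy(s) for s in strings) / n,
    }


class OnlinePerceptron:
    """Perceptron updated one sample at a time: no training set is kept in
    memory, which is what makes online learning cheap on constrained hosts."""

    def __init__(self, n_features, lr=1.0):
        self.w = [0.0] * n_features
        self.b = 0.0
        self.lr = lr

    def predict(self, x):
        score = sum(wi * xi for wi, xi in zip(self.w, x)) + self.b
        return 1 if score > 0 else 0

    def fit_one(self, x, y):
        """Single update step; returns the error (0 when already correct)."""
        err = y - self.predict(x)
        if err:
            self.w = [wi + self.lr * err * xi for wi, xi in zip(self.w, x)]
            self.b += self.lr * err
        return err


# Constructed samples (not from real apps). Framework callbacks such as
# onCreate/toString survive renaming because the platform calls them by name.
CLEAN_IDS = [
    ["onCreate", "setContentView", "userRepository", "fetchProfile",
     "MainActivity", "LoginFragment", "parseResponse", "isLoggedIn"],
    ["id", "onResume", "sessionToken", "validateInput",
     "SettingsActivity", "NetworkClient", "buildRequest", "hasPermission"],
]
RENAMED_IDS = [
    ["a", "b", "c", "aa", "ab", "a1", "ba", "run"],
    ["a", "b", "c", "d", "aa", "ab", "onCreate", "toString"],
]
CLEAN_STRINGS = [["Login failed", "https://api.example.com/v1/profile",
                  "username", "Content-Type", "application/json"]]
ENCRYPTED_STRINGS = [["x7Kq9ZmP2vLs", "Q0Z2d3h1b2N5", "MjA1YmZm",
                      "9f8e7d6c5b4a", "k2J#8pQ%vR1x"]]


def renaming_stream():
    return [(CLEAN_IDS[0], 0), (RENAMED_IDS[0], 1), (CLEAN_IDS[1], 0), (RENAMED_IDS[1], 1)]


def encryption_stream():
    return [(CLEAN_STRINGS[0], 0), (ENCRYPTED_STRINGS[0], 1)]


def train_detector(labelled, feature_fn, key, epochs=10):
    """Stream (sample, label) pairs through a one-feature perceptron."""
    model = OnlinePerceptron(1)
    for _ in range(epochs):
        for sample, label in labelled:
            model.fit_one([feature_fn(sample)[key]], label)
    return model


if __name__ == "__main__":
    ren = train_detector(renaming_stream(), identifier_features, "short_fraction")
    enc = train_detector(encryption_stream(), string_features, "unreadable_fraction")
    for ids, y in renaming_stream():
        print("renaming", y, ren.predict([identifier_features(ids)["short_fraction"]]))
    for strs, y in encryption_stream():
        print("encryption", y, enc.predict([string_features(strs)["unreadable_fraction"]]))
```

Each perceptron sees one feature vector and label at a time and discards it after the update, which is the property the paragraph attributes to online learning; a batch learner would instead need the whole labelled collection resident before fitting. Control flow obfuscation is not covered here because detecting it needs features over the method bytecode graph, which this example does not parse.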


Contributions

  • An adaptive online learning system to detect three common types of obfuscation in Android applications
  • A comparison between online learning and batch learning systems to detect prevalent Android obfuscations
  • Statistical results for each of the considered features on the largest collection of obfuscated apps to date


Publications

AndrODet: An Adaptive Android Obfuscation Detector
O. Mirzaei, J. M. de Fuentes, J. E. Tapiador, L. Gonzáles-Manzano
Future Generation Computer Systems, Elsevier (January 2019) [PDF] [BibTex]


Source Code

You can download AndrODet from my GitHub profile here.


News and Updates

AndrODet updates are accessible either from my Twitter account or from my news archive.