Hey Malware, I Can Find You!

Abstract

Android smartphones are the most widespread in the world. This is the reason why attackers write code more and more aggressive in order to steal data and other important information stored in the phone. One of the most representative malware that implements the typical trojan behaviour in Android environment is the so-called Fake Installer. In this paper we use formal methods, in particular model checking, in order to identify Fake Installer malware. We specify a set of formulae and then we check these on a designed application model, built in CCS, to recognize whether an application is a malware belonging to Fake Installer family or a legitimate sample. We experiment our methodology on 1125 real world samples obtaining very promising results.