ASDroid: Resisting Evolving Android Malware With API Clusters Derived From Source Code

Abstract

Machine learning-based Android malware detection has consistently demonstrated superior results. However, with the continual evolution of the Android framework, the efficacy of the deployed models declines markedly. Existing solutions necessitate frequent and expensive model retraining to resist the constant evolution of malware accompanying Android framework updates. To address this, we introduce a solution called ASDroid, which generalizes specific APIs into similar API clusters to counteract evolving Android malware threats. One primary challenge lies in identifying analogous API clusters that correspond to specific APIs. Our approach involves extracting semantic information from open-source API source code to construct a heterogeneous information graph, and utilizing embedding algorithms to obtain semantic vector representations of APIs. APIs that are close in embedding distance are presumed to have similar semantics. Our dataset encompasses Android applications spanning nine years from 2011 to 2019. In comparison to existing Android malware detection model aging mitigation solutions like APIGraph, SDAC and MaMaDroid, ASDroid demonstrates greater accuracy and more effective at resisting continuously evolving malware.