MOSDroid: Obfuscation-resilient android malware detection using multisets of encoded opcode sequences

Abstract

The rapid proliferation of Android devices has made them a prime target for malware developers, necessitating sophisticated detection techniques. Obfuscation poses a significant challenge in Android malware detection due to the platform’s unique characteristics and widespread usage of obfuscation techniques by malware developers. This work proposes a static Android malware detection approach that is resilient to obfuscation. The method involves extracting method-level opcode sequences and segmenting them into strings, representing methods as Multiset of Encoded Opcode Sequences (MOS). The next step is to encode the Android Application Package (APK) as a set of multisets based on the principle of multiset equality. This encoding provides detailed method representation and efficient APK comparison that optimizes the proposed approach, enhancing detection accuracy and efficiency. The proposed approach employs a strategy for generating a reduced feature subset through filtering and feature selection processes. It further improves efficiency, enhances model performance, prevents overfitting, simplifies interpretation, and optimizes computational resources. The dataset used to evaluate MOSDroid’s performance included Data-MD, a collection of 15,356 Android apps sourced from AndroZoo, and Data-MOS, comprising 10,500 Android apps collected from AndroZoo and Drebin benchmarks. Additionally, 25,990 obfuscated samples derived from these datasets were analysed to assess the impact of obfuscation and resilience. Experimental results demonstrate that the proposed approach is potent and resilient to obfuscation in malware detection, achieving an accuracy of 98.41%, and an AUC of 99.45%.