
Family Identification of AGE-Generated Android Malware Using Tree-Based Feature

2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) (2020)

Application Generation Engine (AGE) is a development tool that automatically generates simple Android applications from boilerplate code. People with little programming background can use it to build Android applications to their own requirements. The emergence of AGE dramatically improves the ease of developing essential software and lowers the level of programming skill required of app developers. However, it also gives attackers an easy way to quickly develop a large number of malicious applications, which seriously affects the device and data security of regular users. Since AGE mainly generates applications from boilerplate code, the code structures of malicious apps created by AGE are highly similar when the apps belong to the same family. Based on the assumption that the package directory structures of software from the same family are also similar, we designed a novel feature construction method to describe an application. Using this method, we extracted features from the leaf nodes of the smali tree, where each smali tree corresponds to the smali directory of the application. Unlike traditional static feature extraction, the tree-based feature proposed in this paper can effectively counteract problems such as code obfuscation or reflection, because it adequately reflects the semantic features of the smali files. To demonstrate the effectiveness of tree-based features, we conducted experiments on a dataset provided by the enterprise. This dataset contains 1792 AGE-generated applications belonging to 17 malicious families. We demonstrated that the feature construction method proposed in this paper is usable and can be applied to machine learning classification algorithms for the identification of malicious applications.
AGE, Android Malware, tree-based feature, family identification
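The idea of describing an app by the leaf nodes of its smali directory tree can be illustrated as follows. This is an added example, not the paper's code: the abstract does not specify the feature encoding, so the (depth, leaves-per-directory) feature, the cosine similarity, the nearest-neighbour assignment, and all paths and family labels below are assumptions constructed for illustration.

```python
from collections import Counter
from math import sqrt
from pathlib import PurePosixPath

def leaf_features(smali_paths):
    """Describe an app by its leaf nodes (.smali files) only.
    Assumed encoding: each leaf contributes (directory depth, leaves in that
    directory), so renaming packages or classes does not change the vector."""
    per_dir = Counter(PurePosixPath(p).parent
                      for p in smali_paths if p.endswith(".smali"))
    feats = Counter()
    for directory, n_leaves in per_dir.items():
        feats[(len(directory.parts), n_leaves)] += n_leaves
    return feats

def cosine(a, b):
    """Cosine similarity between two sparse feature counters."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def nearest_family(unknown_paths, labelled):
    """Return (similarity, family) of the closest labelled sample."""
    q = leaf_features(unknown_paths)
    return max(((cosine(q, leaf_features(paths)), fam) for fam, paths in labelled),
               key=lambda t: t[0])

# Constructed sample data: relative paths under a decompiled app's smali/
# directory. Family names and package paths are hypothetical.
FAM_A = ["com/a/b/Main.smali", "com/a/b/Util.smali",
         "com/a/b/net/Http.smali", "com/a/b/net/Task.smali",
         "com/a/b/net/Cfg.smali"]
FAM_B = ["org/x/App.smali", "org/x/svc/S.smali",
         "org/x/ui/A.smali", "org/x/ui/B.smali",
         "org/x/ui/C.smali", "org/x/ui/D.smali"]
# Same template shape as FAM_A, but every identifier has been renamed.
UNKNOWN = ["p/q/r/a.smali", "p/q/r/b.smali",
           "p/q/r/s/a.smali", "p/q/r/s/b.smali", "p/q/r/s/c.smali"]
LABELLED = [("family_A", FAM_A), ("family_B", FAM_B)]

if __name__ == "__main__":
    print(nearest_family(UNKNOWN, LABELLED))
```

In practice the same vectors would be fed to a trained classifier rather than compared against a single sample per family.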