In this paper we present a method for creating obfuscation-resilient signatures for families of piggybacked malware and a method for scanning an APK for a particular malware family. We achieve the resiliency by constructing signatures from Android API calls. Since an application must use a certain set of API calls to perform a certain behavior, the API calls remain invariant under polymorphic and renaming obfuscations. Our method has an analogue in the use of Windows API calls to detect Windows malware [12, 30]. Piggybacked malware, however, introduces another challenge: separating the injected rider code from the legitimate host application. We take advantage of the fact that the rider code of piggybacked malware is loosely coupled with the code of the host application. We present a method for partitioning an APK into loosely coupled modules, and a method for identifying the rider modules, given a collection of piggybacked malware from the same family. When scanning an unlabeled APK for malware, it is first partitioned into loosely coupled modules. Then the Android API calls made by each module are compared to the signature of each family. We present the results of two controlled tests to estimate the expected performance of our method if deployed in the real world. To ensure that test results are statistically significant estimators of the method's performance, and
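The pipeline sketched in the abstract (partition the APK into loosely coupled modules, derive a family signature from the API calls of the rider module that recurs across samples, then scan an unlabeled APK module by module) is illustrated below in an added Python example. It is not the paper's code: it assumes a class-level call graph and per-class Android API call sets have already been extracted from the dex code, it takes "loosely coupled modules" to mean connected components of the intra-app call graph (the paper's own partitioning may be finer), and all class names, API method names and the family name are constructed for the example.

```python
"""Toy illustration of obfuscation-resilient family signatures from Android API calls.

Added example, not the paper's implementation.  Each APK is assumed to be given as
  calls[cls] -> set of app classes that cls invokes
  apis[cls]  -> set of Android framework methods that cls invokes
Modules are connected components of the intra-app call graph, one simple reading of
"loosely coupled".  All sample data below is constructed (hypothetical names).
"""
from __future__ import annotations

Graph = dict[str, set[str]]


def partition_modules(calls: Graph) -> list[frozenset[str]]:
    """Connected components of the undirected call graph.  Framework classes are
    not nodes, so rider code that never calls host classes (and is never called
    by them) lands in its own module regardless of how its classes are renamed."""
    adj: dict[str, set[str]] = {c: set() for c in calls}
    for caller, callees in calls.items():
        for callee in callees:
            if callee in adj:                      # drop calls into the framework
                adj[caller].add(callee)
                adj[callee].add(caller)
    seen: set[str] = set()
    modules = []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node] - comp)
        seen |= comp
        modules.append(frozenset(comp))
    return modules


def module_apis(module: frozenset[str], apis: Graph) -> frozenset[str]:
    """Android API calls made by a module: the union over its classes."""
    return frozenset().union(*(apis.get(c, set()) for c in module))


def jaccard(a: frozenset[str], b: frozenset[str]) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0


def family_signature(samples: list[tuple[Graph, Graph]]) -> frozenset[str]:
    """Rider module = the module whose API set recurs across samples built on
    different hosts.  Take each module of sample 0 as a candidate, match it to
    the most similar module of every other sample, keep the candidate with the
    best average match, and use the APIs common to all matched modules.
    Caveat: APIs that every host uses (e.g. Activity.onCreate) recur too, so
    several samples with unrelated hosts are needed."""
    per_sample = [[module_apis(m, apis) for m in partition_modules(calls)]
                  for calls, apis in samples]
    best_sig, best_score = frozenset(), -1.0
    for cand in per_sample[0]:
        matched, score = [cand], 0.0
        for others in per_sample[1:]:
            m = max(others, key=lambda s: jaccard(cand, s))
            matched.append(m)
            score += jaccard(cand, m)
        score /= max(len(per_sample) - 1, 1)
        if score > best_score:
            best_sig, best_score = frozenset.intersection(*matched), score
    return best_sig


def scan(calls: Graph, apis: Graph, signatures: dict[str, frozenset[str]],
         threshold: float = 0.8) -> list[tuple[str, float, frozenset[str]]]:
    """Partition an unlabeled APK and compare every module with every family
    signature.  Containment (share of the signature present in the module) is
    used instead of Jaccard because a rider may call extra APIs."""
    modules = partition_modules(calls)
    hits = []
    for family, sig in signatures.items():
        best = max(modules, key=lambda m: len(sig & module_apis(m, apis)))
        score = len(sig & module_apis(best, apis)) / len(sig) if sig else 0.0
        if score >= threshold:
            hits.append((family, score, best))
    return hits


# --- constructed data -----------------------------------------------------------
SMS = "Landroid/telephony/SmsManager;->sendTextMessage"
IMEI = "Landroid/telephony/TelephonyManager;->getDeviceId"
START = "Landroid/content/Context;->startService"
CREATE = "Landroid/app/Activity;->onCreate"
# sample 1: a game carrying the rider (Lcom/a/Rcv, Lcom/a/Svc)
CALLS_1 = {"Lcom/game/Main": {"Lcom/game/Render"}, "Lcom/game/Render": set(),
           "Lcom/a/Rcv": {"Lcom/a/Svc"}, "Lcom/a/Svc": set()}
APIS_1 = {"Lcom/game/Main": {CREATE},
          "Lcom/game/Render": {"Landroid/opengl/GLSurfaceView;->setRenderer"},
          "Lcom/a/Rcv": {START, IMEI},
          "Lcom/a/Svc": {SMS, "Landroid/os/PowerManager$WakeLock;->acquire"}}
# sample 2: the same rider, renamed, injected into a notes app
CALLS_2 = {"Lcom/notes/Editor": {"Lcom/notes/Db"}, "Lcom/notes/Db": set(),
           "Lx/y/A": {"Lx/y/B"}, "Lx/y/B": set()}
APIS_2 = {"Lcom/notes/Editor": {CREATE},
          "Lcom/notes/Db": {"Landroid/database/sqlite/SQLiteDatabase;->insert"},
          "Lx/y/A": {START, IMEI, "Landroid/net/ConnectivityManager;->getActiveNetworkInfo"},
          "Lx/y/B": {SMS}}
SIGNATURES = {"FamilyX": family_signature([(CALLS_1, APIS_1), (CALLS_2, APIS_2)])}
# unlabeled APKs: a weather app whose host itself calls startService, with and
# without an injected rider class Lq/Z
CALLS_3 = {"Lcom/weather/Main": {"Lcom/weather/Sync"}, "Lcom/weather/Sync": set(),
           "Lq/Z": set()}
APIS_3 = {"Lcom/weather/Main": {CREATE},
          "Lcom/weather/Sync": {START, "Landroid/location/LocationManager;->requestLocationUpdates"},
          "Lq/Z": {SMS, IMEI, START}}
CALLS_4 = {"Lcom/weather/Main": {"Lcom/weather/Sync"}, "Lcom/weather/Sync": set()}
APIS_4 = {k: APIS_3[k] for k in CALLS_4}

if __name__ == "__main__":
    print("signature:", sorted(SIGNATURES["FamilyX"]))
    print("piggybacked:", scan(CALLS_3, APIS_3, SIGNATURES))
    print("benign:", scan(CALLS_4, APIS_4, SIGNATURES))
```

The wake-lock and connectivity calls, present in only one sample each, drop out of the signature, which is what makes it stable across variants; the host's own `startService` call yields only a 1/3 containment score, so the benign build of the weather app is not flagged while the build carrying `Lq/Z` matches in full.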
