Automatically Learning Android Malware Signatures from Few Samples

We propose a new technique for Android malware detection that combines the respective strengths of learningand signature-based approaches. Our approach uses a new learning algorithm based on Maximum Satisfiability (MaxSAT) to automatically synthesize semantic malware signatures from very few instances of a malware family. Our key insight is that the common functionality of a malware family can be summarized by patterns on the inter-component call graph (ICCG) representation of Android applications. Our approach synthesizes malware signatures by detecting maximally suspicious common subgraphs (MSCS) of a set of ICCGs using MaxSAT. We have implemented our approach in a tool called ASTROID, which is integrated into the existing APPOSCOPY tool for malware detection. Our experiments show that ASTROID can automatically infer better signatures than manually-written ones and outperforms state-of-the-art Android malware detectors such as DREBIN and MASSVET with respect to accuracy, false positives, and interpretability. Furthermore, ASTROID is very precise — in a corpus of 10,495 Google Play store apps, ASTROID only reported 8 as suspicious, and they were all in fact malicious.