Screening smartphone applications using malware family signatures

Jehyun Lee, Suyeon Lee, Heejo Lee

Research output: Contribution to journalArticlepeer-review

30 Citations (Scopus)


The sharp increase in smartphone malware has become one of the most serious security problems. Since the Android platform has taken the dominant position in smartphone popularity, the number of Android malware has grown correspondingly and represents critical threat to the smartphone users. This rise in malware is primarily attributable to the occurrence of variants of existing malware. A set of variants stem from one malware can be considered as one malware family, and malware families cover more than half of the Android malware population. A conventional technique for defeating malware is the use of signature matching which is efficient from a time perspective but not very practical because of its lack of robustness against the malware variants. As a counter approach for handling the issue of variants behavior analysis techniques have been proposed but require extensive time and resources. In this paper, we propose an Android malware detection mechanism that uses automated family signature extraction and family signature matching. Key concept of the mechanism is to extract a set of family representative binary patterns from evaluated family members as a signature and to classify each set of variants into a malware family via an estimation of similarity to the signatures. The proposed family signature and detection mechanism offers more flexible variant detection than does the legacy signature matching, which is strictly dependent on the presence of a specific string. Furthermore, compared with the previous behavior analysis techniques considering family detection, the proposed family signature has higher detection accuracy without the need for the significant overhead of data and control flow analysis. Using the proposed signature, we can detect new variants of known malware efficiently and accurately by static matching. We evaluated our mechanism with 5846 real world Android malware samples belonging to 48 families collected in April 2014 at an anti-virus company; experimental results showed that; our mechanism achieved greater than 97% accuracy in detection of variants. We also demonstrated that the mechanism has a linear time complexity with the number of target applications.

Original languageEnglish
Pages (from-to)234-249
Number of pages16
JournalComputers and Security
Publication statusPublished - 2015 Jul 1

Bibliographical note

Publisher Copyright:
© 2015 Elsevier Ltd


  • Android
  • Family signature
  • Malware
  • Smartphone security
  • Static analysis
  • Variant detection

ASJC Scopus subject areas

  • General Computer Science
  • Law


Dive into the research topics of 'Screening smartphone applications using malware family signatures'. Together they form a unique fingerprint.

Cite this