Article ID: 9952279
Journal: Journal of Information Security and Applications
Published Year: 2018
Pages: 11
File Type: PDF
Abstract
Malicious Android applications have become an increasingly advanced and severe threat to users' privacy, confidentiality, integrity, money, and devices. Malware evolution consists mainly of modifying existing malware: repackaging apps, employing polymorphism and metamorphism, and injecting malicious code. Existing dynamic approaches can handle polymorphism, metamorphism and repackaging, but fail to address code injection at runtime, because injected code modifies the app's control and data flow. In this paper, we present SWORD, a semantics-aware dynamic malware detection tool. It encapsulates the semantics of Android apps in a way that makes it resilient to injection-based evasion techniques. The intuition behind specifying the semantics of apps lies in applying the Asymptotic Equipartition Property (AEP) from information theory. The semantics of an app are captured as a sequence of system calls. To assess the efficacy of SWORD, we carried out comprehensive experiments on 6000 execution traces of 2000 applications (1000 malware apps belonging to 119 different families and 1000 benign apps, selected randomly from 12,000 Google Play Store apps). We obtain a detection accuracy of 94.2%. Moreover, we show that SWORD can cope with code-injection-based evasion techniques.
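The abstract names the information-theoretic idea (the AEP applied to system-call sequences) without describing the feature construction or classifier, so the following is an added illustration of that idea, not code from the SWORD paper. It fits a first-order Markov chain to a constructed benign system-call trace and computes, for any trace, the per-call surprisal -(1/n) log2 P(x_1..x_n). By the AEP, traces produced by the modelled behaviour concentrate around the chain's entropy rate H, while a trace into which foreign calls were spliced (a toy model of runtime code injection) sits well above H even though the benign control flow around the splice is intact. The syscall alphabet, the benign loop, the injected burst, the smoothing constant and the 0.3-bit decision margin are all assumptions made for this demo.

```python
"""
Added illustration (not SWORD's own code) of the Asymptotic Equipartition
Property (AEP) applied to system-call traces.

A first-order Markov chain is fitted to a constructed 'benign' trace. For a
trace x_1..x_n the per-call surprisal -(1/n) log2 P(x_1..x_n) is computed.
The AEP says traces generated by the modelled behaviour concentrate around
the chain's entropy rate H, so a trace whose surprisal sits well above H
was not produced by that behaviour alone, e.g. because injected code issued
calls the benign app never makes in that context.
Syscall names, traces and the 'payload' are constructed sample data.
"""
import math
import random
from collections import Counter, defaultdict

# Constructed alphabet (a real tracer would produce far more syscall names).
ALPHABET = ["open", "mmap", "read", "write", "close", "recvfrom", "sendto", "ioctl"]


def benign_behaviour(iterations, rng):
    """Constructed benign app: a file-processing loop with mild variation."""
    trace = []
    for _ in range(iterations):
        trace.append("open")
        if rng.random() < 0.3:          # sometimes the file is mapped first
            trace.append("mmap")
        trace.extend(["read"] * rng.choice([1, 2]))
        trace.extend(["write", "close"])
    return trace


def fit_markov(trace, alphabet=ALPHABET, alpha=0.5):
    """Transition probabilities P(b | a) with additive smoothing, so that
    transitions never seen in training get a small but non-zero probability."""
    counts = defaultdict(Counter)
    for a, b in zip(trace, trace[1:]):
        counts[a][b] += 1
    model = {}
    for a in alphabet:
        total = sum(counts[a].values()) + alpha * len(alphabet)
        model[a] = {b: (counts[a][b] + alpha) / total for b in alphabet}
    return model


def entropy_rate(model, trace):
    """Entropy rate H (bits/call) of the chain: sum_a pi(a) * H(next | a),
    with pi approximated by the symbol frequencies of the fitting trace."""
    freq = Counter(trace)
    n = len(trace)
    return -sum(
        (freq[a] / n) * sum(p * math.log2(p) for p in row.values())
        for a, row in model.items()
    )


def surprisal_rate(model, trace):
    """-(1/n) log2 P(x_2..x_n | x_1): the quantity the AEP drives towards H."""
    logp = sum(math.log2(model[a][b]) for a, b in zip(trace, trace[1:]))
    return -logp / (len(trace) - 1)


def sample(model, start, n, rng):
    """Draw a 'typical' trace of n calls from the fitted chain."""
    out = [start]
    for _ in range(n - 1):
        row = model[out[-1]]
        out.append(rng.choices(list(row), weights=list(row.values()))[0])
    return out


def inject(trace, payload, every):
    """Toy model of runtime code injection: splice a payload burst into the
    trace after every `every` calls; the surrounding control flow is untouched."""
    out = []
    for i, call in enumerate(trace, 1):
        out.append(call)
        if i % every == 0:
            out.extend(payload)
    return out


def classify(model, h, trace, margin=0.3):
    """AEP-based decision (margin is an assumption for the demo): within
    `margin` bits of H -> consistent with the modelled semantics; else anomalous."""
    return "benign" if surprisal_rate(model, trace) <= h + margin else "anomalous"


def demo(seed=7):
    rng = random.Random(seed)
    train = benign_behaviour(300, rng)
    model = fit_markov(train)
    h = entropy_rate(model, train)
    typical = sample(model, "open", 1000, rng)
    # Constructed exfiltration-style burst the benign loop never issues.
    injected = inject(typical, ["recvfrom", "sendto", "ioctl"], every=10)
    return {
        "H": h,
        "typical": surprisal_rate(model, typical),
        "injected": surprisal_rate(model, injected),
        "verdicts": (classify(model, h, typical), classify(model, h, injected)),
    }


if __name__ == "__main__":
    r = demo()
    print(f"entropy rate H  = {r['H']:.3f} bits/call")
    print(f"typical trace   = {r['typical']:.3f} bits/call -> {r['verdicts'][0]}")
    print(f"injected trace  = {r['injected']:.3f} bits/call -> {r['verdicts'][1]}")
```

The point to take from the demo is the one the abstract relies on: the benign trace's normalized log-probability lands close to H regardless of which particular benign path was taken, so the detector is not keying on an exact call sequence, while injected calls cost far more than `margin` bits each because they are never seen in that context during training. A first-order chain and a fixed margin are the simplest possible instantiation; the paper's own model is not described on this page.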
Related Topics
Physical Sciences and Engineering Computer Science Computer Networks and Communications