Detecting zero-day sophisticated malware is like searching for a needle in a haystack without knowing what the needle looks like. This paper describes the Android Malicious Flow Visualization Toolbox, which empowers a human analyst to detect such malware. Detecting sophisticated malware requires systematic exploration of the code to identify potentially malicious code, conceiving plausible malware hypotheses, and gathering evidence from the code to prove or refute each hypothesis. We describe interactive visualizations of program artifacts that help the analyst understand and analyze the complex Android semantics used by an app. The toolbox incorporates visualization capabilities that work together cohesively, and it provides a mechanism for easily adding new capabilities.
We present case studies of detecting Android malware that breaches confidentiality and integrity. We report the accuracy and efficiency achieved by our team of analysts using the toolbox while auditing 77 sophisticated Android apps provided by the Defense Advanced Research Projects Agency (DARPA).
Venue: IEEE Symposium on Visualization for Cyber Security (VizSec 2017), Phoenix, AZ, USA, October 2, 2017.
Authors: Ganesh Ram Santhanam, Benjamin Holland, Suresh Kothari, Jon Mathews
Paper (PDF): VIZSEC2017-AMFVT.pdf
Toolbox URL: https://kcsl.github.io/AMFVT/