Abstract
Using a novel dataset of Android banking trojans (ABTs), other Android malware, and goodware, we develop the \sf {DBank}DBank system to predict whether a given Android APK is a banking trojan or not. We introduce the novel concept of a Triadic Suspicion Graph (TSG for short) which contains three kinds of nodes: goodware, banking trojans, and API packages. We develop a novel feature space based on two classes of scores derived from TSGs: suspicion scores (SUS) and suspicion ranks (SR) - the latter yields a family of features that generalize PageRank. While TSG features (based on SUS/SR scores) provide very high predictive accuracy on their own in predicting recent (2016-2017) ABTs, we show that the combination of TSG features with previously studied lightweight static and dynamic features in the literature yields the highest accuracy in distinguishing ABTs from goodware, while preserving the same accuracy of prior feature combinations in distinguishing ABTs from other Android malware. In particular, \sf {DBank}DBank's overall accuracy in predicting whether an APK is a banking trojan or not is up to 99.9% AUC with 0.3% false positive rate. Moreover, we have already reported two unlabeled APKs from VirusTotal (which \sf {DBank}DBank has detected as ABTs) to the Google Android Security Team - in one case, we discovered it before any of the 63 anti-virus products on VirusTotal did, and in the other case, we beat 62 of 63 anti-viruses on VirusTotal. This suggests that \sf {DBank}DBank is capable of making new discoveries in the wild before other established vendors. We also show that our novel TSG features have some interesting defensive properties as they are robust to knowledge of the training set by an adversary: even if the adversary uses 90% of our training set and uses the exact TSG features that we use, it is difficult for him to infer \sf {DBank}DBank's predictions on APKs. We additionally identify the features that best separate and characterize ABTs from goodware as well as from other Android malware. Finally, we develop a detailed data-driven analysis of five major recent ABT families: FakeToken, Svpeng, Asacub, BankBot, and Marcher, and identify the features that best separate them from goodware and other-malware.
| Original language | English (US) |
|---|---|
| Article number | 8684321 |
| Pages (from-to) | 1378-1393 |
| Number of pages | 16 |
| Journal | IEEE Transactions on Dependable and Secure Computing |
| Volume | 18 |
| Issue number | 3 |
| DOIs | |
| State | Published - May 1 2021 |
Funding
We thank the anonymous referees for their excellent comments and suggestions. We additionally thank Salvador Mandujano and Sai Deep Tetali of the Google Android Security Team for excellent suggestions and comments on our work. Parts of the work were funded by: US Army Research Office grant W911NF1410358, ONR grants N00014-18-1-2670, N00014-16-12896, and N000141612739; NATO Science for Peace and Security grant SPS G5319; UK EPSRC grant EP/L022710/2.
Keywords
- Android banking trojans
- graph models
- machine learning
- malware
ASJC Scopus subject areas
- General Computer Science
- Electrical and Electronic Engineering