DroidNative: Automating and optimizing detection of Android native code malware variants

Shahid Alam*, Zhengyang Qu, Ryan Riley, Yan Chen, Vaibhav Rastogi

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

79 Scopus citations


According to the Symantec and F-Secure threat reports, mobile malware development in 2013 and 2014 has continued to focus almost exclusively (~99%) on the Android platform. Malware writers are applying stealthy mutations (obfuscations) to create malware variants, thwarting detection by signature-based detectors. In addition, the plethora of more sophisticated detectors making use of static analysis techniques to detect such variants operate only at the bytecode level, meaning that malware embedded in native code goes undetected. A recent study shows that 86% of the most popular Android applications contain native code, making native code malware a plausible threat vector. This paper proposes DroidNative, an Android malware detector that uses specific control flow patterns to reduce the effect of obfuscations and provides automation. As far as we know, DroidNative is the first system that builds cross-platform (x86 and ARM) semantic-based signatures at the Android native code level, allowing the system to detect malware embedded in either bytecode or native code. When tested with a dataset of 5490 samples, DroidNative achieves a detection rate (DR) of 93.57% and a false positive rate of 2.7%. When tested with traditional malware variants, it achieves a DR of 99.48%, compared to the DRs of academic and commercial tools that range from 8.33% to 93.22%.

Original languageEnglish (US)
Pages (from-to)230-246
Number of pages17
JournalComputers and Security
StatePublished - Mar 1 2017


  • Android native code
  • Control flow analysis
  • Data mining
  • Malware analysis
  • Malware variant detection

ASJC Scopus subject areas

  • Computer Science(all)
  • Law


Dive into the research topics of 'DroidNative: Automating and optimizing detection of Android native code malware variants'. Together they form a unique fingerprint.

Cite this