Abstract

Assigning family labels to malicious apps is a common practice for grouping together malware with identical behavior. However, recent studies show that apps labeled as belonging to the same family do not necessarily behave similarly: one app may lack, or have extra, capabilities compared to others in the same family, and, conversely, two apps labeled as belonging to different families may exhibit very close behavior. To reveal these inconsistencies, this paper presents AndrEnsemble, a characterization system for Android malware families based on ensembles of sensitive API calls extracted from the aggregated call graphs of different families. Our method has several advantages over similar characterization approaches, including a greater reduction ratio with respect to the original call graphs, robustness against transformation attacks, and the flexibility to be applied at different granularity levels. We experimentally validate our approach and discuss three specific use cases: mobile ransomware, SMS Trojans, and banking Trojans. This yielded three findings. First, the malicious operations of these types of malware do not necessarily require several sensitive API calls used together. Second, SMS Trojans have larger ensembles of API calls than the other two types. Last but not least, we identified several samples with identical ensembles despite being labeled as belonging to different families.
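
The pipeline the abstract describes (per-sample call graphs, aggregation per family, the sensitive-API "ensemble" as the reachable subset, a reduction ratio against the full graph, invariance under renaming, and detection of differently labeled samples with identical ensembles) can be sketched in a few dozen lines. The block below is an added illustration written for this page, not AndrEnsemble's own code: the call graphs, family labels, entry point and sensitive-API list are all constructed, and reachability from a single entry point is one simple choice of ensemble extraction, not necessarily the paper's.

```python
from collections import defaultdict, deque

# Constructed sensitive-API list. The names follow the Dalvik method-reference
# style but were chosen for this illustration; the paper's own list is not reproduced.
SENSITIVE_APIS = frozenset({
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "Landroid/telephony/TelephonyManager;->getDeviceId",
    "Landroid/content/ContentResolver;->query",
    "Ljavax/crypto/Cipher;->doFinal",
    "Landroid/app/admin/DevicePolicyManager;->lockNow",
    "Ljava/net/HttpURLConnection;->connect",
})

ENTRY = "Lapp/Main;->onCreate"  # constructed entry point shared by all samples

# Constructed per-sample call graphs (caller -> callees). App-internal method
# names are invented; the leaf nodes are drawn from SENSITIVE_APIS.
SAMPLES = {
    "sms_a": {
        ENTRY: ["Lapp/A;->harvest", "Lapp/A;->send"],
        "Lapp/A;->harvest": ["Landroid/telephony/TelephonyManager;->getDeviceId",
                             "Landroid/content/ContentResolver;->query"],
        "Lapp/A;->send": ["Landroid/telephony/SmsManager;->sendTextMessage",
                          "Ljava/net/HttpURLConnection;->connect"],
    },
    "sms_b": {
        ENTRY: ["Lapp/B;->run"],
        "Lapp/B;->run": ["Landroid/telephony/SmsManager;->sendTextMessage",
                         "Ljava/net/HttpURLConnection;->connect"],
    },
    "ransom_a": {
        ENTRY: ["Lapp/R;->encrypt", "Lapp/R;->lock"],
        "Lapp/R;->encrypt": ["Ljavax/crypto/Cipher;->doFinal"],
        "Lapp/R;->lock": ["Landroid/app/admin/DevicePolicyManager;->lockNow"],
        # dead code: present in the call graph but unreachable from ENTRY
        "Lapp/R;->unused": ["Landroid/telephony/SmsManager;->sendTextMessage"],
    },
    "ransom_b": {  # labeled ransomware, but its reachable APIs match sms_b
        ENTRY: ["Lapp/X;->x"],
        "Lapp/X;->x": ["Ljava/net/HttpURLConnection;->connect",
                       "Landroid/telephony/SmsManager;->sendTextMessage"],
    },
}
LABELS = {"sms_a": "SmsFamily", "sms_b": "SmsFamily",
          "ransom_a": "RansomFamily", "ransom_b": "RansomFamily"}


def nodes(graph):
    """All method nodes in a call graph (callers and callees)."""
    return set(graph) | {c for callees in graph.values() for c in callees}


def aggregate(graphs):
    """Aggregated call graph: union of node sets, edges deduplicated."""
    agg = defaultdict(set)
    for g in graphs:
        for caller, callees in g.items():
            agg[caller].update(callees)
    return {caller: sorted(callees) for caller, callees in agg.items()}


def ensemble(graph, entry=ENTRY):
    """Ensemble = set of sensitive APIs reachable from the entry point (BFS)."""
    seen, todo = set(), deque([entry])
    while todo:
        n = todo.popleft()
        if n in seen:
            continue
        seen.add(n)
        todo.extend(graph.get(n, ()))
    return frozenset(seen & SENSITIVE_APIS)


def family_ensembles(samples, labels):
    """Family-level granularity: one ensemble per family from its aggregated graph."""
    by_family = defaultdict(list)
    for name, g in samples.items():
        by_family[labels[name]].append(g)
    return {fam: ensemble(aggregate(gs)) for fam, gs in by_family.items()}


def reduction_ratio(graph, ens):
    """Share of call-graph nodes dropped when only the ensemble is kept."""
    return 1 - len(ens) / len(nodes(graph))


def label_inconsistencies(samples, labels):
    """Pairs of samples with identical ensembles but different family labels."""
    ens = {name: ensemble(g) for name, g in samples.items()}
    names = sorted(ens)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ens[a] == ens[b] and labels[a] != labels[b]]


def rename_internal(graph, prefix="Lobf/m"):
    """Simulate an identifier-renaming transformation: every app-internal method
    gets a fresh name, while framework API references (which the app author cannot
    rename) and the entry point are kept. The ensemble is invariant under this."""
    internal = sorted(n for n in nodes(graph) if n not in SENSITIVE_APIS and n != ENTRY)
    mapping = {n: f"{prefix}{i};->a" for i, n in enumerate(internal)}

    def rn(n):
        return mapping.get(n, n)

    return {rn(caller): [rn(c) for c in callees] for caller, callees in graph.items()}


if __name__ == "__main__":
    for fam, ens in family_ensembles(SAMPLES, LABELS).items():
        print(fam, sorted(ens))
    print("mislabeled pairs:", label_inconsistencies(SAMPLES, LABELS))
```

Two details are worth noticing when running it. `ransom_a` contains a call to `sendTextMessage` in dead code, and it does not appear in the ensemble because only APIs reachable from the entry point count; that is also why a renaming transformation (`rename_internal`) leaves the ensemble unchanged while altering every internal node. And because `ransom_b` is labeled ransomware but has the same ensemble as `sms_b`, it both shows up in `label_inconsistencies` and inflates the aggregated RansomFamily ensemble, which is exactly the kind of inconsistency the abstract argues such labels hide.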
