Android Malware Family Labeling: Perspectives from the Industry
Labeling and classifying Android malware is important for identifying new threats, triaging security incidents, and demystifying evasion techniques. To automate the malware classification pipeline, state-of-the-art tools such as AVClass and Euphony unify raw labels from commercial antivirus vendors (i.e., VirusTotal) to produce family labels. These tools are widely used for automatic malware classification in both academic research and industry practice. However, they face significant limitations in real-world industrial scenarios with numerous and dynamically changing samples. For example, our industrial practices revealed that VirusTotal’s results change over time, leading to temporal inconsistencies in family labeling results that rely on label unification, which can severely impact a company’s security posture. Despite this, such issues and challenges remain understudied. In this paper, we present the first systematic measurement study of existing automatic Android malware family labeling systems from various aspects, including label dynamics, consistency, reliability, and etc. Based on a large-scale dataset, we validate that the labeling results of these systems do evolve with time, and such evolution can introduce bias into many previous studies on performance assessments. We also reveal substantial divergence in labeling decisions across different systems when given the same input. Besides, we identify a disclosure priority among families in these systems’ labeling processes, which could threaten the industry by allowing malicious actors to exploit these discrepancies. Our findings could benefit both researchers and industry practitioners for further refinement of automatic malware family labeling systems, contributing to their practical applications.
Tue 29 OctDisplayed time zone: Pacific Time (US & Canada) change
13:30 - 15:00 | AndroidJournal-first Papers / Research Papers / Industry Showcase at Magnoila Chair(s): Ziyao He University of California, Irvine | ||
13:30 15mTalk | How Does Code Optimization Impact Third-party Library Detection for Android Applications? Research Papers Zifan Xie Huazhong University of Science and Technology, Ming Wen Huazhong University of Science and Technology, Tinghan Li Huazhong University of Science and Technology, Yiding Zhu Huazhong University of Science and Technology, Qinsheng Hou Shandong University; Qi An Xin Group Corp., Hai Jin Huazhong University of Science and Technology Media Attached | ||
13:45 15mTalk | MaskDroid: Robust Android Malware Detection with Masked Graph Representations Research Papers Jingnan Zheng National University of Singapore, Jiahao Liu National University of Singapore, An Zhang , Jun ZENG Huawei, Ziqi Yang Zhejiang University, Zhenkai Liang National University of Singapore, Tat-Seng Chua National University of Singapore | ||
14:00 15mTalk | A Longitudinal Analysis Of Replicas in the Wild Wild Android Research Papers Syeda Mashal Abbas Zaidi University of Waterloo, Shahpar Khan University of Waterloo, Parjanya Vyas University of Waterloo, Yousra Aafer University of Waterloo | ||
14:15 15mTalk | Android Malware Family Labeling: Perspectives from the Industry Industry Showcase Liu Wang Beijing University of Posts and Telecommunications, Haoyu Wang Huazhong University of Science and Technology, Tao Zhang Macau University of Science and Technology, Haitao Xu Zhejiang University, Guozhu Meng Institute of Information Engineering, Chinese Academy of Sciences, Peiming Gao MYbank, Ant Group, Chen Wei MYbank, Ant Group, Yi Wang | ||
14:30 15mTalk | DexBERT: Effective, Task-Agnostic and Fine-grained Representation Learning of Android Bytecode Journal-first Papers Tiezhu Sun University of Luxembourg, Kevin Allix Independent Researcher, Kisub Kim Singapore Management University, Singapore, Xin Zhou Singapore Management University, Singapore, Dongsun Kim Korea University, David Lo Singapore Management University, Tegawendé F. Bissyandé University of Luxembourg, Jacques Klein University of Luxembourg | ||
14:45 15mTalk | Same App, Different Behaviors: Uncovering Device-specific Behaviors in Android Apps Industry Showcase Zikan Dong Beijing University of Posts and Telecommunications, Yanjie Zhao Huazhong University of Science and Technology, Tianming Liu Monash Univerisity, Chao Wang University of Southern California, Guosheng Xu Beijing University of Posts and Telecommunications, Guoai Xu Harbin Institute of Technology, Shenzhen, Lin Zhang The National Computer Emergency Response Team/Coordination Center of China (CNCERT/CC), Haoyu Wang Huazhong University of Science and Technology |