File(s) under permanent embargo
URefFlow: a unified android malware detection model based on reflective calls
conference contribution
posted on 2018-01-01, 00:00 authored by C Liu, J Li, M Yu, Gang Li, B Luo, K Chen, J Jiang, W Huang

© 2018 IEEE. In Android malware detection, sensitive data-flows provide more accurate information on the application's behavior than regular features such as signatures and permissions. Currently, Android static taint analysis is widely adopted to identify sensitive data-flows because of its high code coverage and low false negative rate. However, existing static taint analysis tools cannot effectively analyze applications that adopt the Android reflection mechanism. The reflection mechanism can block the control-flows and data-flows of the application. When a call graph is constructed, the call information points directly to the system's reflection processing method rather than to the actual method invoked by the application. This significantly affects the accurate representation of the application's behavior. To address this issue, this paper proposes URefFlow, a unified Android malware detection model based on reflective calls, in which each reflective call statement is replaced by a non-reflective call statement: the parameters of the reflective call are combined into a standard function call, which makes the reflective call explicit. After extracting the complete sensitive data-flows with reflective calls from an application, we analyze the characteristics of these data-flows to determine whether the application is malicious. Evaluation results on thousands of applications show that URefFlow can achieve an impressive detection accuracy of 95.6% with a false positive rate of 0.8%. In addition, the proposed approach complements existing static taint analysis techniques well.
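
The rewriting step the abstract describes can be sketched as follows. This is an added example, not code from the paper or from URefFlow. It assumes a constructed single-assignment toy IR, constant string propagation as the only resolution strategy, one sample source and one sample sink, and a hypothetical helper `com.example.Cfg.decode` that stands for a name computed at run time.

```python
# Added illustration over a constructed toy IR; not URefFlow's implementation.
SOURCES = {"android.telephony.TelephonyManager.getDeviceId"}
SINKS = {"android.telephony.SmsManager.sendTextMessage"}
REFLECT = "java.lang.reflect.Method.invoke"

# Constructed method body, one tuple per statement: (dest, op, operands...)
SAMPLE = [
    ("id", "call", "android.telephony.TelephonyManager.getDeviceId", []),
    ("cn", "const", "android.telephony.SmsManager"),
    ("mn", "const", "sendTextMessage"),
    ("c", "forName", "cn"),
    ("m", "getMethod", "c", "mn"),
    ("r", "invoke", "m", ["id"]),
    ("dn", "call", "com.example.Cfg.decode", []),  # hypothetical: name built at run time
    ("m2", "getMethod", "c", "dn"),
    ("r2", "invoke", "m2", ["id"]),
]

def resolve_reflection(body):
    """Rewrite invoke statements whose class and method names are constants."""
    strings, classes, methods, out = {}, {}, {}, []
    for stmt in body:
        dest, op = stmt[0], stmt[1]
        if op == "const":
            strings[dest] = stmt[2]
        elif op == "forName" and stmt[2] in strings:
            classes[dest] = strings[stmt[2]]
        elif op == "getMethod" and stmt[2] in classes and stmt[3] in strings:
            methods[dest] = classes[stmt[2]] + "." + strings[stmt[3]]
        elif op == "invoke" and stmt[2] in methods:
            stmt = (dest, "call", methods[stmt[2]], stmt[3])  # explicit call
        out.append(stmt)  # unresolved invokes are kept unchanged
    return out

def call_edges(body):
    """Callees a call-graph builder would record for this body."""
    return [s[2] if s[1] == "call" else REFLECT
            for s in body if s[1] in ("call", "invoke")]

def sensitive_flows(body):
    """(source, sink) pairs found by a forward taint pass over explicit calls."""
    taint, flows = {}, []
    for s in body:
        if s[1] != "call":  # an invoke is opaque to the taint pass
            continue
        dest, callee, args = s[0], s[2], s[3]
        if callee in SOURCES:
            taint[dest] = callee
        for a in args:
            if a in taint and callee in SINKS:
                flows.append((taint[a], callee))
    return flows
```

On the sample body the taint pass reports no flow before rewriting and one source-to-sink flow afterwards. The second `invoke`, whose method name is not a constant, stays unresolved and would need a stronger string analysis.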