Droidloader: Generating New Datasets to Understand Modern Android Malware Behaviours [INDUSTRY PROJECT]

Alex Hayman


Supervised by Eirini S Anthi; Moderated by Yulia Cherdantseva

Android malware has become a prevalent threat to mobile devices with the rise in banking malware and the increase in malware capabilities. Therefore, significant research has been done on Android malware detection, especially solutions that leverage machine learning. However, most of the training data from which these models learn contains outdated Android malware, making the models less effective at detecting recent unknown malware. This thesis covers the evolution and current threats of Android malware and then explores the static and dynamic analysis methods used in research to extract key data from malware. Critical analysis is then conducted on past academic literature, including the datasets it uses, to identify potential limitations in that research. After that, a design is created for the Droidloader tool, which can generate and analyse new Android malware datasets, with careful consideration of the features to implement. The paper then discusses how the design for Droidloader was implemented, explaining certain design choices. After the tool was completed, new datasets were generated and used to plot comparisons against the features in the older datasets to see any behavioural changes. The findings show that there are changes in how malware uses features between the new and outdated datasets. However, there were a few limitations with this approach, as there was evidence of malware type bias being present in the generated datasets.

This project will be in collaboration with PwC.

Final Report (11/09/2023) [Zip Archive]
