Obfuscated Mobile Malware Detection by Means of Dynamic Analysis and Explainable Deep Learning

With the growth of the mobile market, malicious applications represent a risk to the security of the users. To mitigate this aspect, researchers proposed different techniques to spot and identify unsafe software placed on the market. On the other hand, malicious writers started to develop ever more sophisticated strategies to hide malicious payloads, in particular through the adoption of obfuscation techniques. The latter consists of hiding the behavior and purpose of malware from antimalware. In this paper, we propose and design a method aimed to detect obfuscated malware. The proposed method builds images directly from system call traces obtained from legitimate, malicious, and obfuscated Android applications. In addition, to show that dynamic analysis and deep learning can build resilient models we propose two experiments using a convolutional neural network. In the first experiment, we train and test the model using a dataset composed of malware, while in the second we train the model using the malware dataset but the model is evaluated using a dataset composed of obfuscated malware. Finally, we analyze the malware and obfuscated detection models from the point of view of explainability using two different class activation mapping algorithms, to understand whether the model predictions can be considered resilient.