Android currently represents the most widespread operating system focused on mobile devices. It is not surprising that the majority of malware is created to perpetrate attacks targeting mobile devices equipped with this operating systems. In the mobile malware landscape, there exists a plethora of malware families exhibiting different malicious behaviors. One of the recent threat in this landscape is represented by the HummingBad malware, able to perpetrate multiple attacks for obtain root credentials and to silently install applications on the infected device. From these considerations, in this paper we discuss two different methodologies aimed to detect malicious samples targeting Android environment. In detail the first approach is based on machine learning technique, while the second one is a model checking based approach. Moreover, the model checking approach is able to localize the malicious behaviour of the application under analysis code, in terms of package, class and method. We evaluate the effectiveness of both the designed methods on real-world samples belonging to the HummingBad malware family, one of the most recent and aggressive behaviour embed into malicious Android applications.

Android目前代表着最广泛的针对移动设备的操作系统。毫不奇怪的是，大多数恶意软件都是为了针对安装了此操作系统的移动设备的攻击而进行的。在移动恶意软件领域，存在大量表现出不同恶意行为的恶意软件家族。HummingBad代表了这一景观中最近的威胁之一恶意软件，能够进行多种攻击以获得根凭据，并在受感染的设备上以静默方式安装应用程序。基于这些考虑，本文将讨论两种不同的方法，这些方法旨在检测针对Android环境的恶意样本。详细地说，第一种方法是基于机器学习技术的，而第二种方法是基于模型检查的方法。此外，模型检查方法能够根据软件包，类和方法来在分析代码下定位应用程序的恶意行为。我们评估这两种设计方法对HummingBad恶意软件家族的真实样本的有效性，该样本是嵌入到恶意Android应用程序中的最新且具有攻击性的行为之一。