Fast Identification of Obfuscation and Mobile Advertising in Mobile Malware

The presence of mobile malware on Android devices is indisputable. For static analysis of mobile malware, the nature of the source code is of particular interest as it determines the amount of resources required for an in-depth analysis. On the one hand, the more obfuscation is used in the code, the more time is needed for static analysis. On the other hand, correct identification of various benign third party libraries can considerably speed up static analysis as these libraries can be omitted. In this paper we focus on very fast identification of Identifier renaming, Reflection, Encryption, and mobile Advertising (IREA) in mobile malware. We propose heuristics for detecting IREA in mobile malware and provide a chronological quantitative analysis of IREA in mobile malware gathered between October 2009 and July 2014. The chronological quantitative analysis reveals general facts about the evolution of mobile malware, e.g. that identifier renaming is still on the rise, reflection hit its peak in 2012 and that more than 10% of mobile malware employ third party libraries for mobile advertising and encryption purposes.