Automatic removal of malicious code fragments from infected host software

Abstract

At a time when mobile security is of paramount importance, this project aims to investigate how, instead of quarantining malware samples upon detection, modifications to the application can be made such that only the malicious sections of the application’s code are removed. By analysing the malware and removing the malicious section, the application will hence be safe to use.

Firstly, the project examines how malware runs and steals information on Android Operating Systems. Using the results of this analysis, the project then develops a program named AndroidMalwareModifier, which aids in the cleaning of suspicious applications and the subsequent removal of the malicious sections of the code. AndroidMalwareModifier thus leaves the application’s main functionalities intact and runnable, removing any traces of the malicious code.

This report also summarizes the test results of using AndroidMalwareModifier to analyse a malware dataset provided by the Android Malware Genome Project. The test results also showed the efficiency of AndroidMalwareModifier on the malware dataset, where 74% of the malware samples tested were successfully modified. The other 26% failed the modification due to outlying exploits not covered by AndroidMalwareModifier, such as malware that aims to bloat devices rather than stealing information.

Lastly, this project explains the technical process of removing the malicious code from these applications in hopes that further research can be conducted to allow AndroidMalwareModifier to modify and clean several new malware types that may appear in the future.