DroidExec: Root exploit malware recognition against wide variability via folding redundant function-relation graph

DroidExec is a novel root exploit recognition to reduce the influence of wide variability, which usually affects the Android malware detection rate, because of Android applications´s various properties. In Android, a specific malware family (e.g., root exploit malware), and thus its implementation may be influenced by the campaign it is serving, and thus producing wide variability, leading its samples to appear to match a wider range of potential families. In this paper, we propose a similarity recognition named as DroidExec, reducing wide variability via folding redundant function-relation graph based on Bipartite Graph Conceptual Matching of graph edit distance. We compute the multiple square roots for each 2×2 block in the cost matrix to conceptually cripple the wide variability. In the experiments, we measure the applications´s opcode structural similarity for clustering Android malware. Empirical validation shows that DroidExec can effectively filter surplus and various behaviors, which can improve the precision/recall rate from 82%/95% to 83%/97%, respectively.