Composition-Malware: Building Android Malware at Run Time

We present a novel model of malware for Android, named composition-malware, which consists of composing fragments of code hosted on different and scattered locations at run time. An key feature of the model is that the malicious behavior could dynamically change and the payload could be activated under logic or temporal conditions. These characteristics allow a malware written according to this model to evade current malware detection technologies for Android platform, as the evaluation has demonstrated. The aim of the paper is to propose new approaches to malware detection that should be adopted in anti-malware tools for blocking a composition-malware.