Revisiting Static Analysis of Android Malware.

CSET @ USENIX Security Symposium (2017)

Citations: 23 | Views: 28
Abstract
The mobile malware threat is fought by both static and dynamic analysis, two complementary approaches in need of constant sharpening. In this paper, static analysis is revisited to update and deepen knowledge about Android malware, correlate malicious samples through common artifacts, and further understand malware developers' modus operandi. By looking at more than 200,000 malware samples, our study revealed interesting new insights such as: the presence of duplicated permissions in the manifest, the variation of the certificate validity period between malware and benign applications, the pertinence of looking at each sample's certificate file name, and the presence of Android applications nested inside other applications (APKs inside APKs). We also seek to revisit previous findings from related work on Android static analysis in order to confirm or refute them. In some cases, our findings are significantly different from previous work (e.g., diversity of certificates used to sign malware). Therefore, since the Android malware landscape is evolving, we conclude that our overall knowledge must be kept up-to-date.