Fingerprinting Cyber-Infrastructures of Android Malware

2021
In this chapter, we propose ToGather, an automatic investigation framework for Android malware cyber-infrastructures. In our context, a malware cyber-infrastructure is a set of IP addresses and domain names orchestrated together to serve as a backend for malicious activities, including malicious apps. The ToGather framework is a set of techniques and tools, together with security feeds, that automatically builds situational awareness about Android malware cyber-infrastructures. ToGather characterizes the cyber-infrastructure starting from Android malware samples, relating the malware to its network footprint in terms of IPs and domains. ToGather goes a step further by dividing this cyber-infrastructure into sub-infrastructure components based on the connectivity between nodes. The result is the segmentation of the global threat network into multiple network communities, each representing a granular sub-cyber-infrastructure. To this end, ToGather leverages cyber-threat intelligence derived from various sources such as spam, Windows malware, darknet, and passive DNS to ascribe cyber-threats to the corresponding cyber-infrastructure. Accordingly, the input of the ToGather framework consists of malware samples together with security feeds, while the output represents networks of cyber-infrastructures together with their network footprint, giving the security practitioner an overview of Android malware cyber-activities on the Internet.
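As an added illustration of the pipeline the abstract describes (this is not the paper's own ToGather code): a small Python sketch that links sample identifiers to the domains and IPs they contact, segments the resulting graph into sub-infrastructures by connectivity, and tags each one with the threat feeds that mention its footprint. All sample names, hosts and feed entries below are constructed placeholders, and plain connected components stand in for whatever community-detection method the framework actually uses.

```python
from collections import defaultdict

# Constructed input (placeholders, not from the paper): each Android sample maps to the
# network indicators (domains / IPs) observed in its traffic or embedded in its code.
MALWARE_INDICATORS = {
    "sample_A": {"c2-one.example", "203.0.113.10"},
    "sample_B": {"c2-one.example", "update.example"},
    "sample_C": {"198.51.100.7"},
    "sample_D": {"198.51.100.7", "panel.example"},
    "sample_E": {"lonely.example"},
}

# Constructed threat-intelligence feeds: which source (spam, Windows malware, darknet,
# passive DNS, ...) has already seen a given indicator.
THREAT_FEEDS = {
    "203.0.113.10": {"darknet"},
    "update.example": {"spam"},
    "198.51.100.7": {"windows_malware"},
}

def build_graph(indicators):
    """Undirected bipartite graph with sample <-> indicator edges."""
    adj = defaultdict(set)
    for sample, hosts in indicators.items():
        for host in hosts:
            adj[sample].add(host)
            adj[host].add(sample)
    return adj

def connected_components(adj):
    """Segment the global threat graph into sub-infrastructures by connectivity."""
    seen, components = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            comp.add(node)
            stack.extend(adj[node] - seen)
        components.append(comp)
    return components

def profile_infrastructures(indicators, feeds):
    """One record per sub-infrastructure: its samples, its network footprint, feed tags."""
    records = []
    for comp in connected_components(build_graph(indicators)):
        samples = sorted(n for n in comp if n in indicators)
        footprint = sorted(n for n in comp if n not in indicators)
        tags = sorted(set().union(*(feeds.get(h, set()) for h in footprint)))
        records.append({"samples": samples, "footprint": footprint, "tags": tags})
    return sorted(records, key=lambda r: r["samples"])
```

Samples that share no indicator end up in separate records, so a sample whose only host appears in no feed (sample_E here) surfaces as an untagged sub-infrastructure rather than being silently merged into a larger one.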