A temporal analysis and evaluation of fuzzy hashing algorithms for Android malware analysis

Abstract

Fuzzy hashing has been utilised in digital forensics and malware analysis for malware detection, malware variant classification, file clustering, document similarity detection, embedded object detection and fragment detection. Previous research considered the efficacy of fuzzy hashing at a point in time for malware classification and did not specifically address the problem of malware evolution. Android malware presents a significant cybersecurity threat, and since malware is constantly mutating, a temporal analysis of the effectiveness of fuzzy hashing techniques for Android malware detection and classification contributes to understanding the value of fuzzy hashes in the evolution of malware. Through experimental examination, this study sought to determine whether or not fuzzy hashes are always effective, how quickly malware is evolving, and how malware evolution affects fuzzy hashing. Comparisons are made between the performance of different fuzzy hashing algorithms and the distinction between hashes at the file and class levels. Experiments with known malware family and analysis with over 4500 APK files, including 100 benign samples collected from 2012 - 2022 were conducted using various fuzzy hashing algorithms, file-level and section-level similarity hashing, symbolic and raw opcode hashing, and optimisations for improving fuzzy hashing comparisons. The performance of the methods was evaluated using detection and false positive rates. The results show that fuzzy hashing algorithms remain a valuable technique that demonstrates robustness to malware evolution with 10-year detection rates of over 80%.