An exploratory study on the evolution of Android malware quality

In the context of software engineering, product software quality measures how well a software artifact is designed and coded. Software products must satisfy nonfunctional properties (eg, reliability, usability, understandability, and maintainability), in order to make maintenance and evolution sustainable in the long period. Software evolution is an issue of interest for the malware writers, too, for 2 reasons. First, to evade detection with the minimum effort, malware writers use to produce "variants," which are obtained by applying little changes to existing malware. Morevoer, recent studies demonstrated that malware is increasingly improving evasion strategies and infection mechanisms and is using more and more complex payloads. This suggests that malware writers are devoting relevant efforts and skills for producing high-quality software. For this reason, we wonder whether malware writers are devoting effort to improve the structural quality of their code, too, as it happens in the development of goodware. To investigate this question, we (1) characterize a dataset containing about 20 000 Android applications, divided into goodware and malware ones, relying on the Android API version they require, and (2) compute software quality metrics, divided into 4 categories (ie, dimensional, complexity, object-oriented, and Android-oriented metrics) for apps belonging to each population. We then identify evolution trends of these metrics in malware and goodware. The results of our study demonstrate that goodware and malicious applications exhibit similar evolution trends for some of the quality indicators, suggesting that malware writers care about the overall quality of their code. Code quality could be considered an indirect measure of how many and how fast variants of existing malware will be released in the wild.