Michael C. Grace,Yajin Zhou,Qiang Zhang,Shihong Zou,Xuxian Jiang

DOI: https://doi.org/10.1145/2307636.2307663

2012-01-01

Abstract:ABSTRACTSmartphone sales have recently experienced explosive growth. Their popularity also encourages malware authors to penetrate various mobile marketplaces with malicious applications (or apps). These malicious apps hide in the sheer number of other normal apps, which makes their detection challenging. Existing mobile anti-virus software are inadequate in their reactive nature by relying on known malware samples for signature extraction. In this paper, we propose a proactive scheme to spot zero-day Android malware. Without relying on malware samples and their signatures, our scheme is motivated to assess potential security risks posed by these untrusted apps. Specifically, we have developed an automated system called RiskRanker to scalably analyze whether a particular app exhibits dangerous behavior (e.g., launching a root exploit or sending background SMS messages). The output is then used to produce a prioritized list of reduced apps that merit further investigation. When applied to examine 118,318 total apps collected from various Android markets over September and October 2011, our system takes less than four days to process all of them and effectively reports 3281 risky apps. Among these reported apps, we successfully uncovered 718 malware samples (in 29 families) and 322 of them are zero-day (in 11 families). These results demonstrate the efficacy and scalability of RiskRanker to police Android markets of all stripes.

Christopher S. Gates,Ninghui Li,Hao Peng,Bhaskar Sarma,Yuan Qi,Rahul Potharaju,Cristina Nita-Rotaru,Ian Molloy

DOI: https://doi.org/10.1109/tdsc.2014.2302293

2014-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:One of Android's main defense mechanisms against malicious apps is a risk communication mechanism which, before a user installs an app, warns the user about the permissions the app requires, trusting that the user will make the right decision. This approach has been shown to be ineffective as it presents the risk information of each app in a “stand-alone” fashion and in a way that requires too much technical knowledge and time to distill useful information. We discuss the desired properties of risk signals and relative risk scores for Android apps in order to generate another metric that users can utilize when choosing apps. We present a wide range of techniques to generate both risk signals and risk scores that are based on heuristics as well as principled machine learning techniques. Experimental results conducted using real-world data sets show that these methods can effectively identify malware as very risky, are simple to understand, and easy to use.

Hasan Alkahtani,Theyazn H. H. Aldhyani

DOI: https://doi.org/10.3390/s22062268

IF: 3.9

2022-03-15

Sensors

Abstract:With the rapid expansion of the use of smartphone devices, malicious attacks against Android mobile devices have increased. The Android system adopted a wide range of sensitive applications such as banking applications; therefore, it is becoming the target of malware that exploits the vulnerabilities of the security system. A few studies proposed models for the detection of mobile malware. Nevertheless, improvements are required to achieve maximum efficiency and performance. Hence, we implemented machine learning and deep learning approaches to detect Android-directed malicious attacks. The support vector machine (SVM), k-nearest neighbors (KNN), linear discriminant analysis (LDA), long short-term memory (LSTM), convolution neural network-long short-term memory (CNN-LSTM), and autoencoder algorithms were applied to identify malware in mobile environments. The cybersecurity system was tested with two Android mobile benchmark datasets. The correlation was calculated to find the high-percentage significant features of these systems in the protection against attacks. The machine learning and deep learning algorithms successfully detected the malware on Android applications. The SVM algorithm achieved the highest accuracy (100%) using the CICAndMal2017 dataset. The LSTM model also achieved a high percentage accuracy (99.40%) using the Drebin dataset. Additionally, by calculating the mean error, mean square error, root mean square error, and Pearson correlation, we found a strong relationship between the predicted values and the target values in the validation phase. The correlation coefficient for the SVM method was R2 = 100% using the CICAndMal2017 dataset, and LSTM achieved R2 = 97.39% in the Drebin dataset. Our results were compared with existing security systems, showing that the SVM, LSTM, and CNN-LSTM algorithms are of high efficiency in the detection of malware in the Android environment.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yiming Jing,Gail-Joon Ahn,Ziming Zhao,Hongxin Hu

DOI: https://doi.org/10.1109/tdsc.2014.2366457

2015-09-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Mobile operating systems, such as Apple's iOS and Google's Android, have supported a ballooning market of feature-rich mobile applications. However, helping users understand and mitigate security risks of mobile applications is still an ongoing challenge. While recent work has developed various techniques to reveal suspicious behaviors of mobile applications, there exists little work to answer the following question: are those behaviors necessarily inappropriate? In this paper, we seek an approach to cope with such a challenge and present a continuous and automated risk assessment framework called RiskMon that uses machine-learned ranking to assess risks incurred by users' mobile applications, especially Android applications. RiskMon combines users' coarse expectations and runtime behaviors of trusted applications to generate a risk assessment baseline that captures appropriate behaviors of applications. With the baseline, RiskMon assigns a risk score on every access attempt on sensitive information and ranks applications by their cumulative risk scores. Furthermore, we demonstrate how RiskMon supports risk mitigation with automated permission revocation. We also discuss a proof-of-concept implementation of RiskMon as an extension of the Android mobile platform and provide both system evaluation and usability study of our methodology.

computer science, information systems, software engineering, hardware & architecture

Pawan Kumar,Sukhdip Singh

DOI: https://doi.org/10.1007/s11042-024-19517-w

IF: 2.577

2024-06-21

Multimedia Tools and Applications

Abstract:An enormous amount of applications that are available for download permits users to enhance the functionality of the devices with brand-new features, which is a significant factor in the growing popularity of smartphones and tablets. In reality, third-party applications for business and entertainment are abundantly available in official stores, with the majority of them being offered for free. However, vulnerable applications may expose private information (such as emails, global GPS location, financial information, and phone contacts). To overcome these issues, the log files are collected for normalizing and selecting the features related to the behaviour and activities using the Min–Max and Recursive Feature Elimination (RFE) based on the MLP. The selected features are learned by using the ensemble learning algorithm, which is a stacking of Bi-directional Long Short Term Memory (Bi-LSTM), Deep Neural Network (DBN) and Radial Basis Functional Network (RBFN) giving the collected learned features from each algorithm to the Meta classifier for predicting the malware. The ensemble learning algorithm then feeds the gathered learned features from each method to the Meta classifier for malware prediction. The suggested strategy protects users' privacy by alerting them when it detects malicious apps and removing them. Accuracy, Precision, Specificity, and Kappa performance measures are assessed and contrasted with the proposed and current models. The proposed model achieved performance metrics values are 99.78%, 99.56%, 99.85% and 98.89%. Thus, the security testing for Android applications based on behaviour and activities using RFE-MLP and Ensemble classifier performs better than the existing model.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Himanshi Babbar,Shalli Rani,Dipak Kumar Sah,Salman A. AlQahtani,Ali Kashif Bashir

DOI: https://doi.org/10.3390/s23167256

IF: 3.9

2023-08-19

Sensors

Abstract:Predicting attacks in Android malware devices using machine learning for recommender systems-based IoT can be a challenging task. However, it is possible to use various machine-learning techniques to achieve this goal. An internet-based framework is used to predict and recommend Android malware on IoT devices. As the prevalence of Android devices grows, the malware creates new viruses on a regular basis, posing a threat to the central system's security and the privacy of the users. The suggested system uses static analysis to predict the malware in Android apps used by consumer devices. The training of the presented system is used to predict and recommend malicious devices to block them from transmitting the data to the cloud server. By taking into account various machine-learning methods, feature selection is performed and the K-Nearest Neighbor (KNN) machine-learning model is proposed. Testing was carried out on more than 10,000 Android applications to check malicious nodes and recommend that the cloud server block them. The developed model contemplated all four machine-learning algorithms in parallel, i.e., naive Bayes, decision tree, support vector machine, and the K-Nearest Neighbor approach and static analysis as a feature subset selection algorithm, and it achieved the highest prediction rate of 93% to predict the malware in real-world applications of consumer devices to minimize the utilization of energy. The experimental results show that KNN achieves 93%, 95%, 90%, and 92% accuracy, precision, recall and f1 measures, respectively.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Joshua Abah,Waziri O.V,Abdullahi M.B,Arthur U.M,Adewale O.S

DOI: https://doi.org/10.5121/ijnsa.2015.7602

2015-12-14

Abstract:The emergence of mobile platforms with increased storage and computing capabilities and the pervasive use of these platforms for sensitive applications such as online banking, e-commerce and the storage of sensitive information on these mobile devices have led to increasing danger associated with malware targeted at these devices. Detecting such malware presents inimitable challenges as signature-based detection techniques available today are becoming inefficient in detecting new and unknown malware. In this research, a machine learning approach for the detection of malware on Android platforms is presented. The detection system monitors and extracts features from the applications while in execution and uses them to perform in-device detection using a trained K-Nearest Neighbour classifier. Results shows high performance in the detection rate of the classifier with accuracy of 93.75%, low error rate of 6.25% and low false positive rate with ability of detecting real Android malware.

Cryptography and Security

Mateusz Krzysztoń,Bartosz Bok,Marcin Lew,Andrzej Sikora

DOI: https://doi.org/10.3390/s22176562

2022-08-31

Abstract:Currently, Android is the most popular operating system among mobile devices. However, as the number of devices with the Android operating system increases, so does the danger of using them. This is especially important as smartphones increasingly authenticate critical activities(e-banking, e-identity). BotSense Mobile is a tool already integrated with some critical applications (e-banking, e-identity) to increase user safety. In this paper, we focus on the novel functionality of BotSense Mobile: the detection of malware applications on a user device. In addition to the standard blacklist approach, we propose a machine learning-based model for unknown malicious application detection. The lightweight neural network model is deployed on an edge device to avoid sending sensitive user data outside the device. For the same reason, manifest-related features can be used by the detector only. We present a comprehensive empirical analysis of malware detection conducted on recent data (May-June, 2022) from the Koodous platform, which is a collaborative platform where over 70 million Android applications were collected. The research highlighted the problem of machine learning model aging. We evaluated the lightweight model on recent Koodous data and obtained f1=0.77 and high precision (0.9).

Kumar, Pawan

DOI: https://doi.org/10.1007/s11042-023-18066-y

IF: 2.577

2024-01-18

Multimedia Tools and Applications

Abstract:Security Testing of Android Applications is a difficult issue. Malicious apps are a threat to the Android platform's security. Traditional solutions are insufficient as the volume of malicious applications grows day by day. Android smartphones are now constantly exposed to new malware because of this predicament. Recent studies have demonstrated that machine learning is effective at spotting Android malware.

computer science, information systems, theory & methods,engineering, electrical & electronic, software engineering

Abdullah Ozbay,Kemal Bicakci

DOI: https://doi.org/10.48550/arXiv.2203.10583

2022-03-20

Cryptography and Security

Abstract:Android devices are equipped with many pre-installed applications which have the capability of tracking and monitoring users. Although applications coming pre-installed pose a great danger to user security and privacy, they have received little attention so far among researchers in the field. In this study, we collect a dataset comprising such applications and make it publicly available. Using this dataset, we analyze tracker SDKs, manifest files and the use of cloud services and report our results. We also conduct a user survey to understand concerns and perceptions of users. Last but not least, we present a risk scoring system which assigns scores for smart phones consolidating our findings based on carefully weighted criteria. With this scoring system, users could give their own trust decisions based on the available concise information about the security and privacy impacts of applications pre-installed on their Android devices.

K. R. Kalphana,S. Aanjankumar,M. Surya,M. S. Ramadevi,K. R. Ramela,T Anitha,N. Nagaprasad,Ramaswamy Krishnaraj

DOI: https://doi.org/10.1038/s41598-024-70544-x

IF: 4.6

2024-09-29

Scientific Reports

Abstract:In recent times, the number of malware on Android mobile phones has been growing, and a new kind of malware is Android ransomware. This research aims to address the emerging concerns about Android ransomware in the mobile sector. Previous studies highlight that the number of new Android ransomware is increasing annually, which poses a huge threat to the privacy of mobile phone users for sensitive data. Various existing techniques are active to detect ransomware and secure the data in the mobile cloud. However, these approaches lack accuracy and detection performance with insecure storage. To resolve this and enhance the security level, the proposed model is presented. This manuscript provides both recognition algorithms based on the deep learning model and secured storage of detected data in the cloud with a secret key to safeguard sensitive user information using the hybrid cryptographic model. Initially, the input APK files and data are preprocessed to extract features. The collection of optimal features is carried out using the Squirrel search optimization process. After that, the Deep Learning-based model, adaptive deep saliency The AlexNet classifier is presented to detect and classify data as malicious or normal. The detected data, which is not malicious, is stored on a cloud server. For secured storage of data in the cloud, a hybrid cryptographic model such as hybrid homomorphic Elliptic Curve Cryptography and Blowfish is employed, which includes key computation and key generation processes. The cryptographic scheme includes encryption and decryption of data, after which the application response is found to attain a decrypted result upon user request. The performance is carried out for both the Deep Learning-based model and the hybrid cryptography-based security model, and the results obtained are 99.89% accuracy in detecting malware compared with traditional models. The effectiveness of the proposed system over other models such as GNN is 94.76%, CNN is 95.76%, and Random Forest is 96%.

multidisciplinary sciences

Junaid Akram,Majid Mumtaz,Gul Jabeen,Ping Luo

DOI: https://doi.org/10.1504/ijics.2021.116310

2021-01-01

International Journal of Information and Computer Security

Abstract:Security researchers and anti-virus industries have speckled stress on an Android malware, which can actually damage your phones and threatens the Android markets. In this paper, we propose and develop DroidMD, a scalable self-improvement based tool, based on auto optimisation of signature set, which detect malicious apps in the market at source code level. A prototype has been developed tested and implemented to detect malware in applications. We implement and evaluate our approach on almost 30,000 applications including 27,000 benign and 3,670 malware applications. DroidMD detects malware in different applications at partial level and full level. It analyses only the applications code, which increase its reliability. Our evaluation of DroidMD demonstrates that our approach is very efficient in detecting malware at large scale with high accuracy of 95.5%.

Silvia Lucia Sanna,Diego Soi,Davide Maiorca,Giorgio Fumera,Giorgio Giacinto

2024-06-04

Abstract:Android is the most used Operating System worldwide for mobile devices, with hundreds of thousands of apps downloaded daily. Although these apps are primarily written in Java and Kotlin, advanced functionalities such as graphics or cryptography are provided through native C/C++ libraries. These libraries can be affected by common vulnerabilities in C/C++ code (e.g., memory errors such as buffer overflow), through which attackers can read/modify data or execute arbitrary code. The detection and assessment of vulnerabilities in Android native code have only been recently explored by previous research work. In this paper, we propose a fast risk-based approach that provides a risk score related to the native part of an Android application. In this way, before an app is released, the developer can check if the app may contain vulnerabilities in the Native Code and, if present, patch them to publish a more secure application. To this end, we first use fast regular expressions to detect library versions and possible vulnerable functions. Then, we apply scores extracted from a vulnerability database to the analyzed application, thus obtaining a risk score representative of the whole app. We demonstrate the validity of our approach by performing a large-scale analysis on more than $100,000$ applications (but only $40\%$ contained native code) and $15$ popular libraries carrying known vulnerabilities. The attained results show that many applications contain well-known vulnerabilities that miscreants can potentially exploit, posing serious concerns about the security of the whole Android applications landscape.

Cryptography and Security

Xiao-Chuan MIAO,Rui WANG,Lei XU,Wei-Feng ZHANG,Bao-Wen XU

DOI: https://doi.org/10.13328/j.cnki.jos.005177

2017-01-01

Abstract:Android system dominates the mobile operating systems at present.Compared with iOS system,Android system is more open and has lots of third-party markets with loose audit mechanism.Therefore,there are more malwares in Android platform.In this paper,an Android security analysis based on sensitive path identification,which includes the static analysis and machine learning methods,is presented.Firstly,since malicious behaviors in malwares have their trigger conditions,the definition of sensitive path is provided.Secondly,a method is proposed to generate the inter-component call graph based on APK files base in the fact that there are a lot of inter-component call relations in Android applications.Thirdly,since the sensitive paths cannot be directly used as features,a method is designed to abstract the sensitive paths.Finally,493 applications APK files are collected from Android markets and the existing data sets,such as Google Play,Wandoujia and Drebin,to construct a benchmark.Experiments indicate that the proposed method has higher accuracy (97.97％) than the method based on API-feature (90.47％),and its precision,recall and F-measure are also better than API-feature method.Furthermore,the scale of the APK file has influence to the experiment results,especially in analyzing time (when the APK files are within 0-4MB,the average analyzing time is 89 seconds;and when the files become larger,the time increases significantly).

Xi Xiao,Peng Fu,Xianni Xiao,Yong Jiang,Qing Li,Runiu Lu

DOI: https://doi.org/10.1109/iccsnt.2015.7490915

2015-01-01

Abstract:Malware in Android has enjoyed a prevalence as Android has taken up a primary market in the mobile devices. In this paper, Adaptive Regularization Of Weights (AROW) and Support Vector Machine (SVM) are used to identify malware with both the static and dynamic analysis. Permissions, control flow graphs and system calls are taken as the application's classification features. Single features, the combination of permissions and control flow graphs, and the combination of the three features are all analyzed thoroughly. Compared with the previous work, AROW and SVM with the combination of the features could increase the TPR and decrease the FPR. Furthermore, the results of AROW and SVM are profoundly evaluated in this paper. As regard to the single features, SVM could perform better with the feature of permissions or system calls, while AROW provides a better result with control flow graphs. For the combination of the features, AROW gives a better result than SVM.

Ai Gong,Yi Zhong,Weiqin Zou,Yangyang Shi,Chunrong Fang

DOI: https://doi.org/10.1109/qrs51102.2020.00017

2020-01-01

Abstract:With the wide-spread use of Android applications in people’s daily life, it becomes more and more important to timely identify the security problems of these applications. To enrich existing studies in guarding the security and privacy of Android applications, we attempted to predict the security risk levels of Android applications. Specifically, we proposed an approach that incorporated Android code smells into traditional Java code metrics to predict how secure an Android application is. With an evaluation of our technique on 3,680 Android applications, we found that: (1) Android code smells could help improve the performance of security risk prediction of Android applications; (2) By building a Random Forest model based on Android code smells and Java code metrics, we could achieve an Area Under Curve (AUC) of 0.97; (3) Android code smells such as member ignoring method (MIM) and leaking inner class (LIC) have a relatively-large influence on Android security risk prediction, to which developers should pay more attention during their application development.

Jing Chen,Chiheng Wang,Kun He,Ziming Zhao,Min Chen,Ruiying Du,Gail-Joon Ahn

DOI: https://doi.org/10.1109/TDSC.2018.2871682

2021-01-01

Abstract:Most of the existing mobile application (app) vetting mechanisms only estimate risks at a coarse-grained level by analyzing app syntax but not semantics. We propose a semantics-aware privacy risk assessment framework (SPRisk), which considers the sensitivity discrepancy of privacy-related factors at semantic level. Our framework can provide qualitative (i.e., risk level) and quantitative (i.e., risk score) assessment results, both of which help users make decisions to install an app or not. Furthermore, to find the reasonable weight distribution of each factor automatically, we exploit a self-learning weight assignment method, which is based on fuzzy clustering and knowledge dependency theory. We implement a prototype system and evaluate the effectiveness of SPRisk with 192,445 normal apps and 7,111 malicious apps. A measurement study further reveals some interesting findings, such as the privacy risk distribution of Google Play Store, the diversity of official and unofficial marketplaces, which provide insights into understanding the seriousness of privacy threat in the Android ecosystem.

Zhiqiang Wang,Gefei Li,Zihan Zhuo,Xiaorui Ren,Yuheng Lin,Jieming Gu

DOI: https://doi.org/10.1155/2022/1289175

IF: 1.968

2022-02-24

Security and Communication Networks

Abstract:Android has become the most popular mobile intelligent operating system with its open platform, diverse applications, and excellent user experience. However, at the same time, more and more attackers take Android as the primary target. The application store, which is the main download source for users, still does not have a complete security authentication mechanism. Given the above problems, we designed an Android application classification model based on multiple semantic features. Firstly, we use analysis tools to automatically extract the application’s dynamic and static features into the text document and use variance and chi-square tests to optimize the features. Combined with natural language processing (NLP), we transform the feature file into a two-dimensional matrix and use the convolution neural network (CNN) to learn features efficiently. Also, to make the model satisfy more application scenarios, we design a dynamic adjustment method according to user requirements, the number of features, and other indicators. The experimental results demonstrate that the detection accuracy of malware is 99.3921%. We also measure this model’s performance in detecting a malware family and benign application, with the classification accuracy of 99.5614% and 99.9046%, respectively.

computer science, information systems,telecommunications

Dhruv Rathi,Rajni Jindal

DOI: https://doi.org/10.48550/arXiv.1805.06620

2018-06-16

Abstract:With the increasing user base of Android devices and advent of technologies such as Internet Banking, delicate user data is prone to be misused by malware and spyware applications. As the app developer community increases, the quality reassurance could not be justified for every application and a possibility of data leakage arises. In this research, with the aim to ensure the application authenticity, Deep Learning methods and Taint Analysis are deployed on the applications. The detection system named DroidMark looks for possible sinks and sources of data leakage in the application by modelling Android lifecycle and callbacks, which is done by Reverse Engineering the APK, further monitoring the suspected processes and collecting data in different states of the application. DroidMark is thus designed to extract features from the applications which are fed to a trained Bayesian Network for classification of Malicious and Regular applications. The results indicate a high accuracy of 96.87% and an error rate of 3.13% in the detection of Malware in Android devices.

Cryptography and Security

Xiaolei Wang,Yuexiang Yang,Yingzhi Zeng

DOI: https://doi.org/10.1186/s40064-015-1356-1

2015-10-07

SpringerPlus

Abstract:As the dominator of the Smartphone operating system market, consequently android has attracted the attention of s malware authors and researcher alike. The number of types of android malware is increasing rapidly regardless of the considerable number of proposed malware analysis systems. In this paper, by taking advantages of low false-positive rate of misuse detection and the ability of anomaly detection to detect zero-day malware, we propose a novel hybrid detection system based on a new open-source framework CuckooDroid, which enables the use of Cuckoo Sandbox's features to analyze Android malware through dynamic and static analysis. Our proposed system mainly consists of two parts: anomaly detection engine performing abnormal apps detection through dynamic analysis; signature detection engine performing known malware detection and classification with the combination of static and dynamic analysis. We evaluate our system using 5560 malware samples and 6000 benign samples. Experiments show that our anomaly detection engine with dynamic analysis is capable of detecting zero-day malware with a low false negative rate (1.16 %) and acceptable false positive rate (1.30 %); it is worth noting that our signature detection engine with hybrid analysis can accurately classify malware samples with an average positive rate 98.94 %. Considering the intensive computing resources required by the static and dynamic analysis, our proposed detection system should be deployed off-device, such as in the Cloud. The app store markets and the ordinary users can access our detection system for malware detection through cloud service.