Yajin Zhou,Xuxian Jiang

DOI: https://doi.org/10.1109/sp.2012.16

2012-01-01

Abstract:The popularity and adoption of smart phones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples. In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.

Xi Xiao,Xianni Xiao,Yong Jiang,Xuejiao Liu,Runguo Ye

DOI: https://doi.org/10.1002/ett.3016

IF: 3.6

2016-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:With the popularity of Android devices, mobile malware in Android has became more prevalent. Malware causes lots of harm to users, such as stealing personal information and using too much battery or CPU. Detecting mobile malware is the main task in Android security. In this work, we use a dynamic analysis method to distinguish malware with system call sequences. At first, we track the system calls of applications under different events. Then two different feature models, the frequency vector and the co‐occurrence matrix, are employed to extract features from the system call sequence. Finally, we apply Adaptive Regularization Of Weight Vectors and other machine learning algorithms to identify Android malware based on the aforementioned two models, respectively. We evaluate our method with 1189 benign applications and 1227 malicious applications. The experiment results show that the co‐occurrence matrix can achieve a much better detection rate than the frequency vector. Our best detection rate is 97.7per cent with false positive rate being 1.34per cent, which is better than those of the existing methods. Copyright © 2016 John Wiley & Sons, Ltd.

Tianshi Mu,Huajun Chen,Jinran Du,Aidong Xu

DOI: https://doi.org/10.1109/imcec46724.2019.8983860

2019-01-01

Abstract:With the in-depth development of the Internet industry, the mobile Internet has been effectively integrated into daily work. However, Android has many extremely serious security issues. In our work, we apply text classification technology to the detection of Android malware, based on the deep learning. We extract the Android malware API sequence based on the Cuckoo sandbox, and use the text processing technology to solve the detection problem of Android malware. To evaluating the performance of our system, we compared it with Dalvik based on the Bi-LSTM. The accuracy of API extraction method using Cuckoo is higher than Dalvik, reaching the accuracy of 96.74%. To further verify the effects of different models, we compared it with GRU, BGRU and LSTM using Cuckoo Sandbox as API extraction method. The result demonstrate the Bi-LSTM has the highest accuracy.

Xi Xiao,Peng Fu,Xianni Xiao,Yong Jiang,Qing Li,Runiu Lu

DOI: https://doi.org/10.1109/iccsnt.2015.7490915

2015-01-01

Abstract:Malware in Android has enjoyed a prevalence as Android has taken up a primary market in the mobile devices. In this paper, Adaptive Regularization Of Weights (AROW) and Support Vector Machine (SVM) are used to identify malware with both the static and dynamic analysis. Permissions, control flow graphs and system calls are taken as the application's classification features. Single features, the combination of permissions and control flow graphs, and the combination of the three features are all analyzed thoroughly. Compared with the previous work, AROW and SVM with the combination of the features could increase the TPR and decrease the FPR. Furthermore, the results of AROW and SVM are profoundly evaluated in this paper. As regard to the single features, SVM could perform better with the feature of permissions or system calls, while AROW provides a better result with control flow graphs. For the combination of the features, AROW gives a better result than SVM.

Haipeng Zhang,Shudong Li,Xiaobo Wu,Weihong Han,Laifu Wang

DOI: https://doi.org/10.1109/DSC53577.2021.00100

2021-01-01

Abstract:With the popularity of smartphones, android quickly occupied the market, and at the same time, millions of android malware increase every year, which caused great losses to users. so it's crucial to detect unknown android malware efficiently before install it. Machine learning has achieved outstanding performance in many fields, and so does android malware detection. Nowadays, many methods of detecting android malware based on machine learning have been proposed. These methods can be classified as dynamic analysis, static analysis, and hybrid analysis according to what kind of features they use. the dynamic analysis will waste a lot of time because it requires running software. What's more, it's hard to get all malicious behaviors because of Anti-Sandbox technology, which means malware might change its behavior to avoid detecting when malware is running in Sandbox. In this paper, we proposed a new android malware detection approach using multi-features and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm. The static features we use cover permissions and API calls of each android application and the size of the android application package. We used BOW(bag of words) to process permission feature, standardization to process packages size feature, and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm to handle API calls features. Machine-learning algorithms including AdaBoost, LinearSVC, GaussianNB are used for Classification. The experimental results on public datasets demonstrated our system could detect android malware efficiently.

Shubham Shakya,Mayank Dave

DOI: https://doi.org/10.48550/arXiv.2208.06130

2022-08-12

Abstract:With the increasing popularity of Android in the last decade, Android is popular among users as well as attackers. The vast number of android users grabs the attention of attackers on android. Due to the continuous evolution of the variety and attacking techniques of android malware, our detection methods should need an update too. Most of the researcher's works are based on static features, and very few focus on dynamic features. In this paper, we are filling the literature gap by detecting android malware using System calls. We are running the malicious app in a monitored and controlled environment using an emulator to detect malware. Malicious behavior is activated with some simulated events during its runtime to activate its hostile behavior. Logs collected during the app's runtime are analyzed and fed to different machine learning models for Detection and Family classification of Malware. The result indicates that K-Nearest Neighbor and the Decision Tree gave the highest accuracy in malware detection and Family Classification respectively.

Cryptography and Security

Zhaoxuan Li,Ziming Zhao,Rui Zhang,Haoyang Lu,Wenhao Li,Fan Zhang,Siqi Lu,Rui Xue

DOI: https://doi.org/10.1016/j.comnet.2024.110563

IF: 5.493

2024-01-01

Computer Networks

Abstract:The continuous emergence of malware has threatened to the Android platform and user privacy. With the evolution of the Android system and malware, it is challenging to design a method that can accurately identify the categories of sophisticated malware, including known and unknown families, as well as their obfuscated variants, given that they may be newly emerging and lack available detection knowledge. Although some methods try to use anomaly detection and zero-shot technology to identify unseen applications, they are limited to binary classification or lack the robustness, stability, universality, and interpretability in multi-class identification. To this end, we first propose a generic meta-features mining algorithm, which can discover the potential relationships between samples belonging to the same category. Then we present metaNet, a novel method leveraging meta-features to identify sophisticated Android malware. Specifically, metaNet is mainly powered by four components: (i) mExtractor is a feature collector to obtain the static and dynamic features. (ii) mProcessor is taking unique meta-features of each category from extracted features. (iii) mLearner is a machine learning suite that leverages features and meta-features to design and train a classifier called HSU-Net. (iv) mEnforcer is a flexible deployer that identifies categories of malware families in the real world. We implement a prototype of metaNet with 15K lines of Python code and compare it with state-of-the-art (SOTA) methods. The results show that it can not only achieve superior performance in terms of known families (99.52% of accuracy) and unknown families (99.31% of accuracy trained with 80% known families) for binary classification, but also perform well in multi-class identification, i.e., 99.05% and 93.45% of accuracy for known and unknown families, respectively. Furthermore, we deploy and evaluate metaNet in the real world. It can identify applications over an acceptable time and memory overheads, i.e., average of 11.8s and 56MB per sample with a size of 8MB. Also, the few-shot detection and feature perturbation experiments reflect its robustness and stability benefiting from meta-features. Finally, we collect the traffic of 112 decentralized applications (DApps) belonging to 16 categories, such as finance and health, and evaluated metaNet in DApp identification. The results illustrate its applicability across various tasks. That is, it can accurately classify 94.6% and 81.36% of DApp flows in all-known and 80%-known DApp scenarios, respectively, outperforming the SOTA methods.

Chao Ding,Nurbol Luktarhan,Bei Lu,Wenhui Zhang

DOI: https://doi.org/10.3390/e23081009

2021-08-03

Abstract:With the popularity of Android, malware detection and family classification have also become a research focus. Many excellent methods have been proposed by previous authors, but static and dynamic analyses inevitably require complex processes. A hybrid analysis method for detecting Android malware and classifying malware families is presented in this paper, and is partially optimized for multiple-feature data. For static analysis, we use permissions and intent as static features and use three feature selection methods to form a subset of three candidate features. Compared with various models, including k-nearest neighbors and random forest, random forest is the best, with a detection rate of 95.04%, while the chi-square test is the best feature selection method. After using feature selection to explore the critical static features contained in this dataset, we analyzed a subset of important features to gain more insight into the malware. In a dynamic analysis based on network traffic, unlike those that focus on a one-way flow of traffic and work on HTTP protocols and transport layer protocols, we focused on sessions and retained protocol layers. The Res7LSTM model is then used to further classify the malicious and partially benign samples detected in the static detection. The experimental results show that our approach can not only work with fewer static features and guarantee sufficient accuracy, but also improve the detection rate of Android malware family classification from 71.48% in previous work to 99% when cutting the traffic in terms of the sessions and protocols of all layers.

Deqing Zou,Yueming Wu,Siru Yang,Anki Chauhan,Wei Yang,Jiangying Zhong,Shihan Dou,Hai Jin

DOI: https://doi.org/10.1145/3442588

IF: 3.685

2021-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:Android, the most popular mobile operating system, has attracted millions of users around the world. Meanwhile, the number of new Android malware instances has grown exponentially in recent years. On the one hand, existing Android malware detection systems have shown that distilling the program semantics into a graph representation and detecting malicious programs by conducting graph matching are able to achieve high accuracy on detecting Android malware. However, these traditional graph-based approaches always perform expensive program analysis and suffer from low scalability on malware detection. On the other hand, because of the high scalability of social network analysis, it has been applied to complete large-scale malware detection. However, the social-network-analysis-based method only considers simple semantic information (i.e., centrality) for achieving market-wide mobile malware scanning, which may limit the detection effectiveness when benign apps show some similar behaviors as malware. In this article, we aim to combine the high accuracy of traditional graph-based method with the high scalability of social-network-analysis--based method for Android malware detection. Instead of using traditional heavyweight static analysis, we treat function call graphs of apps as complex social networks and apply social-network--based centrality analysis to unearth the central nodes within call graphs. After obtaining the central nodes, the average intimacies between sensitive API calls and central nodes are computed to represent the semantic features of the graphs. We implement our approach in a tool called IntDroid and evaluate it on a dataset of 3,988 benign samples and 4,265 malicious samples. Experimental results show that IntDroid is capable of detecting Android malware with an F-measure of 97.1% while maintaining a True-positive Rate of 99.1%. Although the scalability is not as fast as a social-network-analysis--based method (i.e., MalScan ), compared to a traditional graph-based method, IntDroid is more than six times faster than MaMaDroid . Moreover, in a corpus of apps collected from GooglePlay market, IntDroid is able to identify 28 zero-day malware that can evade detection of existing tools, one of which has been downloaded and installed by more than ten million users. This app has also been flagged as malware by six anti-virus scanners in VirusTotal, one of which is Symantec Mobile Insight .

Jinran Du,Huajun Chen,Weijie Zhong,Zhen Liu,Aidong Xu

DOI: https://doi.org/10.1109/icsai.2018.8599356

2018-01-01

Abstract:With the rapid spread of wireless networks and 4G networks, the application of mobile intelligent terminals has become more and more widespread. At the same time, there are more and more malicious software for mobile terminals, especially for the Android platform. Aiming at the detection problem of Android malicious code, a dynamic and static combined Android malicious code detection model based on SVM was proposed. Firstly, the dynamic and static features of Android program are extracted. Then, these features were vectored, used for the training and testing of SVM (Support vector machine). As shown in the experiments, the correct detection rate of Android malware is as high as 94.38%, recall rate achieving 98.46%, proved the effectiveness of the method.

Xi Xiao,Shaofeng Zhang,Francesco Mercaldo,Guangwu Hu,Arun Kumar Sangaiah

DOI: https://doi.org/10.1007/s11042-017-5104-0

IF: 2.577

2017-01-01

Multimedia Tools and Applications

Abstract:As Android-based mobile devices become increasingly popular, malware detection on Android is very crucial nowadays. In this paper, a novel detection method based on deep learning is proposed to distinguish malware from trusted applications. Considering there is some semantic information in system call sequences as the natural language, we treat one system call sequence as a sentence in the language and construct a classifier based on the Long Short-Term Memory (LSTM) language model. In the classifier, at first two LSTM models are trained respectively by the system call sequences from malware and those from benign applications. Then according to these models, two similarity scores are computed. Finally, the classifier determines whether the application under analysis is malicious or trusted by the greater score. Thorough experiments show that our approach can achieve high efficiency and reach high recall of 96.6% with low false positive rate of 9.3%, which is better than the other methods.

Yi-Ming Chen,Tzung-Han Jeng,Yung-Ching Shyong

DOI: https://doi.org/10.1109/ICCCI49374.2020.9145994

2020-06-01

Abstract:Nowadays Android smart mobile devices have become the main target of malware developers, so detecting and preventing Android malware has become an important issue of information security. Therefore, this paper proposes an Android application classification system that combines static permissions and dynamic packet analysis. This system first obtains the static information of Android applications through static analysis, classifies the applications as benign or malicious through machine learning, and avoids excessive dynamic data collection time by filtering out benign applications. Then in the dynamic analysis stage, the malware's network traffic is used to extract multiple types of features, and then machine learning is used to achieve the malware family classification. The experimental results showed that the accuracy rate of the static model for malicious and benign classification was 98.86%. On the other hand, the accuracy of the dynamic model proposed in this paper for family classification of applications is 96%, which is better than 94.33% of DroidClassifier [1]. The final experiment confirmed that the system proposed in this paper can not only save 52.5% of dynamic data collection time but also improve the accuracy of Android application family classification.

Computer Science

Shaofeng Zhang,Xi Xiao

DOI: https://doi.org/10.1109/Trustcom/BigDataSE/ICESS.2017.237

2017-01-01

Abstract:The detection of the malicious application or malware on Android platform is a very concerned issue. Many studies have demonstrated their effect from static property analysis and dynamic analysis. However, their accuracy and efficacy still cannot satisfy the demand. In this paper, we propose CSCdroid, an accurate malware detection approach for Android via contribution-level-based system call (SC) categorization. Different from existing works, which use all SCs to construct feature vectors so as to determine the security of applications, CSCdroid first introduces a concept named contribution to quantitatively evaluate SCs relevance for malware identification. Based on the contribution level, CSCdroid can categorize SCs into two types, determinate SCs and normal SCs. Eventually, CSCdroid builds a Markov chain by replacing all normal SCs with one specific SC in the SC sequence. Then it constructs the target feature vector from the probability matrix and use the Support Vector Machine (SVM) to detect Android malware. Such way can effectively reduce the state number of Markov chains, and cut down the dimension of the feature vectors into the SVM classifier. Our evaluation confirms our approach possesses the malware detection ability with a high accuracy rate.

Dakshinamoorthy Karthikeyan,Arun Sivakumar,Chamundeswari Arumugam

DOI: https://doi.org/10.37394/23209.2022.19.27

2022-11-07

WSEAS TRANSACTIONS ON INFORMATION SCIENCE AND APPLICATIONS

Abstract:In recent years, mobile malware takes anywhere between several hours to several days to screen an app for malicious activity. More than 6000 apps are added to the Google Play Store everyday on average. Security analysts face an uphill battle against malware developers as the complexity of malware and code obfuscation techniques are constantly increasing. Currently, most research focuses on the development and application of machine learning techniques for malware detection. However, their success has been limited due to a lack of depth in the data sets available for training models. This paper uses a new method of Dynamic Analysis for Android apps to extract large amounts of information on the behavior of any app which can then be used for training models or to enable security analysts to take an informed decision quickly.

Sanya Chaba,Rahul Kumar,Rohan Pant,Mayank Dave

DOI: https://doi.org/10.48550/arXiv.1709.08805

2017-09-26

Abstract:Static detection technologies based on signature-based approaches that are widely used in Android platform to detect malicious applications. It can accurately detect malware by extracting signatures from test data and then comparing the test data with the signature samples of virus and benign samples. However, this method is generally unable to detect unknown malware applications. This is because, sometimes, the machine code can be converted into assembly code, which can be easily read and understood by humans. Furthuremore, the attacker can then make sense of the assembly instructions and understand the functioning of the program from the same. Therefore we focus on observing the behaviour of the malicious software while it is actually running on a host system. The dynamic behaviours of an application are conducted by the system call sequences at the end. Hence, we observe the system call log of each application, use the same for the construction of our dataset, and finally use this dataset to classify an unknown application as malicious or benign.

Cryptography and Security

ZHANG Wen,YAN Han-bing,WEN Wei-ping

DOI: https://doi.org/10.3969/j.issn.1671-1122.2013.01.008

2013-01-01

Abstract:At present, malware is mainly detected through static-based approach, but the recognition rate is low. Based on the mechanism of static detection, this paper gave a behavior-based approach which analysis the behavior of sensitive function in the application. In this way, using the traces of variables and equivalent function matching to determine whether an Android package have malicious behavior. The behavior-based approach improves the accuracy of the static detection. This paper implement a detect tool aim at SMS Trojan and is proved its effectiveness in testing.

T. Möttönen,P. Hannonen,M. Oka

Abstract:

Xiao Xi,Xiao Xianni,Jiang Yong,Li Qing

DOI: https://doi.org/10.1007/978-3-319-23829-6_35

2014-01-01

Abstract:With the rapid development of Android devices, mobile malware in Android becomes more prevalent. Therefore, it is rather important to develop an effective model for malware detection. Permissions, system calls, and control flow graphs have been proved to be important features in detection. In this paper, we utilize both static and dynamic strategies with a text classification method, TMSVM, to identify the mobile malware in these three aspects. At first, features have to be selected. Since the sum of control flow graphs is very large, Chi-Square method is used to get the key graphs. Then features are transformed into vectors and TMSVM is subsequently applied to get the classification result. In the static method, we firstly analyze permissions and control flow graphs respectively and then think of the combination of them. In the dynamic method, the system calls are considered. At last, based on the results of the static method and dynamic method, a hybrid classification model of three layers classification is proposed. Compared with the other methods, our method increases the TPR and decreases the FPR.

Rajan Thangaveloo,Wong Wang Jing,Chiew Kang Leng,Johari Abdullah

DOI: https://doi.org/10.18517/ijaseit.10.2.10238

2020-03-28

Abstract:Android system has become a target for malware developers due to its huge market globally in recent years. The emergence of 5G in the market and limited protocols post a great challenge to the security in Android. Hence, various techniques have been taken by researchers to ensure high security in Android devices. There are three types of analysis namely static, dynamic and hybrid analysis used to detect and analyze the malicious application in Android. Due to evolving nature of the malware, it is very challenging for the existing techniques to detect and analyze it efficiently and accurately. This paper proposed a Dynamic Analysis Technique in Android Malware detection called DATDroid. The proposed technique consists of three phases, which includes feature extraction, feature selection and classification phases. A total of five features namely system call, errors and time of system call process, CPU usage, memory and network packets are extracted. During the classification 70% of the dataset was allocated for training phase and 30% for testing phase using machine learning algorithm. Our experimental results achieved an overall accuracy of 91.7% with lower false positive rates as compared to benchmarked method. DATDroid also achieved higher precision and recall rate of 93.1% and 90.0%, respectively. Hence our proposed technique has proven to be able to classify malware more accurately and reduce misclassification of malware application as benign significantly.

Yongfeng Li,Tong Shen,Xin Sun,Xuerui Pan,Bing Mao

DOI: https://doi.org/10.1007/978-3-319-28865-9_2

2015-01-01

Abstract:With the popularity of Android devices, more and more Android malware are manufactured every year. How to filter out malicious app is a serious problem for app markets. In this paper, we propose DroidADDMiner, an efficient and precise system to detect, classify and characterize Android malware. DroidADDMiner is a machine learning based system that extracts features based on data dependency between sensitive APIs. It extracts API data dependence paths embedded in app to construct feature vectors for machine learning. While DroidSIFT [13] also attempts automated detection of Android applications according to data flow analysis, DroidADDMiner can not only reduce the run time but also characterize malware’s behaviors automatically. We implement DroidADDMiner based on FlowDroid [14] and evaluate it using 5648 malware samples and 14280 benign apps. Experiments show that, for malware detection, DroidADDMiner achieves a 98% detection rate, with a 0.3% false positive rate. For malware classification, the accuracy of classifying malicious apps under their proper family labels is 96%. Although performing data flow analysis, most of the experimental samples can be examined in 60 seconds.