Automated static analysis and classification of Android malware using permission and API calls models
Prikladnaâ diskretnaâ matematika, no. 2 (2017), pp. 84-105.

See the article record from the source Math-Net.Ru

In this paper, we propose a heuristic approach to the static analysis of Android applications based on matching suspicious applications against predefined malware models. The static models are built from the Android capabilities (permissions) and the Android Framework API call chains used by an application. All analysis steps and the model construction are fully automated, so the method can easily be deployed as one of the automated checks run by mobile application marketplaces or other interested organizations. Using the proposed method, we analyzed the Drebin and ISCX malware collections in order to find possible relationships and dependencies between the samples in these collections, and a large fraction of Google Play apps collected between 2013 and 2016 as benign data. The results show that a combination of relatively simple static features, namely permissions and API call chains, is sufficient for binary classification of malware versus benign apps, and even for identifying the corresponding malware family, with an acceptable false positive rate of about 3 %. Exploration of the malware collections shows that modern Android malware rarely uses obfuscation or encryption techniques to hinder static analysis, which is quite the opposite of what is seen on the “Wintel” endpoint platform family. We also provide an experiment-based comparison with the previously proposed state-of-the-art Android malware detection method Adagio. Adagio outperforms our method in detection coverage (98 vs 91 % of malicious samples are covered), but at the same time causes a significant number of false alarms, corresponding to 9.3 % of benign applications on average.
Keywords: static analysis, Android malware.
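The matching described in the abstract, as an added illustration that is not the paper's code: a family model holds the permissions and API call chains it expects, an app's extracted features are scored against every model, and the app is assigned a family only when both kinds of features are covered. The model format, the subsequence matching rule, the threshold and all family and app data are assumptions constructed for this example.

```python
from dataclasses import dataclass
# Added example, not code from the paper. Assumption: a family model is a set of
# permissions plus Android Framework API call chains; a model chain matches when it
# appears as an ordered subsequence (gaps allowed) of one of the app's own call chains.

@dataclass(frozen=True)
class FamilyModel:
    family: str
    permissions: frozenset
    chains: tuple  # each chain is a tuple of fully qualified API method names

def chain_matches(model_chain, app_chain):
    """True if every call of model_chain occurs in app_chain, in order (gaps allowed)."""
    it = iter(app_chain)
    return all(call in it for call in model_chain)

def coverage(model, app_perms, app_chains):
    """Return (permission coverage, chain coverage) of the model by the app, each in [0, 1]."""
    perm_cov = len(model.permissions & app_perms) / len(model.permissions)
    hits = sum(any(chain_matches(mc, ac) for ac in app_chains) for mc in model.chains)
    return perm_cov, hits / len(model.chains)

def classify(app_perms, app_chains, models, threshold=0.75):
    """Pick the best-covered family; an app below the threshold is treated as benign."""
    score_of = lambda m: min(coverage(m, app_perms, app_chains))
    best = max(models, key=score_of)
    score = score_of(best)
    return (best.family, score) if score >= threshold else ("benign", score)

# Constructed family models (illustrative; not the Drebin or ISCX families).
MODELS = (
    FamilyModel("sms_sender", frozenset({"SEND_SMS", "READ_PHONE_STATE"}),
                (("TelephonyManager.getDeviceId", "SmsManager.sendTextMessage"),
                 ("SmsManager.getDefault", "SmsManager.sendTextMessage"))),
    FamilyModel("contact_leaker", frozenset({"READ_CONTACTS", "INTERNET"}),
                (("ContentResolver.query", "HttpURLConnection.getOutputStream"),)),
)

# Constructed feature sets, shaped like what a static extractor such as Androguard yields.
SUSPECT_APP = (frozenset({"SEND_SMS", "READ_PHONE_STATE", "INTERNET"}),
               (("Context.getSystemService", "TelephonyManager.getDeviceId",
                 "SmsManager.getDefault", "SmsManager.sendTextMessage"),))
BENIGN_APP = (frozenset({"INTERNET", "READ_CONTACTS"}),
              (("ContentResolver.query", "TextView.setText"),
               ("HttpURLConnection.connect", "HttpURLConnection.getInputStream")))

if __name__ == "__main__":
    for name, (perms, chains) in (("suspect", SUSPECT_APP), ("benign", BENIGN_APP)):
        print(name, classify(perms, chains, MODELS))
```

Permissions alone would already give BENIGN_APP full coverage of the contact_leaker model; requiring the API call chains as well is what keeps it below the threshold, which is the point the abstract makes about combining the two feature kinds.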
@article{PDM_2017_2_a6,
     author = {A. A. Skovoroda and D. Y. Gamayunov},
     title = {Automated static analysis and classification of {Android} malware using permission and {API} calls models},
     journal = {Prikladna\^a diskretna\^a matematika},
     pages = {84--105},
     publisher = {mathdoc},
     number = {2},
     year = {2017},
     language = {ru},
     url = {http://geodesic.mathdoc.fr/item/PDM_2017_2_a6/}
}
TY  - JOUR
AU  - A. A. Skovoroda
AU  - D. Y. Gamayunov
TI  - Automated static analysis and classification of Android malware using permission and API calls models
JO  - Prikladnaâ diskretnaâ matematika
PY  - 2017
SP  - 84
EP  - 105
IS  - 2
PB  - mathdoc
UR  - http://geodesic.mathdoc.fr/item/PDM_2017_2_a6/
LA  - ru
ID  - PDM_2017_2_a6
ER  - 
%0 Journal Article
%A A. A. Skovoroda
%A D. Y. Gamayunov
%T Automated static analysis and classification of Android malware using permission and API calls models
%J Prikladnaâ diskretnaâ matematika
%D 2017
%P 84-105
%N 2
%I mathdoc
%U http://geodesic.mathdoc.fr/item/PDM_2017_2_a6/
%G ru
%F PDM_2017_2_a6
A. A. Skovoroda; D. Y. Gamayunov. Automated static analysis and classification of Android malware using permission and API calls models. Prikladnaâ diskretnaâ matematika, no. 2 (2017), pp. 84-105. http://geodesic.mathdoc.fr/item/PDM_2017_2_a6/

[1] Skovoroda A., Gamayunov D., “Securing mobile devices: malware mitigation methods”, J. Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, 6:2 (2015), 78–97

[2] Egele M., Kruegel C., Kirda E., Vigna G., “PiOS: Detecting privacy leaks in iOS applications”, Proc. 18th Annual Network and Distributed System Security Symposium, NDSS, San Diego, CA, USA, 2011, http://www.eurecom.fr/publication/3282

[3] Enck W., Gilbert P., Chun B.-G., et al., “TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones”, Proc. 9th USENIX Conf. Operating Systems Design and Implementation, OSDI'10, USENIX Association, Vancouver, BC, Canada, 2010, 1–6

[4] Shabtai A., Tenenboim-Chekina L., Mimran D., et al., “Mobile malware detection through analysis of deviations in application network behavior”, Computers & Security, 43 (2014), 1–18

[5] Kim H., Smith J., Shin K. G., “Detecting energy-greedy anomalies and mobile malware variants”, Proc. 6th Intern. Conf. Mobile Systems, Applications, and Services, MobiSys'08, ACM, Breckenridge, CO, USA, 2008, 239–252

[6] Grace M., Zhou Y., Zhang Q., et al., “RiskRanker: scalable and accurate zero-day android malware detection”, Proc. 10th Intern. Conf. Mobile Systems, Applications, and Services, MobiSys'12, ACM, Low Wood Bay, Lake District, UK, 2012, 281–294

[7] Feng Y., Anand S., Dillig I., Aiken A., “Apposcopy: Semantics-based detection of android malware through static analysis”, Proc. 22nd ACM SIGSOFT Intern. Symp. Foundations of Software Engineering, FSE 2014, ACM, New York, NY, USA, 2014, 576–587

[8] Tam K., Feizollah A., Anuar N. B., et al., “The evolution of android malware and android analysis techniques”, ACM Comput. Surv., 49:4 (2017), Article No. 76

[9] Yang L., Ganapathy V., Iftode L., “Enhancing mobile malware detection with social collaboration”, Proc. 2011 IEEE Third Intern. Conf. Social Computing, SocialCom, IEEE, Boston, MA, 2011, 572–576

[10] Liu L., Yan G., Zhang X., Chen S., “VirusMeter: preventing your cellphone from spies”, LNCS, 5758, 2009, 244–264

[11] Hoffmann J., Neumann S., Holz T., “Mobile malware detection based on energy fingerprints – a dead end?”, LNCS, 8145, 2013, 348–368

[12] Wong M. Y., Lie D., “Intellidroid: a targeted input generator for the dynamic analysis of android malware”, NDSS, 2016

[13] Zhou Y., Wang Z., Zhou W., Jiang X., “Hey, you, get off of my market: detecting malicious apps in official and alternative android markets”, Proc. 19th Annual NDSS Symp., The Internet Society, San Diego, CA, USA, 2012, https://www.internetsociety.org/sites/default/files/07_5.pdf

[14] Aafer Y., Du W., Yin H., “DroidAPIMiner: Mining API-level features for robust malware detection in android”, Security and Privacy in Communication Networks, eds. T. Zia, A. Zomaya, V. Varadharajan, M. Mao, Springer International Publishing, 2013, 86–103

[15] Zhang M., Duan Y., Yin H., Zhao Z., “Semantics-aware android malware classification using weighted contextual API dependency graphs”, Proc. ACM SIGSAC Conf. Computer and Communications Security, CCS'14, ACM, New York, NY, USA, 2014, 1105–1116

[16] Arp D., Spreitzenbarth M., Huebner M., et al., “Drebin: efficient and explainable detection of android malware in your pocket”, Proc. NDSS Symp., The Internet Society, San Diego, CA, USA, 2014, https://www.internetsociety.org/sites/default/files/11_3_1.pdf

[17] Damshenas M., Dehghantanha A., Choo K., Mahmud R., “M0Droid: an android behavioral-based malware detection model”, J. Inform. Privacy Security, 11:3 (2015), 141–157

[18] Aresu M., Ariu D., Ahmadi M., et al., “Clustering android malware families by http traffic”, Proc. MALCON'2015, Fajardo, Puerto Rico, USA, 2015, https://pralab.diee.unica.it/sites/default/files/MALCON_0.pdf

[19] Mariconti E., Onwuzurike L., Andriotis P., et al., “Mamadroid: Detecting android malware by building markov chains of behavioral models”, 2016, arXiv: 1612.04433

[20] Gascon H., Yamaguchi F., Arp D., Rieck K., “Structural detection of android malware using embedded call graphs”, Proc. AISec'13, ACM, New York, NY, USA, 2013, 45–54

[21] Yang Z., Yang M., Zhang Y., et al., “AppIntent: analyzing sensitive data transmission in android for privacy leakage detection”, Proc. CCS'13, ACM, Berlin, Germany, 2013, 1043–1054

[22] Rosen S., Qian Z., Mao Z. M., “AppProfiler: a flexible method of exposing privacy-related behavior in android applications to end users”, Proc. Third ACM Conf. Data and Application Security and Privacy, CODASPY'13, ACM, San Antonio, Texas, USA, 2013, 221–232

[23] Portokalidis G., Homburg P., Anagnostakis K., Bos H., “Paranoid android: versatile protection for smartphones”, Proc. 26th Annual Computer Security Applications Conf., ACSAC'10, ACM, Austin, Texas, USA, 2010, 347–356

[24] Burguera I., Zurutuza U., Nadjm-Tehrani S., “Crowdroid: behavior-based malware detection system for android”, Proc. 1st ACM Workshop Security and Privacy in Smartphones and Mobile Devices, SPSM'11, ACM, Chicago, Illinois, USA, 2011, 15–26

[25] Permissions, Android Developers documentation, 2017, http://developer.android.com/intl/ru/guide/topics/security/permissions.html

[26] Androguard, 2017, https://github.com/androguard/androguard

[27] Au K. W. Y., Zhou Y. F., Huang Z., Lie D., “PScout: analyzing the android permission specification”, Proc. ACM Conf. Computer and Communications Security, CCS'12, ACM, New York, NY, USA, 2012, 217–228

[28] Lu L., Li Z., Wu Z., et al., “CHEX: statically vetting android apps for component hijacking vulnerabilities”, Proc. ACM Conf. Computer and Communications Security, CCS'12, ACM, New York, NY, USA, 2012, 229–240

[29] UNB ISCX Android Botnet malware application collection, 2017, http://www.unb.ca/research/iscx/dataset/iscx-android-botnet-dataset.html

[30] DroidBox: sandboxing Android applications, 2017, http://code.google.com/p/droidbox/

[31] Adagio, 2017, https://github.com/hgascon/adagio