
Identifying Android malware using dynamically obtained features

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

The constant evolution of mobile devices' resources and features has turned ordinary phones into powerful, portable computers, on which users make payments, store sensitive information and even access accounts on remote machines. This scenario has contributed to the rapid rise of new malware samples targeting mobile platforms. Since Android is the most widespread mobile operating system and offers more application-market options (official and alternative stores), it has been the main target for mobile malware. Markets that publish Android applications have thus served as a point of infection for many users, who unknowingly download popular applications that are in fact disguised malware. Hence, there is an urgent need for techniques to analyze and identify malicious applications before they are published and able to harm users. In this article, we present a system that dynamically identifies whether an Android application is malicious, based on machine learning and on features extracted from Android API calls and system call traces. We evaluated our system with 7,520 apps (3,780 for training and 3,740 for testing) and obtained a detection rate of 96.66%.
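The abstract describes the pipeline only in outline: run each app, record the Android API calls and system calls it makes, turn those traces into feature vectors and train a classifier. The following is an added example of that pipeline in miniature; it is not the paper's code, data or classifier. Everything specific in it is an assumption: the trace format (one "API <name>" or "SYS <name>" per line, a constructed stand-in for APIMonitor or strace output), the encoding of an app as per-call counts, the multinomial naive Bayes classifier, and the definition of detection rate as TP / (TP + FN). The traces are constructed, not real samples. The second test app is deliberately one whose payload never fires during the run, to show the coverage limit of any purely dynamic feature set.

```python
"""Classify Android apps from dynamic traces by API / system-call counts.

Added example, not the paper's code. Assumptions NOT taken from the page:
trace line format "API <name>" / "SYS <name>" (constructed), per-call count
features, a from-scratch multinomial naive Bayes classifier, and
detection rate defined as TP / (TP + FN) over the labelled test apps.
"""
import math
from collections import Counter


def parse_trace(text):
    """Turn one app's trace into a Counter of "API:<name>" / "SYS:<name>".

    Lines that are not exactly two tokens starting with API or SYS are
    ignored, so emulator chatter in the log never becomes a feature.
    """
    feats = Counter()
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in ("API", "SYS"):
            feats[parts[0] + ":" + parts[1].strip()] += 1
    return feats


class NaiveBayes:
    """Multinomial naive Bayes over call counts with Laplace smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha      # smoothing weight
        self.vocab = set()      # every call name seen in training
        self.counts = {}        # label -> Counter of call counts
        self.docs = Counter()   # label -> number of training apps

    def fit(self, samples):
        for label, feats in samples:
            self.docs[label] += 1
            self.counts.setdefault(label, Counter()).update(feats)
            self.vocab.update(feats)
        return self

    def log_posteriors(self, feats):
        n_docs, v = sum(self.docs.values()), len(self.vocab)
        scores = {}
        for label, cnt in self.counts.items():
            total = sum(cnt.values())
            lp = math.log(self.docs[label] / n_docs)
            for f, k in feats.items():
                if f not in self.vocab:
                    continue    # a call never seen in training carries no evidence
                lp += k * math.log((cnt[f] + self.alpha) / (total + self.alpha * v))
            scores[label] = lp
        return scores

    def predict(self, feats):
        scores = self.log_posteriors(feats)
        return max(scores, key=scores.get)


def evaluate(model, samples, positive="malicious"):
    """Detection rate = TP/(TP+FN); false-positive rate = FP/(FP+TN)."""
    tp = fn = fp = tn = 0
    for label, feats in samples:
        hit = model.predict(feats) == positive
        if label == positive:
            tp, fn = tp + hit, fn + (not hit)
        else:
            fp, tn = fp + hit, tn + (not hit)
    return {"detection_rate": tp / (tp + fn) if tp + fn else 0.0,
            "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0}


# Constructed trace lines (not real samples): SMS sending plus IMEI/number
# reads and dynamic class loading stand in for premium-SMS style behaviour.
SMS = "API android.telephony.SmsManager.sendTextMessage\n"
IMEI = "API android.telephony.TelephonyManager.getDeviceId\n"
NUM = "API android.telephony.TelephonyManager.getLine1Number\n"
DEX = "API dalvik.system.DexClassLoader.loadClass\n"
GSS = "API android.content.Context.getSystemService\n"
HTTP = "API java.net.HttpURLConnection.openConnection\n"
LOC = "API android.location.LocationManager.getLastKnownLocation\n"
CONNECT, READ, WRITE = "SYS connect\n", "SYS read\n", "SYS write\n"

TRAIN_TRACES = [
    ("malicious", IMEI + SMS * 2 + DEX + CONNECT + WRITE * 2),
    ("malicious", SMS * 3 + NUM + CONNECT + WRITE),
    ("benign", GSS + HTTP + READ * 3 + WRITE + CONNECT),
    ("benign", GSS * 2 + LOC + READ * 2 + CONNECT),
]
TEST_TRACES = [
    ("malicious", SMS * 2 + IMEI + CONNECT + WRITE),
    ("malicious", GSS + READ * 2 + CONNECT),   # payload dormant during the run
    ("benign", GSS + HTTP + READ * 2 + WRITE),
]


def run_demo():
    """Train on TRAIN_TRACES, score TEST_TRACES; returns (model, metrics)."""
    model = NaiveBayes().fit([(lbl, parse_trace(t)) for lbl, t in TRAIN_TRACES])
    metrics = evaluate(model, [(lbl, parse_trace(t)) for lbl, t in TEST_TRACES])
    return model, metrics


if __name__ == "__main__":
    print(run_demo()[1])   # detection_rate 0.5 (dormant payload missed), false_positive_rate 0.0
```

The first test app is caught because its SMS and IMEI calls only ever appeared in malicious training traces; the second is missed because nothing it did during the run differs from a benign app, which is exactly why a sandbox that does not drive the app into its trigger conditions undercounts the malicious set. The held-out split matters for the same reason the paper separates training and testing apps: scoring the training set would hide this kind of miss.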


Notes

  1. These actions generate costs to the user.

  2. Some samples performed actions that seemed to be only useful for the amusement of the author.

  3. https://code.google.com/p/droidbox/wiki/APIMonitor.

  4. This file defines the functions that are monitored.

  5. The lists of API functions and system calls used are presented in http://pastebin.com/T7Yfbksq and http://pastebin.com/5Xyjh8GS.

  6. The lists with the SHA-1 hash values of the samples used can be found at http://pastebin.com/0K9Xxj7U (training/malicious), http://pastebin.com/FCp9pCsK (training/benign), http://pastebin.com/ZwLnDPJd (testing/malicious) and http://pastebin.com/apV32ywX (testing/benign).


Acknowledgments

Part of the results presented in this paper was obtained through the project “Evaluation and prevention of security vulnerabilities in smartphones and tablets”, sponsored by Samsung Electronics da Amazônia Ltda., within the framework of law No. 8,248/91.

Author information

Corresponding author: Vitor Monte Afonso.


Cite this article

Afonso, V.M., de Amorim, M.F., Grégio, A.R.A. et al. Identifying Android malware using dynamically obtained features. J Comput Virol Hack Tech 11, 9–17 (2015). https://doi.org/10.1007/s11416-014-0226-7
