Abstract
In this paper, we propose a statistical approach for smartphone malware detection. A set of features such as hardware, permissions, application components, filtered intents, opcodes and strings is extracted from the samples to form a vector space model. Feature selection methods, namely Entropy based Category Coverage Difference (ECCD) and Weighted Mutual Information (WI), are used to choose the prominent features. The performance of the system is analyzed using the Random Forest, Rotation Forest and Support Vector Machine (SVM) classifiers. The system was evaluated on the individual feature models as well as on a meta feature space model, for both malware and benign features. It was observed that the meta feature space model with malware features provides the best results for both feature selection methods. For ECCD, the Random Forest classifier performs better [Dataset 1—0.972, Dataset 2—0.976 and Dataset 3—0.969], whereas in the case of WI, SVM gives the highest F-measure [Dataset 1—0.993, Dataset 2—0.994 and Dataset 3—0.992]. From the overall analysis of the system, we conclude that the malware model outperforms its benign counterpart and that WI is a better feature selection technique than ECCD.
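As an added illustration (not code from the paper), the vector space model and the ECCD selection step run over a constructed toy corpus of manifest permissions and Dalvik opcodes, once with malware as the target class (the "malware model") and once with benign as the target. It assumes the usual ECCD definition, a category coverage difference scaled by an entropy factor; the app feature sets are constructed, and the paper's own datasets are not used.

```python
import math
from collections import Counter

# Constructed sample corpus (not the paper's data): each app is a class label
# plus the set of permissions and opcodes extracted from it.
APPS = [
    ("malware", {"SEND_SMS", "READ_PHONE_STATE", "INTERNET", "invoke-virtual", "const-string"}),
    ("malware", {"SEND_SMS", "RECEIVE_BOOT_COMPLETED", "INTERNET", "invoke-virtual"}),
    ("malware", {"SEND_SMS", "READ_PHONE_STATE", "invoke-static", "const-string"}),
    ("malware", {"RECEIVE_BOOT_COMPLETED", "INTERNET", "invoke-virtual", "const-string"}),
    ("benign", {"INTERNET", "ACCESS_NETWORK_STATE", "invoke-virtual", "const-string"}),
    ("benign", {"INTERNET", "CAMERA", "invoke-virtual", "const-string"}),
    ("benign", {"ACCESS_NETWORK_STATE", "invoke-static", "const-string"}),
    ("benign", {"INTERNET", "CAMERA", "invoke-virtual"}),
]

def vector_space(apps):
    """Binary vector space model: sorted vocabulary and one 0/1 row per app."""
    vocab = sorted(set().union(*(feats for _, feats in apps)))
    return vocab, [[1 if t in feats else 0 for t in vocab] for _, feats in apps]

def eccd(apps, target):
    """ECCD score of every feature for class `target` (assumed formula:
    coverage difference times (E_max - E(t)) / E_max)."""
    classes = sorted({c for c, _ in apps})
    e_max = math.log(len(classes))          # entropy of a uniform class spread
    vocab, _ = vector_space(apps)
    n_in = sum(1 for c, _ in apps if c == target)
    n_out = len(apps) - n_in
    scores = {}
    for t in vocab:
        df = Counter(c for c, feats in apps if t in feats)   # doc. freq. per class
        total = sum(df.values())
        # Coverage difference: fraction of target apps carrying t minus the
        # fraction of non-target apps carrying it.
        cov = df[target] / n_in - (total - df[target]) / n_out
        # Entropy of the class distribution among apps carrying t; a feature
        # concentrated in one class has low entropy and keeps its full score.
        ent = -sum((df[c] / total) * math.log(df[c] / total) for c in classes if df[c])
        scores[t] = cov * (e_max - ent) / e_max
    return scores

def select(scores, k):
    """Top-k features by score (the prominent features fed to the classifier)."""
    return [t for t, _ in sorted(scores.items(), key=lambda kv: -kv[1])[:k]]

if __name__ == "__main__":
    for target in ("malware", "benign"):
        print(target, "model:", select(eccd(APPS, target), 3))
```

Features shared equally by both classes (INTERNET, invoke-virtual, const-string) score zero under either target, which is the effect the selection step relies on.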
Cite this article
Varsha, M.V., Vinod, P. & Dhanya, K.A. Identification of malicious android app using manifest and opcode features. J Comput Virol Hack Tech 13, 125–138 (2017). https://doi.org/10.1007/s11416-016-0277-z