
Identification of malicious android app using manifest and opcode features

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

In this paper, we propose a statistical approach for smartphone malware detection. A set of features such as hardware, permissions, application components, filtered intents, opcodes and strings are extracted from the samples to form a vector space model. Feature selection methods, Entropy based Category Coverage Difference (ECCD) and Weighted Mutual Information (WI), are used to choose the prominent features. The performance of the system is analyzed using the classifiers Random Forest, Rotation Forest and Support Vector Machine (SVM). The system was evaluated on the individual models as well as on a meta feature space model, for both malware and benign features. It was observed that the meta feature space model with malware features provides the best results for both feature selection methods. For ECCD, the Random Forest classifier performs better [Dataset 1—0.972, Dataset 2—0.976 and Dataset 3—0.969], whereas in the case of WI, SVM gives the highest F-measure [Dataset 1—0.993, Dataset 2—0.994 and Dataset 3—0.992]. From the overall analysis of the system, we conclude that the malware model outperforms its benign counterpart and also that WI is a better feature selection technique compared to ECCD.
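The manifest side of the feature extraction described in the abstract, as an added example that is not the paper's code: it parses constructed AndroidManifest.xml samples into permission, hardware, component and filtered-intent terms, builds the binary vector space model, and ranks the terms with plain mutual information as a stand-in for the WI and ECCD scores the abstract names but does not define. The sample manifests, their labels and the helper names are assumptions.

```python
import math
import xml.etree.ElementTree as ET
from collections import Counter
ANDROID = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID  # how ElementTree spells the android:name attribute after namespace expansion
PREFIX = {"uses-permission": "perm:", "uses-feature": "hw:", "action": "intent:"}  # <action> only occurs in <intent-filter>

def _mf(top, app):  # wrap constructed fragments in a minimal manifest (helper, assumption)
    return '<manifest xmlns:android="%s">%s<application>%s</application></manifest>' % (ANDROID, top, app)

# Constructed, labelled samples standing in for the paper's datasets (not real apps).
SAMPLES = [
    (_mf('<uses-permission android:name="android.permission.SEND_SMS"/><uses-permission android:name="android.permission.READ_CONTACTS"/>'
         '<uses-permission android:name="android.permission.INTERNET"/>',
         '<activity android:name=".A"/><receiver android:name=".R"><intent-filter>'
         '<action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>'), "malware"),
    (_mf('<uses-permission android:name="android.permission.SEND_SMS"/><uses-permission android:name="android.permission.INTERNET"/>',
         '<service android:name=".S"/><receiver android:name=".R"><intent-filter>'
         '<action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>'), "malware"),
    (_mf('<uses-permission android:name="android.permission.INTERNET"/><uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>'
         '<uses-feature android:name="android.hardware.camera"/>',
         '<activity android:name=".A"><intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter></activity>'), "benign"),
    (_mf('<uses-permission android:name="android.permission.INTERNET"/><uses-feature android:name="android.hardware.camera"/>',
         '<activity android:name=".A"><intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter></activity>'), "benign"),
]

def manifest_features(xml_text):
    """Manifest features the abstract lists: permissions, hardware features, app components and filtered intents."""
    feats = set()
    for el in ET.fromstring(xml_text).iter():
        if el.tag in PREFIX:
            feats.add(PREFIX[el.tag] + el.get(NAME))
        elif el.tag in ("activity", "service", "receiver", "provider"):
            feats.add("comp:" + el.tag)  # component type is kept, the app-specific class name is not
    return feats

def mutual_information(column, labels):
    """MI in bits between one binary feature column and the class labels (plain MI, not the paper's WI)."""
    n = len(labels)
    joint, pt, pc = Counter(zip(column, labels)), Counter(column), Counter(labels)
    return sum(k / n * math.log2((k / n) / (pt[t] / n * pc[c] / n)) for (t, c), k in joint.items())

def rank_features(labelled_xml):
    """Build the binary vector space model over all manifests and rank vocabulary terms by MI, best first."""
    sets = [(manifest_features(x), y) for x, y in labelled_xml]
    vocab = sorted(set().union(*(s for s, _ in sets)))
    labels = [y for _, y in sets]
    scores = {f: mutual_information([int(f in s) for s, _ in sets], labels) for f in vocab}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
```

Terms present in every sample (here INTERNET) score zero and fall to the bottom, which is the pruning effect a feature selection step is meant to achieve before the classifier sees the vectors.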




Correspondence to P. Vinod.

Appendix: Test results for dataset 2 and dataset 3

See Tables 21, 22, 23, 24, 25, 26, 27 and 28.

Table 21 Performance with manifest features (malware) in prediction phase using ECCD in Dataset 2
Table 22 Evaluation metrics for manifest features (malware) in predicting samples in test set using ECCD in Dataset 3
Table 23 Evaluation metrics with manifest features (benign) in predicting samples using ECCD in Dataset 2
Table 24 Evaluation metrics for manifest features (benign) in prediction phase using ECCD in Dataset 3
Table 25 Performance with manifest features (malware) in prediction phase using WI in Dataset 2
Table 26 Evaluation metrics for manifest features (malware) in predicting samples in test set using WI in Dataset 3
Table 27 Evaluation metrics with manifest features (benign) in predicting samples in test set using WI in Dataset 2
Table 28 Evaluation metrics for manifest features (benign) in prediction phase using WI in Dataset 3


Varsha, M.V., Vinod, P. & Dhanya, K.A. Identification of malicious android app using manifest and opcode features. J Comput Virol Hack Tech 13, 125–138 (2017). https://doi.org/10.1007/s11416-016-0277-z
