Cluster Computing, Volume 21, Issue 1, pp 265–275

DroidWard: An Effective Dynamic Analysis Method for Vetting Android Applications

  • Yubin Yang
  • Zongtao Wei
  • Yong Xu
  • Haiwu He
  • Wei Wang


As the number of malicious Android applications has increased explosively, effectively vetting Android applications (apps) has become an emerging issue. Traditional static analysis is ineffective for vetting apps whose code has been obfuscated or encrypted. Dynamic analysis is suited to dealing with code obfuscation and encryption. However, existing dynamic analysis methods cannot vet applications effectively, because only a limited number of dynamic features have been explored while apps have become increasingly sophisticated. In this work, we propose an effective dynamic analysis method called DroidWard, with the aim of extracting the most relevant and effective features to characterize malicious behavior and improving the detection accuracy of malicious apps. In addition to using the existing 9 features, DroidWard extracts 6 novel types of effective features from apps through dynamic analysis. DroidWard runs apps, extracts features, and identifies benign and malicious apps with Support Vector Machine (SVM), Decision Tree (DTree) and Random Forest. 666 Android apps are used in the experiments, and the evaluation results show that DroidWard correctly classifies 98.54% of malicious apps with 1.55% false positives. Compared to existing work, DroidWard improves the TPR by 16.07% and suppresses the FPR by 1.31% with SVM, indicating that it is more effective than existing methods.


Keywords: Android security; Malware analysis; Malware detection; Dynamic analysis



This work was supported in part by the Scientific Research Foundation through the Returned Overseas Chinese Scholars, Ministry of Education of China, under Grant K14C300020, in part by Shanghai Key Laboratory of Integrated Administration Technologies for Information Security, in part by ZTE Corporation, and in part by the 111 Project under Grant B14005.



Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  • Yubin Yang (1)
  • Zongtao Wei (2)
  • Yong Xu (1)
  • Haiwu He (3)
  • Wei Wang (2)

  1. School of Computer Science & Engineering, South China University of Technology, Guangzhou, China
  2. School of Computer and Information Technology, Beijing Jiaotong University, Beijing, China
  3. Computer Network Information Center, Chinese Academy of Sciences, Beijing, China
