Journal of Intelligent Information Systems

, Volume 38, Issue 1, pp 161–190 | Cite as

“Andromaly”: a behavioral malware detection framework for android devices

  • Asaf ShabtaiEmail author
  • Uri Kanonov
  • Yuval Elovici
  • Chanan Glezer
  • Yael Weiss


This article presents Andromaly—a framework for detecting malware on Android mobile devices. The proposed framework realizes a Host-based Malware Detection System that continuously monitors various features and events obtained from the mobile device and then applies Machine Learning anomaly detectors to classify the collected data as normal (benign) or abnormal (malicious). Since no malicious applications are yet available for Android, we developed four malicious applications, and evaluated Andromaly’s ability to detect new malware based on samples of known malware. We evaluated several combinations of anomaly detection algorithms, feature selection method and the number of top features in order to find the combination that yields the best performance in detecting new malware on Android. Empirical results suggest that the proposed framework is effective in detecting malware on mobile devices in general and on Android in particular.


Mobile devices Machine learning Malware Security Android 


  1. Adam, P. F., Chaudhuri, A., & Foster, J. S. (2009). SCanDroid: Automated security certification of android applications. In IEEE symposium of security and privacy.Google Scholar
  2. Bose, A., Hu, X., Shin, K. G., & Park, T. (2008). Behavioral detection of malware on mobile handsets. In Proc. of the 6th international conference on mobile systems, applications, and services.Google Scholar
  3. Botha, R. A., Furnell, S. M., & Clarke, N. L. (2009). From desktop to mobile: Examining the security experience. Computer & Security, 28, 130–137.CrossRefGoogle Scholar
  4. Buennemeyer, T. K., et al. (2008). Mobile device profiling and intrusion detection using smart batteries. In International conference on system sciences (pp. 296–296).Google Scholar
  5. Chandola, V., Banerjee, A., & Kumar, V. (2009). Anomaly detection: A survey. ACM Computing Surveys, 41(3), 1–58.CrossRefGoogle Scholar
  6. Chaudhuri, A. (2009). Language-based security on android. In ACM workshop on programming languages and analysis for security (PLAS) (pp. 1–7).Google Scholar
  7. Cheng, J., Wong, S. H., Yang, H., & Lu, S. (2007). SmartSiren: Virus detection and alert for smartphones. In Proceedings of the 5th international conference on mobile systems, applications and services.Google Scholar
  8. Dagon, C., Martin, T., & Starner, T. (2004). Mobile phones as computing devices the viruses are coming. Pervasive Computing, 3, 11–15.CrossRefGoogle Scholar
  9. Domingos, P., & Pazzani, M. (1997). On the optimality of simple Bayesian classifier under zero-one loss. Machine Learning, 29, 103–130.CrossRefzbMATHGoogle Scholar
  10. Egele, M., Krugel, C., Kirda, E., Yin, H., & Song, D. (2007). Dynamic spyware analysis. In USENIX annual technical conference (pp. 233–246).Google Scholar
  11. Emm, D. (2006). Mobile malware – new avenues. Network Security, 2006(11), 4–6.CrossRefGoogle Scholar
  12. Enck, W., Ongtang, M., & McDaniel, P. (2008). Mitigating android software misuse before it happens. Tech. report NAS-TR-0094–2008, Network and Security Research Ctr., Dept. Computer Science and Eng., Pennsylvania State Univ.Google Scholar
  13. Enck, W., Ongtang, M., & McDaniel, P. (2009). Understanding android security. IEEE Security & Privacy Magazine, 7(1), 50–57.CrossRefGoogle Scholar
  14. Endler, D. (1998). Intrusion detection: Applying machine learning to solaris audit data. In Proceedings of the 14th annual computer security applications conference.Google Scholar
  15. Garcia-Teodoro, P., Diaz-Verdejo, J., Macia-Fernandez, G., & Vazquez, E. (2009). Anomaly-based network intrusion detection: Techniques, systems and challenges. Computers & Security, 28(1–2), 18–28.CrossRefGoogle Scholar
  16. Golub, T., et al. (1999). Molecular classification of cancer: Class discovery and class prediction by gene expression monitoring. Science, 286, 531–537.CrossRefGoogle Scholar
  17. Griffin, K., Schneider, S., Hu, X., & Chiueh, T. (2009). Automatic generation of string signatures for malware detection. In Proc. of the 12th international symposium on recent advances in intrusion detection.Google Scholar
  18. Gryaznov, D. (1999). Scanners of the year 2000: Heuritics. The 5th international virus bulletin.Google Scholar
  19. Guo, C., Wang, H. J., & Zhu, W. (2004). Smart-phone attacks and defenses. In HotNets III.Google Scholar
  20. Hwang, S. S., Cho, S., & Park, S. (2009). Keystroke dynamics-based authentication for mobile devices. Computer & Security, 28, 85–93.CrossRefGoogle Scholar
  21. Imam, I. F., Michalski, R. S., & Kerschberg, L. (1993). Discovering attribute dependence in databases by integrating symbolic learning and statistical analysis techniques. In Proceeding of the AAAI-93 workshop on knowledge discovery in databases.Google Scholar
  22. Jacob, G., Debar, H., & Filiol, E. (2008). Behavioral detection of malware: From a survey towards an established taxonomy. Journal in Computer Virology, 4, 251–266.CrossRefGoogle Scholar
  23. Jacoby, G. A., & Davis, N. J. (2004). Battery-based intrusion detection. In Global telecommunications conference (GLOBECOM’04).Google Scholar
  24. Jain, A. K., Murty, M. N., & Flynn, P. J. (1999). Data clustering. ACM Computing Surveys, 31(3):264–296.CrossRefGoogle Scholar
  25. John, G. H., & Langley, P. (1995). Estimating continuous distributions in bayesian classifiers. In Proc. of the conference on uncertainty in artificial intelligence (pp. 338–345).Google Scholar
  26. Kim, H., Smith, J., & Shin, K. G. (2008). Detecting energy-greedy anomalies and mobile malware variants. In Proceeding of the 6th international conference on mobile systems, applications, and services.Google Scholar
  27. Koong, K. S., Liu, L. C., Bai, S., & Lin, B. (2008). Identity theft in the USA: Evidence from 2002 to 2006. International Journal of Mobile Communications, 6(2), 199–216.CrossRefGoogle Scholar
  28. Leavitt, N. (2005). Mobile phones: The next frontier for hackers? Computer, 38(4), 20–23.CrossRefGoogle Scholar
  29. Lee, W., & Xiang, D. (2001). Information-theoretic measures for anomaly detection. In Proc. of the IEEE symposium on security and privacy (pp. 130–143).Google Scholar
  30. Lee, W., Stolfo, S., & Mok, K. (1999). A data mining framework for building intrusion detection models. In Proc. of the 1999 IEEE symposium on security and privacy. Oakland.Google Scholar
  31. Lee, W., Fan, W., Miller, M., Stolfo, S., & Zadok, E. (2002). Toward cost-sensitive modeling for intrusion detection and response. Journal of Computer Security, 10(1–2), 5–22.Google Scholar
  32. Menahem, E., Shabtai, A., Rokach, L., & Elovici, Y. (2008). Improving malware detection by applying multi-inducer ensemble. Computational Statistics and Data Analysis, 53(4), 1483–1494.CrossRefMathSciNetGoogle Scholar
  33. Miettinen, M., Halonen, P., & Hätönen, K. (2006). Host-based intrusion detection for advanced mobile devices. In Proc. of the 20th international conference on advanced information networking and applications.Google Scholar
  34. Mitchell, T. (1997). Machine learning. New York: McGraw-Hill.zbMATHGoogle Scholar
  35. Moreau, Y., Preneel, B., Burge, P., Shawe-Taylor, J., Stoermann, C., & Cooke, C. (1997). Novel techniques for fraud detection in mobile telecommunication networks. In ACTS mobile summit.Google Scholar
  36. Moser, A., Kruegel, C., & Kirda, E. (2007). Limits of static analysis for malware detection. In Annual computer security applications conference (pp. 421–430).Google Scholar
  37. Moskovitch, R., Elovici, Y., & Rokach, L. (2008). Detection of unknown computer worms based on behavioral classification of the host. Computational Statistics and Data Analysis, 52(9), 4544–4566.CrossRefzbMATHMathSciNetGoogle Scholar
  38. Muthukumaran, D., et al. (2008). Measuring integrity on mobile phone systems. In Proceedings of the 13th ACM symposium on access control models and technologies.Google Scholar
  39. Nash, D. C., et al. (2005). Towards an intrusion detection system for battery exhaustion attacks on mobile computing devices. In Pervasive computing and communications workshops.Google Scholar
  40. Neter, J., Kutner, M. H., Nachtsheim, C. J., & Wasserman, W. (1996). Applied linear statistical models. McGraw-Hill.Google Scholar
  41. Ongtang, M., McLaughlin, S., Enck, W., & McDaniel, P. (2009). Semantically rich application-centric security in android. In Proceedings of the 25th annual computer security applications conference (ACSAC). Honolulu.Google Scholar
  42. Pearl, J. (1988). Probabilistic reasoning in intelligent systems: Networks of plausible inference. Massachusetts: Morgan Kaufmann.Google Scholar
  43. Piercy, M. (2004). Embedded devices next on the virus target list. IEEE Electronics Systems and Software, 2, 42–43.CrossRefGoogle Scholar
  44. Quinlan, J. R. (1993). C4.5: Programs for machine learning. San Francisco: Morgan Kaufmann.Google Scholar
  45. Rieck, K., Holz, T., Willems, C., Düssel, P., & Laskov, P. (2008). Learning and classification of malware behavior. In Proc. of the conference on detection of intrusions and malware & vulnerability assessment (pp. 108–125).Google Scholar
  46. Russel, S., & Norvig, P. (2002). Artificial intelligence: A modern approach. Prentice Hall.Google Scholar
  47. Samfat, D., & Molva, R. (1997). IDAMN: An intrusion detection architecture for mobile networks. IEEE Journal on Selected Areas in Communications, 15(7), 1373–1380.CrossRefGoogle Scholar
  48. Schmidt, A. D., Schmidt, H. G., Yüksel, K. A., Kiraz, O., Camptepe, S. A., & Albayrak, S. (2008). Enhancing security of linux-based android devices. In Proc. of the 15th international linux system technology conference.Google Scholar
  49. Schmidt, A. D., Peters, F., Lamour, F., Scheel, C., Camtepe, S. A., & Albayrak, S. (2009). Monitoring smartphones for anomaly detection. Mobile Networks and Applications (MONET ), 14(1), 92–106.CrossRefGoogle Scholar
  50. Shabtai, A., Fledel, Y., & Elovici, Y. (2009a). Detecting malicious applications on android by applying machine learning classifiers to static features (Poster). Presented in the 25th annual computer security applications conference (ACSAC). Honolulu, Hawaii.Google Scholar
  51. Shabtai, A., Fledel, Y., Elovici, Y., & Shahar, Y. (2009b). Knowledge-based temporal abstraction in clinical domains. Journal in Computer Virology, 8(3), 267–298.Google Scholar
  52. Shabtai, A., Moskovitch, R., Elovici, Y., & Glezer, C. (2009c). Detection of malicious code by applying machine learning classifiers on static features: A state-of-the-art survey. Information Security Technical Report, 14(1):1–34.CrossRefGoogle Scholar
  53. Shabtai, A., Fledel, Y., Kanonov, U., Elovici, Y., & Dolev, S. (2009d). Google android: A state-of-the-art review of security mechanisms. CoRR abs/0912.5101.Google Scholar
  54. Shabtai, A., Kanonov, U., & Elovici, Y. (2010a). Intrusion detection on mobile devices using the knowledge based temporal-abstraction method. Journal of Systems and Software, 83(8), 1524–1537.CrossRefGoogle Scholar
  55. Shabtai, A., Fledel, Y., Kanonov, U., Elovici, Y., Dolev, S., & Glezer, C. (2010b) Google android: A comprehensive security assessment. IEEE Security and Privacy Magazine. doi: 10.1109/MSP.2010.2.
  56. Shannon, C. E. (1948). The mathematical theory of communication. The Bell system Technical Journal, 27(3), 379–423.zbMATHMathSciNetGoogle Scholar
  57. Shih, D. H., Lin, B., Chiang, H. S., & Shih, M. H. (2008). Security aspects of mobile phone virus: A critical survey. Industrial Management & Data Systems, 108(4), 478–494.CrossRefGoogle Scholar
  58. Yap, T. S., & Ewe, H. T. (2005). A mobile phone malicious software detection model with behavior checker. Lecture Notes in Computer Science, 3597, 57–65.CrossRefGoogle Scholar
  59. Yin, H., Song, D., Egele, M., Krugel, C., & Kirda, E. (2007). Panorama: Capturing system-wide information flow for malware detection and analysis. In ACM conference on computer and communications security.Google Scholar

Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

  • Asaf Shabtai
    • 1
    Email author
  • Uri Kanonov
    • 1
  • Yuval Elovici
    • 1
  • Chanan Glezer
    • 1
  • Yael Weiss
    • 1
  1. 1.Deutsche Telekom Laboratories at Ben-Gurion University, Department of Information Systems EngineeringBen-Gurion UniversityBe’er ShevaIsrael

Personalised recommendations