Lightweight versus obfuscation-resilient malware detection in android applications

  • Ali Aghamohammadi
  • Fathiyeh FaghihEmail author
Original Paper


By increasing growth of mobile applications, providing their security has become significant. Among mobile operating systems, Android is the most popular one, and hence, it has drawn more attention from malware programmers. One of the main challenges in designing a malware detection mechanism is handling obfuscation, where malware programmers try to change malware codes, such that they cannot be detected by malware detectors, while they keep their functionalities. In this paper, we propose an obfuscation-resilient method, called ORDroid, which can detect mutated and transformed malwares. We have used RNN and NLP neural networks for achieving this purpose. Our assumption is that the model is run on a server, before the application is published for end users. Users may get an application from different sources, and hence, it is necessary to design methods that can run on end users’ mobile phones. The challenge that should be considered when designing such methods is the limitation of computation and energy resources on a mobile phone. In the second part of this paper, we propose a lightweight malware detection method, called LightDroid. The main idea of this method is to select a minimal number of features from AndroidManifest file, along with a number of picture-based features from Dalvik executable file in a way that the accuracy of the resulting model is close to the state-of-the-art methods, while its complexity is as low as possible. We have fully implemented our proposed methods, as well as some of the state-of-the-art methods, including Drebin and RevealDroid. The results show that LightDroid is the most lightweight one, with 97.49% accuracy on the test data. Evaluation of ORDroid shows that, considering the overall accuracy of both test and transformed data, our model is the best comparing to the most related methods with the accuracy of 98.07% on the normal and 93.00% on the transformed data.


Android Malware detection Obfuscation Classification 



We are grateful to Dr. Mansour Ahmadi, for sharing his valuable experiences with us during this research.


  1. 1.
  2. 2.
    Smartphone OS Market Share. Accessed 9 Dec 2018.
  3. 3.
  4. 4.
    Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K., Siemens, C.E.R.T.: Drebin: effective and explainable detection of android malware in your pocket. In: Ndss, vol. 14, pp. 23–26 (2014)Google Scholar
  5. 5.
    Nataraj, L., Karthikeyan, S, Jacob, G., Manjunath, B.S.: Malware images: visualization and automatic classification. In: Proceedings of the 8th International Symposium on Visualization for Cyber Security, p. 4. ACM (2011)Google Scholar
  6. 6.
    Ahmadi, M., Ulyanov, D., Semenov, S., Trofimov, M., Giacinto, G.: Novel feature extraction, selection and fusion for effective malware family classification. In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pp. 183–194. ACM (2016)Google Scholar
  7. 7.
    Saracino, A., Sgandurra, D., Dini, G., Martinelli, F.: Madam: effective and efficient behavior-based android malware detection and prevention. IEEE Trans. Dependable Secure Comput. 15(1), 83–97 (2018)CrossRefGoogle Scholar
  8. 8.
    Enck, W., Gilbert, P., Han, S., Tendulkar, V., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. (TOCS) 32(2), 5 (2014)CrossRefGoogle Scholar
  9. 9.
    Zhang, Y., Yang, M., Xu, B., Yang, Z., Gu, G., Ning, P., Wang, X.S., Zang, B.: Vetting undesirable behaviors in android apps with permission use analysis. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 611–622. ACM (2013)Google Scholar
  10. 10.
    How does Google Play Protect aim to improve Android security? Accessed 9 Dec 2018.
  11. 11.
    Fratantonio, Y., Bianchi, A., Robertson, W., Kirda, E., Kruegel, C., Vigna, G.: Triggerscope: towards detecting logic bombs in android applications. In: Security and Privacy (SP), 2016 IEEE Symposium on, pp. 377–396. IEEE (2016)Google Scholar
  12. 12.
    Hidden App Malware Found on Google Play. Accessed 9 Dec 2018.
  13. 13.
    Crooks infiltrate Google Play with malware in QR reading utilities. Accessed 9 Dec 2018.
  14. 14.
    A Whale of a Tale: HummingBad Returns. Accessed 9 Dec 2018.
  15. 15.
    Garcia, J., Hammad, M., Malek, S.: Lightweight, obfuscation-resilient detection and family identification of android malware. ACM Trans. Softw. Eng. Methodol. 26(3), 11 (2018)CrossRefGoogle Scholar
  16. 16.
    Aung, Z., Zaw, W.: Permission-based android malware detection. Int. J. Sci. Technol. Res. 2(3), 228–234 (2013)Google Scholar
  17. 17.
    Aafer, Y., Du, W., Yin, H.: Droidapiminer: Mining api-level features for robust malware detection in android. In International Conference on Security and Privacy in Communication Systems, pp. 86–103. Springer, Cham (2013)Google Scholar
  18. 18.
    Mikolov, T., Sutskever, I., Chen, K., Corrado, G.S., Dean, J.: Distributed representations of words and phrases and their compositionality. In: Advances in Neural Information Processing Systems, pp. 3111–3119 (2013)Google Scholar
  19. 19.
    Rong, X.: word2vec parameter learning explained. arXiv preprint arXiv:1411.2738 (2014)
  20. 20.
    ProGuard The open source optimizer and obfuscator for Java bytecode. Accessed 9 Dec 2018.
  21. 21.
    DexProtector-Cutting edge obfuscator for Android apps. Accessed 9 Dec 2018.
  22. 22.
    Rastogi, V., Chen, Y., Jiang, X., et al.: Catch me if you can: evaluating android anti-malware against transformation attacks. IEEE Trans. Inf. Forensics Secur. 9(1), 99–108 (2014)CrossRefGoogle Scholar
  23. 23.
    Hidden miners on Google Play. Accessed 9 Dec 2018.
  24. 24.
    Gibert, D.: Convolutional neural networks for malware classification. PhD thesis, MS Thesis, Dept. of Computer Science, UPC (2016)Google Scholar
  25. 25.
  26. 26.
    Chung, J., Gulcehre, C., Cho, K.H., Bengio, Y.: Empirical evaluation of gated recurrent neural networks on sequence modeling. arXiv preprint arXiv:1412.3555 (2014)
  27. 27.
    Dalvik executable format. Accessed 9 Dec 2018.
  28. 28.
    Fereidooni, H., Moonsamy, V., Conti, M., Batina, L.: Efficient classification of android malware in the wild using robust static features. Prot. Mobile Netw. Dev.: Chall. Solut. 1, 181–209 (2016)Google Scholar
  29. 29.
    A deep dive into DEX file format. Accessed 9 Dec 2018.
  30. 30.
    Krizhevsky, A., Sutskever, I., Hinton, G.E.: Imagenet classification with deep convolutional neural networks. In: Advances in Neural Information Processing Systems, pp. 1097–1105 (2012)Google Scholar
  31. 31.
    Desnos, A. et al.: Androguard: reverse engineering, malware and goodware analysis of android applications., p. 153 (2013)
  32. 32.
    RevealDroid Java repository. Accessed 9 Dec 2018.
  33. 33.
    Abadi, M., Barham, P., Chen, J., Chen, Z., Davis, A., Dean, J., Devin, M., Ghemawat, S., Irving, G., Isard, M., et al.: Tensorflow: a system for large-scale machine learning. OSDI 16, 265–283 (2016)Google Scholar
  34. 34.
    Chollet, F. et al.: Keras: The python deep learning library. In: Astrophysics Source Code Library (2018)Google Scholar
  35. 35.
    Jiang, X., Zhou, Y.: Dissecting android malware: characterization and evolution. In: 2012 IEEE Symposium on Security and Privacy, pp. 95–109. IEEE (2012)Google Scholar
  36. 36.
    Wei, F., Li, Y., Roy, S., Ou, X., Zhou, W.: Deep ground truth analysis of current android malware. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 252–276. Springer, Berlin (2017)CrossRefGoogle Scholar
  37. 37.
    Koodous: an online analysis tools over a vast APKs repository. Accessed 9 Dec 2018.
  38. 38.
    Wang, R.: Flash in the pan? Virus Bull. (1998)Google Scholar
  39. 39.
    Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. Technical report, Wisconsin Univ-Madison Dept of Computer Sciences (2006)Google Scholar
  40. 40.
    Narouei, M., Ahmadi, M., Giacinto, G., Takabi, H., Sami, A.: DLLMiner: structural mining for malware detection. Secur. Commun. Netw. 8(18), 3311–3322 (2015)CrossRefGoogle Scholar
  41. 41.
    Hu, W., Tan, Y.: Generating adversarial malware examples for black-box attacks based on gan. arXiv preprint arXiv:1702.05983 (2017)
  42. 42.
    Peiravian, N., Zhu, X.: Machine learning for android malware detection using permission and api calls. In: Tools with Artificial Intelligence (ICTAI), 2013 IEEE 25th International Conference on, pp. 300–305. IEEE (2013)Google Scholar
  43. 43.
    Gennissen, J., Cavallaro, L., Moonsamy, V., Batina, L.: Gamut: sifting through images to detect android malware (2017)Google Scholar
  44. 44.
    Vidas, T., Christin, N.: Evading android runtime analysis via sandbox detection. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, pp. 447–458. ACM (2014)Google Scholar
  45. 45.
    Erel. Android tutorial-code obfuscation. [Online; accessed 18 July 2019]
  46. 46.
    Canfora, G., Martinelli, F., Mercaldo, F., Nardone, V., Santone, A., Visaggio, C.A.: Leila: formal tool for identifying mobile malicious behaviour. IEEE Trans. Softw. Eng. (2018)Google Scholar
  47. 47.
    Hammad, M.: Self-protection of Android systems from inter-component communication attacks. Ph.D. thesis, UC Irvine (2018)Google Scholar
  48. 48.
    Polakis, I., Diamantaris, M., Petsas, T., Maggi, F., Ioannidis, S.: Powerslave: analyzing the energy consumption of mobile antivirus software. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 165–184. Springer, Berlin (2015)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag France SAS, part of Springer Nature 2019

Authors and Affiliations

  1. 1.Department of Electrical and Computer Engineering, College of EngineeringUniversity of TehranTehranIran

Personalised recommendations