Soft Computing

, Volume 21, Issue 24, pp 7405–7415 | Cite as

MOCDroid: multi-objective evolutionary classifier for Android malware detection

  • Alejandro Martín
  • Héctor D. Menéndez
  • David CamachoEmail author
Methodologies and Application


Malware threats are growing, while at the same time, concealment strategies are being used to make them undetectable for current commercial antivirus. Android is one of the target architectures where these problems are specially alarming due to the wide extension of the platform in different everyday devices. The detection is specially relevant for Android markets in order to ensure that all the software they offer is clean. However, obfuscation has proven to be effective at evading the detection process. In this paper, we leverage third-party calls to bypass the effects of these concealment strategies, since they cannot be obfuscated. We combine clustering and multi-objective optimisation to generate a classifier based on specific behaviours defined by third-party call groups. The optimiser ensures that these groups are related to malicious or benign behaviours cleaning any non-discriminative pattern. This tool, named MOCDroid, achieves an accuracy of 95.15 % in test with 1.69 % of false positives with real apps extracted from the wild, overcoming all commercial antivirus engines from VirusTotal.


Android Malware Clustering Classification 



This work has been supported by the next research projects: EphemeCH (TIN2014-56494-C4-4-P) Spanish Ministry of Economy and Competitivity, CIBERDINE S2013/ICE-3095, both under the European Regional Development Fund FEDER and SeMaMatch EP/K032623/1.

Compliance with ethical standards

Conflict of interest

Alejandro Martín, Héctor D. Menéndez and David Camacho declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.


  1. Aafer Y, Du W, Yin H (2013) Droidapiminer: mining api-level features for robust malware detection in android. Security and privacy in communication networks. Springer, Berlin, pp 86–103CrossRefGoogle Scholar
  2. Arp D, Spreitzenbarth M, Hübner M, Gascon H, Rieck K, Siemens CERT (2014) Drebin: effective and explainable detection of android malware in your pocket. In: Proceedings of the annual symposium on network and distributed system security (NDSS)Google Scholar
  3. Aung Z, Zaw W (2013) Permission-based android malware detection. Int J Sci Technol Res 2(3):228–234Google Scholar
  4. Aycock J (2006) Computer viruses and malware, vol 22. Springer, BerlinGoogle Scholar
  5. Bello-Orgaz G, Jung JJ, Camacho D (2016) Social big data: recent achievements and new challenges. Inf Fusion 28:45–59CrossRefGoogle Scholar
  6. Bello-Orgaz G, Menéndez HD, Camacho D (2012) Adaptive k-means algorithm for overlapped graph clustering. Int J Neural Syst 22(05):1250018CrossRefGoogle Scholar
  7. Brock G, Pihur V, Datta S, Datta S (2008) clValid: an R package for cluster validation. J Stat Softw 25(1):1–22Google Scholar
  8. Collberg C, Thomborson C, Low D (1997) A taxonomy of obfuscating transformations. Technical report, Department of Computer Science, The University of Auckland, New ZealandGoogle Scholar
  9. Gorla A, Tavecchia I, Gross F, Zeller A (2014) Checking app behavior against app descriptions. In: Proceedings of the 36th international conference on software engineering. ACM, pp 1025–1035Google Scholar
  10. Idika N, Mathur AP (2007) A survey of malware detection techniques. Purdue University, pp 48Google Scholar
  11. Isohara T, Takemori K, Kubota A (2011) Kernel-based behavior analysis for android malware detection. In: Computational intelligence and security (CIS), 2011 seventh international conference on. IEEE, pp 1011–1015Google Scholar
  12. Kang B, Kang B, Kim J, Im EG (2013) Android malware classification method: Dalvik bytecode frequency analysis. In: Proceedings of the 2013 research in adaptive and convergent systems, RACS ’13. ACM, New York, pp 349–350Google Scholar
  13. Larose DT (2014) Discovering knowledge in data: an introduction to data mining. Wiley, New YorkCrossRefzbMATHGoogle Scholar
  14. Martín A, Menéndez HD, Camacho D (2016) String-based malware detection for android environments. In: Intelligent distributed computing X—proceedings of the 10th international symposium on intelligent distributed computing—IDC’2016, Paris (in press)Google Scholar
  15. Martín A, Menéndez HD, Camacho D (2016) Studying the influence of static api call for hiding malware. In: MAEB 2016 (XI Congreso Espaol de Metaheursticas, Algoritmos Evolutivos y Bioinspirados (MAEB 2016) (in press)Google Scholar
  16. Martín A, Menéndez HD, Camacho D (2016) Genetic boosting classification for malware detection. In: Evolutionary computation (CEC), 2016 IEEE congress on. IEEEGoogle Scholar
  17. Mas’ ud MZ, Sahib S, Abdollah MF, Selamat SR, Yusof R (2014) Analysis of features selection and machine learning classifier in android malware detection. In: Information science and applications (ICISA), 2014 international conference on. IEEE, pp 1–5Google Scholar
  18. Menendez HD, Barrero DF, Camacho D (2014) A genetic graph-based approach for partitional clustering. Int J Neural Syst 24(03):1430008CrossRefGoogle Scholar
  19. Meyer D, Hornik K, Feinerer I (2008) Text mining infrastructure in R. J Stat Soft 25(5):1–54Google Scholar
  20. Moser A, Kruegel C, Kirda E (2007) Limits of static analysis for malware detection. In: Computer security applications conference, 2007. ACSAC 2007. Twenty-third annual. IEEE, pp 421–430Google Scholar
  21. Petsas T, Voyatzis G, Athanasopoulos E, Polychronakis M, Ioannidis S (2014) Rage against the virtual machine: hindering dynamic analysis of android malware. In: Proceedings of the seventh European workshop on system security. ACM, p 5Google Scholar
  22. Rastogi V, Chen Y, Jiang X (2013) Droidchameleon: evaluating android anti-malware against transformation attacks. In: Proceedings of the 8th ACM SIGSAC symposium on information, computer and communications security, ASIA CCS ’13. ACM, New York, pp 329–334Google Scholar
  23. Sahs J, Khan L (2012) A machine learning approach to android malware detection. In: Intelligence and security informatics conference (EISIC), 2012 European, pp 141–147Google Scholar
  24. Shabtai A, Kanonov U, Elovici Y, Glezer C, Weiss Y (2012) Andromaly: a behavioral malware detection framework for android devices. J Intell Inf Syst 38(1):161–190CrossRefGoogle Scholar
  25. Sharma M, Chawla M, Gajrani J (2016) A survey of android malware detection strategy and techniques. In: Proceedings of international conference on ICT for sustainable development. Springer, Berlin, pp 39–51Google Scholar
  26. Sikorski M, Honig A (2012) Practical malware analysis: the hands-on guide to dissecting malicious software. No starch press, San FranciscoGoogle Scholar
  27. Suarez-Tangil G, Tapiador JE, Lombardi F, Di Pietro R (2016) ALTERDROID: differential fault analysis of obfuscated smartphone malware. IEEE Trans Mob Comput 15(4):789–802Google Scholar
  28. Tam K, Khan SJ, Fattori A, Cavallaro L (2015) Copperdroid: automatic reconstruction of android malware behaviors. In: Proceedings of the symposium on network and distributed system security (NDSS)Google Scholar
  29. You I, Yim K (2010) Malware obfuscation techniques: a brief survey. In: 2010 International conference on broadband, wireless computing, communication and applications. IEEE, pp 297–300Google Scholar
  30. Zhang M, Duan Y, Yin H, Zhao Z (2014) Semantics-aware android malware classification using weighted contextual api dependency graphs. In: Proceedings of the 2014 ACM SIGSAC conference on computer and communications security. ACM, pp 1105–1116Google Scholar
  31. Zhou Y, Jiang X (2012) Dissecting android malware: characterization and evolution. In: 2012 IEEE symposium on security and privacy, pp 95–109Google Scholar
  32. Zhou Y, Wang Z, Zhou W, Jiang X (2012) Hey, you, get off of my market: detecting malicious apps in official and alternative android markets. In: NDSSGoogle Scholar
  33. Zitzler E, Laumanns M, Thiele L (2001) SPEA2: improving the strength Pareto evolutionary algorithm. In: Eurogen, vol 3242, no 103, pp 95–100Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  1. 1.Universidad Autónoma of MadridMadridSpain
  2. 2.University College LondonLondonUK

Personalised recommendations