Skip to main content

“Andromaly”: a behavioral malware detection framework for android devices


This article presents Andromaly—a framework for detecting malware on Android mobile devices. The proposed framework realizes a Host-based Malware Detection System that continuously monitors various features and events obtained from the mobile device and then applies Machine Learning anomaly detectors to classify the collected data as normal (benign) or abnormal (malicious). Since no malicious applications are yet available for Android, we developed four malicious applications, and evaluated Andromaly’s ability to detect new malware based on samples of known malware. We evaluated several combinations of anomaly detection algorithms, feature selection method and the number of top features in order to find the combination that yields the best performance in detecting new malware on Android. Empirical results suggest that the proposed framework is effective in detecting malware on mobile devices in general and on Android in particular.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7



  2. Also known as Detection Rate in the intrusion detection community.

  3. Also known as False Alarm Rate in the intrusion detection community.

  4. Android uses a proprietary format for Java bytecode called.dex (Dalvik Executable), designed to be more compact and memory-efficient than regular Java class files.




  • Adam, P. F., Chaudhuri, A., & Foster, J. S. (2009). SCanDroid: Automated security certification of android applications. In IEEE symposium of security and privacy.

  • Bose, A., Hu, X., Shin, K. G., & Park, T. (2008). Behavioral detection of malware on mobile handsets. In Proc. of the 6th international conference on mobile systems, applications, and services.

  • Botha, R. A., Furnell, S. M., & Clarke, N. L. (2009). From desktop to mobile: Examining the security experience. Computer & Security, 28, 130–137.

    Article  Google Scholar 

  • Buennemeyer, T. K., et al. (2008). Mobile device profiling and intrusion detection using smart batteries. In International conference on system sciences (pp. 296–296).

  • Chandola, V., Banerjee, A., & Kumar, V. (2009). Anomaly detection: A survey. ACM Computing Surveys, 41(3), 1–58.

    Article  Google Scholar 

  • Chaudhuri, A. (2009). Language-based security on android. In ACM workshop on programming languages and analysis for security (PLAS) (pp. 1–7).

  • Cheng, J., Wong, S. H., Yang, H., & Lu, S. (2007). SmartSiren: Virus detection and alert for smartphones. In Proceedings of the 5th international conference on mobile systems, applications and services.

  • Dagon, C., Martin, T., & Starner, T. (2004). Mobile phones as computing devices the viruses are coming. Pervasive Computing, 3, 11–15.

    Article  Google Scholar 

  • Domingos, P., & Pazzani, M. (1997). On the optimality of simple Bayesian classifier under zero-one loss. Machine Learning, 29, 103–130.

    Article  MATH  Google Scholar 

  • Egele, M., Krugel, C., Kirda, E., Yin, H., & Song, D. (2007). Dynamic spyware analysis. In USENIX annual technical conference (pp. 233–246).

  • Emm, D. (2006). Mobile malware – new avenues. Network Security, 2006(11), 4–6.

    Article  Google Scholar 

  • Enck, W., Ongtang, M., & McDaniel, P. (2008). Mitigating android software misuse before it happens. Tech. report NAS-TR-0094–2008, Network and Security Research Ctr., Dept. Computer Science and Eng., Pennsylvania State Univ.

  • Enck, W., Ongtang, M., & McDaniel, P. (2009). Understanding android security. IEEE Security & Privacy Magazine, 7(1), 50–57.

    Article  Google Scholar 

  • Endler, D. (1998). Intrusion detection: Applying machine learning to solaris audit data. In Proceedings of the 14th annual computer security applications conference.

  • Garcia-Teodoro, P., Diaz-Verdejo, J., Macia-Fernandez, G., & Vazquez, E. (2009). Anomaly-based network intrusion detection: Techniques, systems and challenges. Computers & Security, 28(1–2), 18–28.

    Article  Google Scholar 

  • Golub, T., et al. (1999). Molecular classification of cancer: Class discovery and class prediction by gene expression monitoring. Science, 286, 531–537.

    Article  Google Scholar 

  • Griffin, K., Schneider, S., Hu, X., & Chiueh, T. (2009). Automatic generation of string signatures for malware detection. In Proc. of the 12th international symposium on recent advances in intrusion detection.

  • Gryaznov, D. (1999). Scanners of the year 2000: Heuritics. The 5th international virus bulletin.

  • Guo, C., Wang, H. J., & Zhu, W. (2004). Smart-phone attacks and defenses. In HotNets III.

  • Hwang, S. S., Cho, S., & Park, S. (2009). Keystroke dynamics-based authentication for mobile devices. Computer & Security, 28, 85–93.

    Article  Google Scholar 

  • Imam, I. F., Michalski, R. S., & Kerschberg, L. (1993). Discovering attribute dependence in databases by integrating symbolic learning and statistical analysis techniques. In Proceeding of the AAAI-93 workshop on knowledge discovery in databases.

  • Jacob, G., Debar, H., & Filiol, E. (2008). Behavioral detection of malware: From a survey towards an established taxonomy. Journal in Computer Virology, 4, 251–266.

    Article  Google Scholar 

  • Jacoby, G. A., & Davis, N. J. (2004). Battery-based intrusion detection. In Global telecommunications conference (GLOBECOM’04).

  • Jain, A. K., Murty, M. N., & Flynn, P. J. (1999). Data clustering. ACM Computing Surveys, 31(3):264–296.

    Article  Google Scholar 

  • John, G. H., & Langley, P. (1995). Estimating continuous distributions in bayesian classifiers. In Proc. of the conference on uncertainty in artificial intelligence (pp. 338–345).

  • Kim, H., Smith, J., & Shin, K. G. (2008). Detecting energy-greedy anomalies and mobile malware variants. In Proceeding of the 6th international conference on mobile systems, applications, and services.

  • Koong, K. S., Liu, L. C., Bai, S., & Lin, B. (2008). Identity theft in the USA: Evidence from 2002 to 2006. International Journal of Mobile Communications, 6(2), 199–216.

    Article  Google Scholar 

  • Leavitt, N. (2005). Mobile phones: The next frontier for hackers? Computer, 38(4), 20–23.

    Article  Google Scholar 

  • Lee, W., & Xiang, D. (2001). Information-theoretic measures for anomaly detection. In Proc. of the IEEE symposium on security and privacy (pp. 130–143).

  • Lee, W., Stolfo, S., & Mok, K. (1999). A data mining framework for building intrusion detection models. In Proc. of the 1999 IEEE symposium on security and privacy. Oakland.

  • Lee, W., Fan, W., Miller, M., Stolfo, S., & Zadok, E. (2002). Toward cost-sensitive modeling for intrusion detection and response. Journal of Computer Security, 10(1–2), 5–22.

    Google Scholar 

  • Menahem, E., Shabtai, A., Rokach, L., & Elovici, Y. (2008). Improving malware detection by applying multi-inducer ensemble. Computational Statistics and Data Analysis, 53(4), 1483–1494.

    Article  MathSciNet  Google Scholar 

  • Miettinen, M., Halonen, P., & Hätönen, K. (2006). Host-based intrusion detection for advanced mobile devices. In Proc. of the 20th international conference on advanced information networking and applications.

  • Mitchell, T. (1997). Machine learning. New York: McGraw-Hill.

    MATH  Google Scholar 

  • Moreau, Y., Preneel, B., Burge, P., Shawe-Taylor, J., Stoermann, C., & Cooke, C. (1997). Novel techniques for fraud detection in mobile telecommunication networks. In ACTS mobile summit.

  • Moser, A., Kruegel, C., & Kirda, E. (2007). Limits of static analysis for malware detection. In Annual computer security applications conference (pp. 421–430).

  • Moskovitch, R., Elovici, Y., & Rokach, L. (2008). Detection of unknown computer worms based on behavioral classification of the host. Computational Statistics and Data Analysis, 52(9), 4544–4566.

    Article  MATH  MathSciNet  Google Scholar 

  • Muthukumaran, D., et al. (2008). Measuring integrity on mobile phone systems. In Proceedings of the 13th ACM symposium on access control models and technologies.

  • Nash, D. C., et al. (2005). Towards an intrusion detection system for battery exhaustion attacks on mobile computing devices. In Pervasive computing and communications workshops.

  • Neter, J., Kutner, M. H., Nachtsheim, C. J., & Wasserman, W. (1996). Applied linear statistical models. McGraw-Hill.

  • Ongtang, M., McLaughlin, S., Enck, W., & McDaniel, P. (2009). Semantically rich application-centric security in android. In Proceedings of the 25th annual computer security applications conference (ACSAC). Honolulu.

  • Pearl, J. (1988). Probabilistic reasoning in intelligent systems: Networks of plausible inference. Massachusetts: Morgan Kaufmann.

    Google Scholar 

  • Piercy, M. (2004). Embedded devices next on the virus target list. IEEE Electronics Systems and Software, 2, 42–43.

    Article  Google Scholar 

  • Quinlan, J. R. (1993). C4.5: Programs for machine learning. San Francisco: Morgan Kaufmann.

    Google Scholar 

  • Rieck, K., Holz, T., Willems, C., Düssel, P., & Laskov, P. (2008). Learning and classification of malware behavior. In Proc. of the conference on detection of intrusions and malware & vulnerability assessment (pp. 108–125).

  • Russel, S., & Norvig, P. (2002). Artificial intelligence: A modern approach. Prentice Hall.

  • Samfat, D., & Molva, R. (1997). IDAMN: An intrusion detection architecture for mobile networks. IEEE Journal on Selected Areas in Communications, 15(7), 1373–1380.

    Article  Google Scholar 

  • Schmidt, A. D., Schmidt, H. G., Yüksel, K. A., Kiraz, O., Camptepe, S. A., & Albayrak, S. (2008). Enhancing security of linux-based android devices. In Proc. of the 15th international linux system technology conference.

  • Schmidt, A. D., Peters, F., Lamour, F., Scheel, C., Camtepe, S. A., & Albayrak, S. (2009). Monitoring smartphones for anomaly detection. Mobile Networks and Applications (MONET ), 14(1), 92–106.

    Article  Google Scholar 

  • Shabtai, A., Fledel, Y., & Elovici, Y. (2009a). Detecting malicious applications on android by applying machine learning classifiers to static features (Poster). Presented in the 25th annual computer security applications conference (ACSAC). Honolulu, Hawaii.

  • Shabtai, A., Fledel, Y., Elovici, Y., & Shahar, Y. (2009b). Knowledge-based temporal abstraction in clinical domains. Journal in Computer Virology, 8(3), 267–298.

    Google Scholar 

  • Shabtai, A., Moskovitch, R., Elovici, Y., & Glezer, C. (2009c). Detection of malicious code by applying machine learning classifiers on static features: A state-of-the-art survey. Information Security Technical Report, 14(1):1–34.

    Article  Google Scholar 

  • Shabtai, A., Fledel, Y., Kanonov, U., Elovici, Y., & Dolev, S. (2009d). Google android: A state-of-the-art review of security mechanisms. CoRR abs/0912.5101.

  • Shabtai, A., Kanonov, U., & Elovici, Y. (2010a). Intrusion detection on mobile devices using the knowledge based temporal-abstraction method. Journal of Systems and Software, 83(8), 1524–1537.

    Article  Google Scholar 

  • Shabtai, A., Fledel, Y., Kanonov, U., Elovici, Y., Dolev, S., & Glezer, C. (2010b) Google android: A comprehensive security assessment. IEEE Security and Privacy Magazine. doi:10.1109/MSP.2010.2.

  • Shannon, C. E. (1948). The mathematical theory of communication. The Bell system Technical Journal, 27(3), 379–423.

    MATH  MathSciNet  Google Scholar 

  • Shih, D. H., Lin, B., Chiang, H. S., & Shih, M. H. (2008). Security aspects of mobile phone virus: A critical survey. Industrial Management & Data Systems, 108(4), 478–494.

    Article  Google Scholar 

  • Yap, T. S., & Ewe, H. T. (2005). A mobile phone malicious software detection model with behavior checker. Lecture Notes in Computer Science, 3597, 57–65.

    Article  Google Scholar 

  • Yin, H., Song, D., Egele, M., Krugel, C., & Kirda, E. (2007). Panorama: Capturing system-wide information flow for malware detection and analysis. In ACM conference on computer and communications security.

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Asaf Shabtai.



Table 7 List of used applications
Table 8 List of collected features

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Shabtai, A., Kanonov, U., Elovici, Y. et al. “Andromaly”: a behavioral malware detection framework for android devices. J Intell Inf Syst 38, 161–190 (2012).

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI:


  • Mobile devices
  • Machine learning
  • Malware
  • Security
  • Android