Skip to main content

SherlockDroid: a research assistant to spot unknown malware in Android marketplaces


With over 1,400,000 Android applications in Google Play alone, and dozens of different marketplaces, Android malware unfortunately have no difficulty to sneak in and silently spread. Known malware and their variants are nowadays quite well detected by anti-virus scanners. Nevertheless, the fundamentally new and unknown malware remain an issue. To assist research teams in the discovery of such new malware, we built an infrastructure, named SherlockDroid, whose goal is to filter out the mass of applications and only keep those which are the most likely to be malicious for future inspection by Anti-virus teams. SherlockDroid consists of marketplace crawlers, code-level property extractors and a classification tool named Alligator which decides whether the sample looks malicious or not, based on some prior learning. In our tests, we extracted properties and classified over 480K applications. During two crawling campaigns in July 2014 and October 2014, SherlockDroid crawled over 120K applications with the detection of one new malware, Android/Odpa.A!tr.spy, and two new riskware. With previous findings, this increases SherlockDroid and Alligator’s “Hall of Shame” to 8 malware and potentially unwanted applications.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3


  1. Mechanical Turk is a web service where registered users get paid to carry out simple tasks.

  2. Respectively,, and

  3. Note this is purely a customizable implementation choice. We might change it in the future if we notice malware commonly bypass those permissions.

  4. We compared with jlibsvm [37]


  1. Harley, D., Lee, A.: Heuristic analysis—detecting unknown viruses. (2007)

  2. Cohen, F.: Computer viruses—theory and experiments. Comput. Secur. 6, 22–35 (1987)

    Article  Google Scholar 

  3. Mills, E.: Users upset after CA anti-virus detects Windows system file as virus (2009).

  4. Popa, B.: AVG anti-virus breaks down Windows XP due to false positive. (2013)

  5. Seltzer, L.: Lessons of the McAfee false positive Fiasco. (2010)

  6. Burguera, I., Zurutuza, U., Nadjm-Tehrani, S.: Crowdroid: behavior-based malware detection system for android. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices. SPSM ’11, pp. 15–26. ACM, New York, NY, USA (2011)

  7. Dini, G., Martinelli, F., Saracino, A., Sgandurra, D.: Madam: a multi-level anomaly detector for android malware. Computer Network Security. In: 6th International Conference on Mathematical Methods. Models and Architectures for Computer Network Security, MMM-ACNS, Lecture Notes in Computer Science, vol. 7531, pp. 240–253. Springer, St. Petersburg, Russia (2012)

  8. Xie, L., Zhang, X., Seifert, J.P., Zhu, S.: pBMDS: a behavior-based malware detection system for cellphone devices. In: Proceedings of the third ACM conference on Wireless network security. WiSec ’10, pp. 37–48. ACM, New York, NY, USA (2010)

  9. Lindorder, M., et al.: Andrubis—1,000,000 apps later: a view on current android malware behaviors. In: Proceedings of the the 3rd International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS) (2014)

  10. Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, OSDI’10, pp. 1–6. USENIX Association, Berkeley, CA, USA (2010). URL

  11. Lindorfer, M.e.a.: AndRadar: fast discovery of android applications in alternative markets. In: Proceedings of the 11th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) (2014)

  12. Viennot, N., Garcia, E., Nieh, J.: A measurement study of google play. In: The 2014 ACM International Conference on Measurement and Modeling of Computer Systems, SIGMETRICS ’14, pp. 221–233. ACM, New York, NY, USA (2014)

  13. Aung, Z., Zaw, W.: Permission-based android malware detection. Int. J. Sci. Technol. Res. 2 (2013)

  14. Yan, L.K., Yin, H.: Droidscope: seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis. In: USENIX Security Symposium, pp. 569–584 (2012)

  15. Bläsing, T., Schmidt, A.D., Batyuk, L., Camtepe, S.A., Albayrak, S.: An Android application Sandbox System for suspicious software detection. In: 5th International Conference on Malicious and Unwanted Software (MALWARE’2010). Nancy, France (2010)

  16. Shabtai, A., Kanonov, U., Elovici, Y., Glezer, C., Weiss, Y.: “Andromaly”: a behavioral malware detection framework for android devices. J. Intell. Inf. Syst. 38(1), 161–190 (2012). doi:10.1007/s10844-010-0148-x

    Article  Google Scholar 

  17. Arp, D., Spreitzenbarth, M., Habner, M., Gascon, H., Rieck, K.: Drebin: efficient and explainable detection of Android malware in your pocket. In: Proceedings of the 17th Network and Distributed System Security Symposium (NDSS) (2014)

  18. Rastogi, V., Chen, Y., Enck, W.: Appsplayground: automatic security analysis of smartphone applications. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy. CODASPY ’13, pp. 209–220. ACM, New York, NY, USA (2013)

  19. Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, you, get off of my market: detecting malicious apps in official and alternative android markets. In: Proceedings of the 19th Network and Distributed System Security Symposium (NDSS 2012). San Diego, CA, USA (2012)

  20. Reina, A., Fattori, A., Cavallaro, L.: A system call-centric analysis and stimulation technique to automatically reconstruct android malware behaviors. In: Proceedings of the 6th European Workshop on System Security (EUROSEC 2013). Prague, Czech Republic (2013)

  21. Apvrille, A., Strazzere, T.: Reducing the window of opportunity for Android malware. Gotta catch’em all. J. Comput. Virol. 8, 61–71 (2012)

  22. Demiroz, A.: Google play crawler java api.

  23. INTERPOL, Kaspersky Lab: 60 % of android attacks use financial malware.

  24. Chakradeo, S., Reaves, B., Traynor, P., Enck, W.: MAST: triage for market-scale mobile malware analysis. In: Proceedings of 6th WiSec (2013)

  25. Sanz, B., Santos, I., Laorden, C., Ugarte-Pedrero, X., Bringas, P.G., Maranon, G.A.: Puma: Permission usage to detect malware in android. In: A. Herrero, V., Snasel, A., Abraham, I., Zelinka, B., Baruque, H., Quintian-Pardo, J.L., Calvo-Rolle, J., Sedano, E., Corchado (eds.) CISIS/ICEUTE/SOCO Special Sessions, Advances in Intelligent Systems and Computing, vol. 189, pp. 289–298. Springer. URL (2012)

  26. Zhao, M., Zhang, T., Ge, F., Yuan, Z.: Robotdroid: a lightweight malware detection framework on smartphones. J. Netw. 7(4) (2012). URL

  27. Schulz, Patrick.: Dalvik Bytecode Obfuscation on Android (2012).

  28. Lindorfer, M., Kolbitsch, C., Milani Comparetti, P.: Detecting environment-sensitive malware. In: Proceedings of the 14th International Conference on Recent Advances in Intrusion Detection, RAID’11, pp. 338–357. Springer-Verlag, Berlin, Heidelberg (2011). doi:10.1007/978-3-642-23644-0_18

  29. Book, T., Pridgen, A., Wallach, D.S.: Longitudinal analysis of android ad library permissions. CoRR abs/1303.0857 (2013)

  30. de Pontevès, K., Apvrille, A.: Analysis of android in-app advertisement kits. In: The 23rd Virus Bulletin International Conference, pp. 157–162 (2013)

  31. Fortiguard Center: Android/RuSMS.AO (2013). Fortiguard Encyclopedia,

  32. Apvrille, L.: Alligator: anaLyzing malware wIth partitioning and probability-based algorithms. (2014)

  33. Apvrille, L., Apvrille, A.: Pre-filtering mobile malware with Heuristic techniques. In: GreHack, pp. 43–59. Grenoble, France (2013)

  34. Chang, C.C., Lin, C.J.: LIBSVM: a library for support vector machines. ACM Trans. Intell. Syst. Technol. 2, 27:1–27:27 (2011). Software available at

  35. Schapire, R.E., Singer, Y.: Improved boosting algorithms using confidence-rated predictions. In: Machine learning, pp. 80–91 (1999)

  36. Kose, N., Apvrille, L., Dugelay, J.L.: Facial makeup detection technique based on texture and shape analysis. In: 11th IEEE International Conference on Automatic Face and Gesture Recognition (FG 2015) (2015)

  37. Soergel, D.: Efficient training of support vector machines in java. (2014)

Download references


We wish to thank Ruchna Nigam, for her help on SherlockDroid.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Axelle Apvrille.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Apvrille, A., Apvrille, L. SherlockDroid: a research assistant to spot unknown malware in Android marketplaces. J Comput Virol Hack Tech 11, 235–245 (2015).

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI:


  • Android
  • Malware
  • Classification
  • Static analysis
  • Security