The domination of the Android operating system in the market share of smart terminals has engendered increasing threats of malicious applications (apps). Research on Android malware detection has received considerable attention in academia and the industry. In particular, studies on malware families have been beneficial to malware detection and behavior analysis. However, identifying the characteristics of malware families and the features that can describe a particular family have been less frequently discussed in existing work. In this paper, we are motivated to explore the key features that can classify and describe the behaviors of Android malware families to enable fingerprinting the malware families with these features. We present a framework for signature-based key feature construction. In addition, we propose a frequency-based feature elimination algorithm to select the key features. Finally, we construct the fingerprints of ten malware families, including twenty key features in three categories. Results of extensive experiments using Support Vector Machine demonstrate that the malware family classification achieves an accuracy of 92% to 99%. The typical behaviors of malware families are analyzed based on the selected key features. The results demonstrate the feasibility and effectiveness of the presented algorithm and fingerprinting method.
This is a preview of subscription content,to check access.
Access this article
Wang W, Zhang X L, Gombault S. Constructing attribute weights from computer audit data for effective intrusion detection. Journal of Systems and Software, 2009, 82(12): 1974–1981
Guan X H, Wang W, Zhang X L. Fast intrusion detection based on a non-negative matrix factorization model. Journal of Network and Computer Applications, 2009, 32(1): 31–44
Wang W, Guan X H, Zhang X L, Yang L. Profiling program behavior for anomaly intrusion detection based on the transition and frequency property of computer audit data. Computers & Security, 2006, 25(7): 539–550
Wang W, Guan X, Zhang X L. Processing of massive audit data streams for real-time anomaly intrusion detection. Computer Communications, 2008, 31(1): 58–72
Wang W, Liu J Q, Pitsilis G, Zhang X L. Abstracting massive data for lightweight intrusion detection in computer networks. Information Sciences, doi:10.1016/j.ins.2016.10.023, 26
Zhang X L, T Lee, Pitsilis G. Securing recommender systems against shilling attacks using social-based clustering. Journal of Computer Science and Technology, 2013, 28(4): 616–624
Wang W, Guyet T, Quiniou R, Cordier M O, Masseglia F, Zhang X L. Autonomic intrusion detection: adaptively detecting anomalies over unlabeled audit data streams in computer networks. Knowledge-Based Systems, 2014, 70: 103–117
Wang W, Battiti R. Identifying intrusions in computer networks with principal component analysis. In: Proceedings of the 1st International Conference on Availability, Reliability and Security. 2006, 1–8
Zhang X L, Furtlehner C, Germain-Renaud C, Sebag M. Data stream clustering with affinity propagation. IEEE Transactions on Knowledge and Data Engineering, 2014, 26(7): 1644–1656
Li J, Li J W, Chen X F, Lou W. Identity-based encryption with outsourced revocation in cloud computing. IEEE Transactions on Computers, 2015, 64(2): 425–437
Li J, Li Y K, Chen X F, Lee P, Lou W. A hybrid cloud approach for secure authorized deduplication. IEEE Transactions on Parallel & Distributed Systems, 2015, 26(5): 1206–1216
Zhou Y, Jiang X. Detecting Android malware: characterization and evolution. In: Proceedings of IEEE Symposium on Security and Privacy. 2012, 95–109
Enck W, Ongtang M, McDaniel P. On lightweight mobile phone application certification. In: Proceedings of the 16th ACM Conference on Computer and Communications Security. 2009, 235–245
Chan P F, Hui L K, Yiu S M. Droidchecker: analyzing Android applications for capability leak. In: Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks. 2012, 125–136
Lu L, Li Z, Wu Z, Lee W, Jiang G. Chex: statically vetting Android apps for component hijacking vulnerabilities. In: Proceedings of ACM Conference on Computer and Communications Security. 2012, 229–240
Felt A P, Chin E, Hanna S, Song D, Wagner D. Android permissions demystified. In: Proceedings of the ACM Conference on Computer and Communications Security. 2011, 627–638
Dietz M, Shekhar S, Pisetsky Y, Shu A, Wallach D S. Quire: lightweight provenance for smart phone operating systems. In: Proceedings of the 20th USENIX Conference of Security. 2011, 23–24
Huang J J, Zhang X Y, Tan L, Wang P, Liang B. AsDroid: detecting stealthy behaviors in Android applications by user interface and program behaviors contradiction. In: Proceedings of the 36th International Conference on Software Engineering. 2014, 1036–1046
WangW, Wang X, Feng D, Liu J. Exploring permission-induced risk in Android applications for malicious application detection. IEEE Transactions on Information Forensics and Security. 2014, 9(11): 1869–1882
Liu X, Liu J, Wang W, He Y, Zhang X. Discovering and understanding Android sensor usage behaviors with data flow analysis. World Wide Web, 2018, 21(1): 105–126
Liu X, Zhu S, Wang W, Liu J. Alde: privacy risk analysis of analytics libraries in the Android ecosystem. In: Proceedings of the 12th EAI International Conference on Security and Privacy in Communication Networks. 2016, 10–12
Wang W, Li Y, Wang X, Liu J Q, Zhang X L. Detecting Android malicious apps and categorizing benign apps with ensemble of classifiers. Future Generation Computer Systems, 2018, 78: 987–994
Barrera D, Oorschot P, Somayaji A. A methodology for empirical analysis of permission-based security models and its application to Android. In: Proceedings of ACM Conference on Computer and Communications Security. 2010, 73–84
Shabtai A, Kanonov U, Elovici Y, Glezer C, Weiss Y. “Andromaly”: a behavioral malware detection framework for Android devices. Journal of Intelligent Information Systems, 2012, 38(1): 161–190
Munoz A, Martin I, Guzman A, Hernandez J. Android malware detection from Google Play meta-data: selection of important features. In: Proceedings of IEEE Conference on Communications & Network Security. 2015, 701–702
Qing S H. Research progress on Android security. Journal of Software, 2016, 27(1): 45–71
Jang JW, Yun J, Mohaisen A, Woo J, Kim H K. Detecting and classifying method based on similarity matching of Android malware behavior with profile. Spingerplus, 2016, 5(1): 1–23
Chen J, Alalfi M H, Dean T R, Zou Y. Detecting Android malware using clone detection. Journal of Computer Science and Technology, 2015, 30(5): 942–956
Dunham K, Hartman S, Morales J A, Quintans M, Strazzere T. Android Malware and Analysis. Boca Raion, Florida: CRC Press, 2014
Liu H, Yu L. Toward integrating feature selection algorithms for classification and clustering. IEEE Transactions on Knowledge and Data Engineering, 2005, 17(4): 491–502
Cheng Z D, Zhang Y J, Fan X, Zhu B. Study on discriminant matrices of commonly-used fisher discriminant functions. Acta Automatica Sinica, 2010, 36(10): 1361–1370
Yang J, Ye H. Theory of fisher discriminant analysis and its application. Acta Automatica Sinica, 2003, 29(4): 481–493
This work was supported in part by the Scientific Research Foundation through the Returned Overseas Chinese Scholars, Ministry of Education of China (K14C300020), in part by Shanghai Key Laboratory of Integrated Administration Technologies for Information Security (AGK2015002), in part by ZTE Corporation Foundation, and in part by the National Natural Science Foundation of China (Grant No. 61672092).
Nannan Xie is currently a postdoctoral researcher in the Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, China. She received her PhD degree in computer science and technology from Jilin University, China in 2015. She has published about 20 scientific papers in various journals and international conferences. Her main research interests include network intrusion detection and mobile security.
Xing Wang is currently a PhD student in the Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, China. He received his BS degree from Beijing Jiaotong University, China in 2009. He visited King Abudullah University of Science and Technology (KAUST), Saudi Arabia from January to April 2014. His main research interests include mobile security and data processing.
Wei Wang is currently an associate professor in the Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, China. He earned his PhD degree in control science and engineering from Xi’an Jiaotong University, China in 2006. He was a postdoctoral researcher in University of Trento, Italy from 2005 to 2006. He was a postdoctoral researcher in TELECOM Bretagne and in INRIA, France from 2007 to 2008. He visited INRIA, ETH, NTNU, CNR, and New York University Polytechnic. He has authored or co-authored over 50 peer-reviewed papers in various journals and international conferences. His main research interests include mobile, computer and network security.
Jiqiang Liu received his BS (1994) and PhD (1999) degrees both from Beijing Normal University, China. He is currently a professor at the Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, China. He has published over 100 scientific papers in various journals and international conferences. His main research interests are trusted computing, cryptographic protocols, privacy preserving and network security.
Electronic supplementary material
About this article
Cite this article
Xie, N., Wang, X., Wang, W. et al. Fingerprinting Android malware families. Front. Comput. Sci. 13, 637–646 (2019). https://doi.org/10.1007/s11704-017-6493-y