Fingerprinting Android malware families

Abstract

The dominance of the Android operating system in the market for smart mobile devices has brought with it a growing number of malicious applications (apps). Android malware detection has received considerable attention in both academia and industry, and studies of malware families in particular have proved useful for detection and behavior analysis. However, which characteristics identify a malware family, and which features can describe a particular family, have been discussed less often in existing work. In this paper we explore the key features that can both classify Android malware families and describe their behaviors, so that a family can be fingerprinted with those features. We present a framework for signature-based key feature construction and propose a frequency-based feature elimination algorithm to select the key features. Using them, we construct fingerprints for ten malware families from twenty key features in three categories. Extensive experiments with a Support Vector Machine show that malware family classification achieves an accuracy of 92% to 99%. We analyze the typical behaviors of the malware families on the basis of the selected key features. The results demonstrate the feasibility and effectiveness of the proposed algorithm and fingerprinting method.
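To make the pipeline sketched in the abstract concrete, the following Python is an added example written for this page; it is not the authors' code, and its selection rule is one assumed way of doing frequency-based feature elimination, not the paper's algorithm. The sample set is constructed: three hypothetical families ("FamilyA", "FamilyB", "FamilyC") and feature names carrying assumed `perm:`/`api:`/`intent:` prefixes that stand in for the paper's three (unnamed here) feature categories. Classification is done by fingerprint match rather than the SVM the paper used, so that the block runs with no dependencies; `feature_vector` shows the reduced representation an SVM would be trained on.

```python
"""Frequency-based key-feature selection and family fingerprinting.

Illustrative example added for this page; it is not the authors' code, and the
selection rule is an assumption about how frequency-based elimination can be
done, not the paper's algorithm.
"""

# Constructed sample set: (family label, set of static features extracted from
# the app). Family labels are hypothetical; the perm:/api:/intent: prefixes are an
# assumed stand-in for the paper's three feature categories.
SAMPLES = [
    ("FamilyA", {"perm:INTERNET", "perm:ACCESS_NETWORK_STATE", "perm:SEND_SMS",
                 "perm:READ_PHONE_STATE", "api:SmsManager.sendTextMessage", "intent:BOOT_COMPLETED"}),
    ("FamilyA", {"perm:INTERNET", "perm:SEND_SMS", "perm:READ_PHONE_STATE",
                 "api:SmsManager.sendTextMessage", "intent:BOOT_COMPLETED", "intent:SMS_RECEIVED"}),
    ("FamilyA", {"perm:INTERNET", "perm:ACCESS_NETWORK_STATE", "perm:SEND_SMS",
                 "api:SmsManager.sendTextMessage", "intent:BOOT_COMPLETED"}),
    ("FamilyA", {"perm:INTERNET", "perm:SEND_SMS", "perm:READ_PHONE_STATE",
                 "api:SmsManager.sendTextMessage", "intent:SMS_RECEIVED", "api:TelephonyManager.getDeviceId"}),
    ("FamilyB", {"perm:INTERNET", "perm:ACCESS_NETWORK_STATE", "perm:READ_PHONE_STATE",
                 "api:Runtime.exec", "api:DexClassLoader.<init>", "perm:INSTALL_PACKAGES"}),
    ("FamilyB", {"perm:INTERNET", "perm:READ_PHONE_STATE", "api:Runtime.exec",
                 "api:DexClassLoader.<init>", "intent:BOOT_COMPLETED"}),
    ("FamilyB", {"perm:INTERNET", "perm:ACCESS_NETWORK_STATE", "api:Runtime.exec",
                 "api:DexClassLoader.<init>", "perm:INSTALL_PACKAGES"}),
    ("FamilyB", {"perm:INTERNET", "perm:READ_PHONE_STATE", "api:Runtime.exec",
                 "perm:INSTALL_PACKAGES", "api:HttpURLConnection.connect"}),
    ("FamilyC", {"perm:INTERNET", "perm:ACCESS_NETWORK_STATE", "perm:READ_CONTACTS",
                 "perm:ACCESS_FINE_LOCATION", "api:TelephonyManager.getDeviceId", "api:HttpURLConnection.connect"}),
    ("FamilyC", {"perm:INTERNET", "perm:READ_CONTACTS", "perm:ACCESS_FINE_LOCATION",
                 "api:TelephonyManager.getDeviceId", "api:HttpURLConnection.connect", "perm:READ_PHONE_STATE"}),
    ("FamilyC", {"perm:INTERNET", "perm:ACCESS_NETWORK_STATE", "perm:READ_CONTACTS",
                 "api:TelephonyManager.getDeviceId", "api:HttpURLConnection.connect"}),
    ("FamilyC", {"perm:INTERNET", "perm:READ_CONTACTS", "perm:ACCESS_FINE_LOCATION",
                 "api:HttpURLConnection.connect", "intent:BOOT_COMPLETED"}),
]


def build_fingerprints(samples, min_in_family=0.75, max_outside=0.3):
    """Frequency-based elimination: keep a feature for a family only if it occurs
    in at least min_in_family of that family's samples (frequent enough to
    characterise it) and in at most max_outside of all other families' samples
    (rare enough to discriminate). Features such as INTERNET, which almost every
    app requests, and READ_PHONE_STATE, shared across families here, are dropped.
    Returns {family: frozenset(key features)}, i.e. each family's fingerprint."""
    fingerprints = {}
    for family in sorted({fam for fam, _ in samples}):
        own = [feats for fam, feats in samples if fam == family]
        others = [feats for fam, feats in samples if fam != family]
        kept = set()
        for feat in set().union(*own):
            in_family = sum(feat in s for s in own) / len(own)
            outside = sum(feat in s for s in others) / len(others) if others else 0.0
            if in_family >= min_in_family and outside <= max_outside:
                kept.add(feat)
        fingerprints[family] = frozenset(kept)
    return fingerprints


def key_feature_space(fingerprints):
    """Sorted union of all families' key features: the reduced feature space."""
    return sorted(set().union(*fingerprints.values()))


def feature_vector(feats, space):
    """Binary vector of an app over the key-feature space, the form a classifier
    such as the paper's SVM would consume."""
    return [1 if f in feats else 0 for f in space]


def classify(feats, fingerprints):
    """Nearest-fingerprint classification (used here instead of an SVM to keep the
    example dependency-free): score each family by the share of its fingerprint
    present in the app and return the best match, or 'unknown' if nothing matches."""
    best, best_score = "unknown", 0.0
    for family in sorted(fingerprints):
        fp = fingerprints[family]
        score = len(feats & fp) / len(fp) if fp else 0.0
        if score > best_score:
            best, best_score = family, score
    return best


def accuracy(samples, fingerprints):
    """Fraction of labelled samples that classify() assigns to the right family."""
    return sum(classify(f, fingerprints) == fam for fam, f in samples) / len(samples)


if __name__ == "__main__":
    fps = build_fingerprints(SAMPLES)
    for fam in sorted(fps):
        print(fam, sorted(fps[fam]))
    print("resubstitution accuracy:", accuracy(SAMPLES, fps))
```

The two thresholds carry the whole design and are assumptions to tune per corpus: `min_in_family` removes features too rare to characterise a family, `max_outside` removes features so common (INTERNET, READ_PHONE_STATE) that they say nothing about which family an app belongs to. Accuracy measured on the same samples used to build the fingerprints is optimistic; hold out samples per family before quoting a number, and remember that the surviving features are static artifacts an author can pad or rename, so a fingerprint built this way should be re-derived as a family evolves.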

Acknowledgements

This work was supported in part by the Scientific Research Foundation through the Returned Overseas Chinese Scholars, Ministry of Education of China (K14C300020), in part by Shanghai Key Laboratory of Integrated Administration Technologies for Information Security (AGK2015002), in part by ZTE Corporation Foundation, and in part by the National Natural Science Foundation of China (Grant No. 61672092).

Author information

Corresponding author

Correspondence to Wei Wang.

Additional information

Nannan Xie is currently a postdoctoral researcher in the Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, China. She received her PhD degree in computer science and technology from Jilin University, China in 2015. She has published about 20 scientific papers in various journals and international conferences. Her main research interests include network intrusion detection and mobile security.

Xing Wang is currently a PhD student in the Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, China. He received his BS degree from Beijing Jiaotong University, China in 2009. He visited King Abdullah University of Science and Technology (KAUST), Saudi Arabia from January to April 2014. His main research interests include mobile security and data processing.

Wei Wang is currently an associate professor in the Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, China. He earned his PhD degree in control science and engineering from Xi’an Jiaotong University, China in 2006. He was a postdoctoral researcher at the University of Trento, Italy from 2005 to 2006, and at TELECOM Bretagne and INRIA, France from 2007 to 2008. He has visited INRIA, ETH, NTNU, CNR, and New York University Polytechnic. He has authored or co-authored over 50 peer-reviewed papers in various journals and international conferences. His main research interests include mobile, computer and network security.

Jiqiang Liu received his BS (1994) and PhD (1999) degrees both from Beijing Normal University, China. He is currently a professor at the Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong University, China. He has published over 100 scientific papers in various journals and international conferences. His main research interests are trusted computing, cryptographic protocols, privacy preserving and network security.

About this article

Cite this article

Xie, N., Wang, X., Wang, W. et al. Fingerprinting Android malware families. Front. Comput. Sci. 13, 637–646 (2019). https://doi.org/10.1007/s11704-017-6493-y

Keywords

  • Android malware
  • malware family
  • feature selection
  • behavior analysis