GranDroid: Graph-Based Detection of Malicious Network Behaviors in Android Applications

  • Zhiqiang Li
  • Jun Sun
  • Qiben Yan
  • Witawas Srisa-an
  • Shakthi Bachala
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 254)


As Android malware increasingly relies on network interfaces to perform malicious behaviors, detecting such malicious network behaviors becomes a critical challenge. Traditionally, static analysis provides soundness for Android malware detection, but it also leads to high false positives. It is also challenging to guarantee the completion of static analysis within a given time constraint, which is an important requirement for real-world security analysis. Dynamic analysis is often used to precisely detect malware within a specific time budget. However, dynamic analysis is inherently unsound as it only reports analysis results of the executed paths. In this paper, we introduce GranDroid, a graph-based hybrid malware detection system that combines dynamic analysis, incremental and partial static analysis, and machine learning to provide time-sensitive malicious network behavior detection with high accuracy. Our evaluation using 1,500 malware samples and 1,500 benign apps shows that our approach achieves 93% accuracy while spending only eight minutes to dynamically execute each app and determine its maliciousness. GranDroid can be used to provide rich and precise detection results while incurring similar analysis time as a typical malware detector based on pure dynamic analysis.



This work was supported in part by US National Science Foundation under grant CNS-1566388.


  1. 1. Accessed Dec 2017
  2. 2.
    An http client for android and java applications. Accessed Dec 2017
  3. 3. Accessed Dec 2017
  4. 4.
    Volley overview. Accessed Dec 2017
  5. 5.
    Android feiwo. Accessed Feb 2018
  6. 6.
    Afonso, V., et al.:. Going native: using a large-scale analysis of android apps to create a practical native-code sandboxing policy. In: The Network and Distributed System Security Symposium, pp. 1–15 (2016)Google Scholar
  7. 7.
    Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K., Siemens, C.: DREBIN: effective and explainable detection of android malware in your pocket. In: NDSS (2014)Google Scholar
  8. 8.
    Chen, Z., et al.: A first look at android malware traffic in first few minutes. In: Trustcom/BigDataSE/ISPA, vol. 1, pp. 206–213. IEEE (2015)Google Scholar
  9. 9.
    Choudhary, S.R., Gorla, A., Orso, A.: Automated test input generation for android: are we there yet? In: Proceedings of ASE, Lincoln, NE, pp. 429–440 (2015)Google Scholar
  10. 10.
    Enck, W., et al.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM TOCS 32(2), 5 (2014)CrossRefGoogle Scholar
  11. 11.
    Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A study of android application security. In: USENIX Security Symposium, vol. 2, p. 2 (2011)Google Scholar
  12. 12.
    Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of CCS, pp. 627–638. ACM (2011)Google Scholar
  13. 13.
    Grace, M., Zhou, Y., Zhang, Q., Zou, S., Jiang, X.: Riskranker: scalable and accurate zero-day android malware detection. In: Proceedings of MobiSys, pp. 281–294 (2012)Google Scholar
  14. 14.
    Kelly, G.: Report: 97% of mobile malware is on android. This is the easy way you stay safe. In: Forbes Tech (2014)Google Scholar
  15. 15.
    Li, Z., Sun, L., Yan, Q., Srisa-an, W., Chen, Z.: DroidClassifier: efficient adaptive mining of application-layer header for classifying android malware. In: Deng, R., Weng, J., Ren, K., Yegneswaran, V. (eds.) SecureComm 2016. LNICST, vol. 198, pp. 597–616. Springer, Cham (2017). Scholar
  16. 16.
    Messmer, E.: Black Hat demo: Google Bouncer Can Be Beaten.
  17. 17.
    Rasthofer, S., Arzt, S., Bodden, E.: A machine-learning approach for classifying and categorizing android sources and sinks. In: Proceedings of of NDSS (2014)Google Scholar
  18. 18.
    Storey, O.: More malware found on google play store. Accessed June 2017
  19. 19.
    Sun, L., Li, Z., Yan, Q., Srisa-an, W., Pan, Y.: SigPID: significant permission identification for android malware detection. In: Proceedings of MALWARE, pp. 1–8. IEEE (2016)Google Scholar
  20. 20.
    Symantec. Latest intelligence for March 2016. In: Symantec Official Blog (2016)Google Scholar
  21. 21.
    Tsutano, Y., Bachala, S., Srisa-An, W., Rothermel, G., Dinh, J.: An efficient, robust, and scalable approach for analyzing interacting android apps. In: Proceedings of ICSE, Buenos Aires, Argentina (2017)Google Scholar
  22. 22.
    Wang, S., et al.: TrafficAV: an effective and explainable detection of mobile malware behavior using network traffic. In: Proceedings of IWQoS, pp. 1–6. IEEE (2016)Google Scholar
  23. 23.
    Wang, W., Wang, X., Feng, D., Liu, J., Han, Z., Zhang, X.: Exploring permission-induced risk in android applications for malicious application detection. IEEE Trans. Inf. Forensics Secur. 9(11), 1869–1882 (2014)CrossRefGoogle Scholar
  24. 24.
    Xu, W., Qi, Y., Evans, D.: Automatically evading classifiers. In: Proceedings of NDSS (2016)Google Scholar
  25. 25.
    Yang, C., Xu, Z., Gu, G., Yegneswaran, V., Porras, P.: DroidMiner: automated mining and characterization of fine-grained malicious behaviors in android applications. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8712, pp. 163–182. Springer, Cham (2014). Scholar
  26. 26.
    Yang, C., Xu, Z., Gu, G., Yegneswaran, V., Porras, P.: Droidminer: automated mining and characterization of fine-grained malicious behaviors in android applications, Technical report. Texas A&M (2014)Google Scholar
  27. 27.
    Yang, W., Xiao, X., Andow, B., Li, S., Xie, T., Enck, W.: Appcontext: differentiating malicious and benign mobile app behaviors using context. In: Proceedings of ICSE, Florence, Italy, pp. 303–313 (2015)Google Scholar
  28. 28.
    Yang, Y., Wei, Z., Xu, Y., He, H., Wang, W.: Droidward: an effective dynamic analysis method for vetting android applications. Cluster Comput. December 2016Google Scholar
  29. 29.
    Zhang, M., Duan, Y., Yin, H., Zhao, Z.: Semantics-aware android malware classification using weighted contextual API dependency graphs. In: Proceedings of CCS, pp. 1105–1116 (2014)Google Scholar
  30. 30.
    Zhao, D., Traore, I., Sayed, B., Lu, W., Saad, S., Ghorbani, A., Garant, D.: Botnet detection based on traffic behavior analysis and flow intervals. Comput. Secur. 39, 2–16 (2013)CrossRefGoogle Scholar
  31. 31.
    Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: Proceedings of IEEE S&P, pp. 95–109 (2012)Google Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  • Zhiqiang Li
    • 1
  • Jun Sun
    • 1
  • Qiben Yan
    • 1
  • Witawas Srisa-an
    • 1
  • Shakthi Bachala
    • 1
  1. 1.Department of Computer Science and EngineeringUniversity of Nebraska–LincolnLincolnUSA

Personalised recommendations