Android Malware Detection Using Category-Based Permission Vectors

  • Xu Li
  • Guojun WangEmail author
  • Saqib Ali
  • QiLin He
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11337)


With the drastic increase of smartphone adoption, malware attacks on smartphones have emerged as serious privacy and security threat. Kaspersky Labs detected and intercepted a total of 5,730,916 malicious installation packages in 2017. To curb this problem, researchers and various security laboratories have developed numerous malware analysis models. In Android based smartphones, permissions have been an inherent part of such models. Permission request patterns can be used to detect behavior of different applications. As applications with similar functionalities should use permission requests in similar ways, they can be used to distinguish different types of apps. However, when analysis models are trained on permission vectors extracted from a mixture of applications without maintaining any differences that naturally exist among different application categories, aggregated results can miss details and this can result in errors. In this paper, we propose a permission analysis model for android applications which includes a classification module and a malware detection module based on application permission vectors to deal with Android malware detection problem. We mine the benign application permission vector set into 32 categories by mining the similarity of permission vectors, and input malicious application permission vector sets into the model to obtain class labels, then extract sensitive features from different classes. Finally, sensitive features of each class are respectively input into the machine learning algorithm to obtain a classification model of malicious and benign applications. Our experimental results show that our model can achieve 93.66% accuracy of detecting malware instances.


Clustering Permission vectors Malware detection k-means 



This work is supported in part by the National Natural Science Foundation of China under Grants 61632009 & 61472451, in part by the Guangdong Provincial Natural Science Foundation under Grant 2017A030308006 and High-Level Talents Program of Higher Education in Guangdong Province under Grant 2016ZJ01, in part by Basic Innovation Project of Guangzhou University under Grant 2017GDJC-M18 and CERNET Innovation Project under Grant NGII20170102.


  1. 1.
    Google: Android Security 2017 Year in Review (2018)Google Scholar
  2. 2.
    Statista: Cumulative Number of Apps Downloaded from the Google Play as of May 2016. Accessed 20 June 2018
  3. 3.
    Qihoo 360: Mobile Security Report. Accessed 20 June 2018
  4. 4.
    Kaspersky Labs: Mobile Malware Evolution (2017). Accessed 20 June 2018
  5. 5.
    Symantec: Latest Intelligence for March 2016. In: Symantec Official Blog (2016)Google Scholar
  6. 6.
    Drake, J., Lanier, Z., Mulliner, C., et al.: Android Hacker’s Handbook. Wiley, Hoboken (2014)Google Scholar
  7. 7.
    Faruki, P., et al.: Android security: a survey of issues, malware penetration, and defenses. IEEE Commun. Surv. Tutors. 17, 998–1022 (2015)CrossRefGoogle Scholar
  8. 8.
    Sokolova, K., Perez, C., Lemercier, M.: Android application classification and anomaly detection with graph-based permission patterns. Decis. Support Syst. 93, 62–76 (2017)CrossRefGoogle Scholar
  9. 9.
    Li, J., Sun, L., Yan, Q., Li, Z., Srisa-an, W., Ye, H.: Android malware detection. IEEE Trans. Ind. Inform. 14(7), 3216–3225 (2018)CrossRefGoogle Scholar
  10. 10.
    Felt, A., Chin, E., Hanna, S.: Android permissions demystified. In: Proceedings of 18th ACM Conference on Computer and Communications Security - CCS 2011, pp. 627–636 (2011)Google Scholar
  11. 11.
    Peng, H., et al.: Using probabilistic generative models for ranking risks of Android apps. In: Proceedings of 2012 ACM Conference on Computer and Communications Security - CCS 2012, p. 241 (2012)Google Scholar
  12. 12.
    Enck, W., Ongtang, M., McDaniel, P.: On lightweight mobile phone application certification. In: Proceedings of 16th ACM Computer and Communications Security. - CCS 2009, p. 235 (2009)Google Scholar
  13. 13.
    Fan, M., Liu, J., Wang, W., Li, H., Tian, Z., Liu, T.: DAPASA: detecting android piggybacked apps through sensitive subgraph analysis. IEEE Trans. Inf. Forensics Secur. 12, 1772–1785 (2017)CrossRefGoogle Scholar
  14. 14.
    Grace, M., Zhou, Y., Zhang, Q., Zou, S., Jiang, X.: RiskRanker: scalable and accurate zero-day android malware detection. In: 10th International Conference on Mobile Systems, Applications, and Services, pp. 281–294 (2012)Google Scholar
  15. 15.
    Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, you, get off of my market: detecting malicious apps in official and alternative android markets. In: Proceedings of 19th Annual Network and Distributed System Security Symposium, pp. 5–8 (2012)Google Scholar
  16. 16.
    Hao, H., Singh, V., Du, W.: On the effectiveness of API-level access control using bytecode rewriting in Android. In: Proceedings of 8th ACM SIGSAC Symposium on Information, Computer and Communications Security - ASIA CCS 2013, p. 25 (2013)Google Scholar
  17. 17.
    Bu, K., Xu, M., Liu, X., Luo, J., Zhang, S., Weng, M.: Deterministic detection of cloning attacks for anonymous RFID systems. IEEE Trans. Ind. Inform. 11, 1255–1266 (2015)CrossRefGoogle Scholar
  18. 18.
    Cruz, T., et al.: A cybersecurity detection framework for supervisory control and data acquisition systems. IEEE Trans. Ind. Inform. 1, 1–10 (2016)Google Scholar
  19. 19.
  20. 20.
    Wang, W., Wang, X., Feng, D., Liu, J., Han, Z., Zhang, X.: Exploring permission-induced risk in android applications for malicious application detection. IEEE Trans. Inf. Forensics Secur. 9, 1869–1882 (2014)CrossRefGoogle Scholar
  21. 21.
    Xu, W., Zhang, F., Zhu, S.: Permlyzer: analyzing permission usage in Android applications. In: 2013 IEEE 24th International Symposium on Software Reliability Engineering, ISSRE 2013, pp. 400–410 (2013)Google Scholar
  22. 22.
    Arp, D., Spreitzenbarth, M., Hübner, M., Gascon, H., Rieck, K.: Drebin: effective and explainable detection of android malware in your pocket. In: Proceedings of 2014 Network and Distributed System Security Symposium (2014)Google Scholar
  23. 23.
    Google Play Homepage. Accessed 19 June 2018
  24. 24.
    Huawei App Store Homepage. Accessed 20 June 2018
  25. 25.
    Xiao MI App Store Homepage. Accessed 20 June 2018
  26. 26.
    Application Details Query Interface. Accessed 19 May 2018
  27. 27.
    Malicious App Sharing Site. Accessed 20 June 2018
  28. 28.
    Application Analyzing Tool. Accessed 25 Apr 2018
  29. 29.
    Android Malicious Application Sharing. Accessed 20 June 2018
  30. 30.
    Ali, S., Wang, G., Cottrell, R.L., Anwar, T.: Detecting anomalies from end-to-end internet performance measurements (PingER) using cluster based local outlier factor. In: 2017 IEEE ISPA/IUCC, pp. 982–989 (2017)Google Scholar
  31. 31.
    Fuchs, A.P., Chaudhuri, A., Foster, J.: SCanDroid : automated security certification of android applications. Read, vol. 10, p. 328 (2010)Google Scholar
  32. 32.
    Ali, S., Wang, G., Xing, X., Cottrell, R.L.: Substituting missing values in end-to-end internet performance measurements using k-nearest neighbors. In: 2018 IEEE 16th International Conference on Dependable, Autonomic and Secure Computing, 16th International Conference on Pervasive Intelligence and Computing, 4th International Conference on Big Data Intelligence and Computing and Cyber Science and Technology Congress (DASC/PiCom/DataCom/CyberSciTech), pp. 919–926. IEEE, August 2018Google Scholar
  33. 33.
    Davies, D.L., Bouldin, D.W.: A cluster separation measure. IEEE Trans. Pattern Anal. Mach. Intell. PAMI-1, 224–227 (1979)CrossRefGoogle Scholar
  34. 34.
    Fornasini, P.: The Uncertainty in Physical Measurements (2008)CrossRefGoogle Scholar
  35. 35.
    Ali, S., Wang, G., Cottrell, R.L., Masood, S.: Internet performance analysis of South Asian countries using end-to-end internet performance measurements. In: 2017 IEEE ISPA/IUCC, pp. 1319–1326 (2017)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.School of Computer Science and TechnologyGuangzhou UniversityGuangzhouPeople’s Republic of China

Personalised recommendations