DroidMiner: Automated Mining and Characterization of Fine-grained Malicious Behaviors in Android Applications

  • Chao Yang
  • Zhaoyan Xu
  • Guofei Gu
  • Vinod Yegneswaran
  • Phillip Porras
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8712)


Most existing malicious Android app detection approaches rely on manually selected detection heuristics, features, and models. In this paper, we describe a new, complementary system, called DroidMiner, which uses static analysis to automatically mine malicious program logic from known Android malware, abstracts this logic into a sequence of threat modalities, and then seeks out these threat modality patterns in other unknown (or newly published) Android apps. We formalize a two-level behavioral graph representation used to capture Android app program logic, and design new techniques to identify and label elements of the graph that capture malicious behavioral patterns (or malicious modalities). After the automatic learning of these malicious behavioral models, DroidMiner can scan a new Android app to (i) determine whether it contains malicious modalities, (ii) diagnose the malware family to which it is most closely associated, (iii) and provide further evidence as to why the app is considered to be malicious by including a concise description of identified malicious behaviors. We evaluate DroidMiner using 2,466 malicious apps, identified from a corpus of over 67,000 third-party market Android apps, plus an additional set of over 10,000 official market Android apps. Using this set of real-world apps, we demonstrate that DroidMiner achieves a 95.3% detection rate, with only a 0.4% false positive rate. We further evaluate DroidMiner’s ability to classify malicious apps under their proper family labels, and measure its label accuracy at 92%.


Mobile Security Android Malware Analysis and Detection 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets. In: Proc. of the 19th NDSS (2012)Google Scholar
  2. 2.
    Chen, K., Johnson, N., Silva, V., Dai, S., MacNamara, K., Magrino, T., Wu, E., Rinard, M., Song, D.: Contextual policy enforcement in android applications with permission event graphs. In: Proc. of the 20th NDSS (2013)Google Scholar
  3. 3.
    Peng, H., Gates, C., Sarm, B., Li, N., Qi, Y., Potharaju, R., Nita-Rotaru, C., Molloy, I.: Using probabilistic generative models for ranking risks of android apps. In: Proc. of the 19th CCSGoogle Scholar
  4. 4.
    Wu, D., Mao, C., Wei, T., Lee, H., Wu., K.: Droidmat: Android malware detection through manifest and api calls tracing. In: Proc. of the 7th Asia JCIS (2012)Google Scholar
  5. 5.
    Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K.: Drebin: Effective and explainable detection of android malware in your pocket. In: Proc. of NDSS (2014)Google Scholar
  6. 6.
    Yang, C., Xu, Z., Gu, G., Yegneswaran, V., Porras, P.: Droidminer: Automated mining and characterization of fine-grained malicious behaviors in android applications. Technical report, Texas A&M University (2014),
  7. 7.
  8. 8.
  9. 9.
  10. 10.
  11. 11.
  12. 12.
  13. 13.
    Slideme android market,
  14. 14.
    App dh android market,
  15. 15.
    Anzhi android market,
  16. 16.
  17. 17.
    Android malware genome project,
  18. 18.
    Zhou, Y., Jiang, X.: Dissecting android malware: Characterization and evolution. In: Proc. of the 33th IEEE Security and Privacy (2012)Google Scholar
  19. 19.
    Portokalidis, G., Homburg, P., Anagnostakis, K., Bos, H.: Paranoid android: versatile protection for smartphones. In: Proc. of the 26th ACSAC (2010)Google Scholar
  20. 20.
    Schmidt, A., Bye, R., Schmidt, H., Clausen, J., Kiraz, O., Yxksel, K., Camtepe, S., Sahin, A.: Static analysis of executables for collaborative malware detection on android. In: ICC Communication and Information Systems Security Symposium (2009)Google Scholar
  21. 21.
    Schmidt, A., Schmidt, H., Clausen, J., Yuksel, K., Kiraz, O., Sahin, A., Camtepe, S.: Enhancing security of linux-based android devices. In: Proc. of 15th International Linux KongressGoogle Scholar
  22. 22.
    Yan, L., Yin, H.: Droidscope: Seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis. In: Proc. of the 21st USENIX Security (2012)Google Scholar
  23. 23.
    Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A study of android application security. In: Proc. of the 20th USENIX (2011)Google Scholar
  24. 24.
    Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystied. In: Proc. of the 18th CCS (2011)Google Scholar
  25. 25.
    Bartel, A., Klein, J., Monperrus, M., Traon, Y.L.: Automatically securing permission-based software by reducing the attack surface: An application to android. In: Proc. of the 27th IEEE/ACM International Conference on Automated Software Engineering (2012)Google Scholar
  26. 26.
    Au, K., Zhou, Y., Huang, Z., Lie, D., Gong, X., Han, X., Zhou, W.: Pscout: Analyzing the android permission specification. In: Proc. of the 19th CCS (2012)Google Scholar
  27. 27.
    Enck, W., Ongtang, M., McDaniel, P.: On lightweight mobile phone application certification. In: Proc. of the 16th CCS (2009)Google Scholar
  28. 28.
    Frank, M., Dong, B., Felt, A.P., Song, D.: Mining permission request patterns from android and facebook applications. In: Proc. of ICDM 2012 (2012)Google Scholar
  29. 29.
    Aafer, Y., Du, W., Yin, H.: DroidAPIMiner: Mining API-level features for robust malware detection in android. In: Zia, T., Zomaya, A., Varadharajan, V., Mao, M. (eds.) SecureComm 2013. LNICST, vol. 127, pp. 86–103. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  30. 30.
    Maggi, F., Valdi, A., Zanero, S.: AndroTotal: a flexible, scalable toolbox and service for testing mobile malware detectors. In: Proc. of SPSM 2013 (2013)Google Scholar
  31. 31.
    Reina, A., Fattori, A., Cavallaro, L.: A system call-centric analysis and stimulation technique to automatically reconstruct android malware behaviors. In: Proc. of EUROSEC 2013 (2013)Google Scholar
  32. 32.
    Enck, W., Gilbert, P., Chun, B., Cox, L.P., Jung, J., Mc-Daniel, P., Sheth, A.N.: Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In: Proc. of the 9th OSDI (2010)Google Scholar
  33. 33.
    Zhou, Y., Zhang, Q., Zou, S., Jiang, X.: Riskranker: scalable and accurate zero-day android malware detection. In: Proc. of the 10th MobiSys (2012)Google Scholar
  34. 34.
    Suarez-Tangil, G., Tapiador, J.E., Peris-Lopez, P., Alis, J.B.: Dendroid: A text mining approach to analyzing and classifying code structures in android malware families (2012)Google Scholar
  35. 35.
    Dietz, M., Shekhar, S., Pisetsky, Y., Shu, A., Wallach, D.S.: Quire: lightweight provenance for smart phone operating systems. In: Proc. of the 20th USENIX Security (2011)Google Scholar
  36. 36.
    Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.R., Shastry, B.: Towards taming privilege-escalation attacks on android. In: Proc. of the 19th NDSS (2012)Google Scholar
  37. 37.
    Hornyack, P., Han, S., Jung, J., Schechter, S., Wetherall, D.: These aren’t the droids you’re looking for: Retrofitting android to protect data from imperious applications. In: Proc. of the 18th CCS (2011)Google Scholar
  38. 38.
    Nauman, M., Khan, S., Zhang, X.: Apex: extending android permission model and enforcement with user-defined runtime constraints. In: Proc. of the 5th ICCS (2010)Google Scholar
  39. 39.
    Lange, M., Liebergeld, S., Lackorzynski, A., Warg, A., Peter, M.: L4android: A generic operating system frame- work for secure smartphones. In: Proc. of the 1st Workshop on Security and Privacy in Smartphones and Mobile Devices (2011)Google Scholar
  40. 40.
    Andrus, J., Dall, C., Hof, A.V., Laadan, O., Nieh, J.: Cells: A virtual mobile smartphone architecture. In: Proc. of the 23rd SOSP (2011)Google Scholar
  41. 41.
    Zheng, C., Zhu, S., Dai, S., Gu, G., Gong, X., Han, X., Zhou, W.: Smartdroid: an automatic system for revealing ui-based trigger conditions in android applications. In: Proc. of the 2nd Workshop on Security and Privacy in Smartphones and Mobile Devices (2012)Google Scholar
  42. 42.
    Rastogi, V., Chen, Y., Jiang, X.: Droidchameleon: evaluating android anti-malware against transformation attacks. In: Proc. of the 8th ICCS (2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Chao Yang
    • 1
  • Zhaoyan Xu
    • 1
  • Guofei Gu
    • 1
  • Vinod Yegneswaran
    • 2
  • Phillip Porras
    • 2
  1. 1.Texas A&M UniversityCollege StationUSA
  2. 2.SRI InternationalMenlo ParkUSA

Personalised recommendations