Evaluating Op-Code Frequency Histograms in Malware and Third-Party Mobile Applications

  • Gerardo Canfora
  • Francesco Mercaldo (Email author)
  • Corrado Aaron Visaggio
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 585)


Mobile malware has grown in scale and complexity as a consequence of the unabated uptake of smartphones worldwide. Malware writers have been developing detection-evasion techniques that are rapidly making anti-malware technologies ineffective. In particular, zero-day malware easily passes signature-based detection, while techniques based on dynamic analysis, which could be more accurate and robust, are too costly or inappropriate for real contexts, especially for reasons related to usability. This paper discusses a technique for discriminating Android malware from trusted applications that does not rely on signatures but exploits a vector of features obtained from static analysis of Android's Dalvik code. Experiments on a sample of 11,200 applications revealed that the proposed technique achieves high precision (over 93%) in mobile malware detection. Furthermore, we investigate whether the feature vector is useful for identifying the malware family, and whether it is possible to discriminate between applications retrieved from the official market and those from a third-party one.


Keywords: Malware, Android, Security, Testing, Static analysis



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Gerardo Canfora (1)
  • Francesco Mercaldo (1), Email author
  • Corrado Aaron Visaggio (1)
  1. Department of Engineering, University of Sannio, Benevento, Italy
