Andrana: Quick and Accurate Malware Detection for Android

  • Andrew Bedford
  • Sébastien Garvin
  • Josée Desharnais
  • Nadia Tawbi
  • Hana Ajakan
  • Frédéric Audet
  • Bernard Lebel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10128)


In order to protect Android users and their information, we have developed a lightweight malware detection tool for Android called Andrana. It leverages machine learning techniques and static analysis to determine, with an accuracy of 94.90%, if an application is malicious. Its analysis can be performed directly on a mobile device in less than a second and using only 12 MB of memory.


Keywords: Malware detection, Android, Static analysis, Machine learning



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Andrew Bedford (1)
  • Sébastien Garvin (1)
  • Josée Desharnais (1)
  • Nadia Tawbi (1)
  • Hana Ajakan (1)
  • Frédéric Audet (2)
  • Bernard Lebel (2)

  1. Laval University, Quebec, Canada
  2. Thales Research and Technology Canada, Quebec, Canada
