European Symposium on Research in Computer Security

ESORICS 2014: Computer Security - ESORICS 2014 pp 163–182Cite as

DroidMiner: Automated Mining and Characterization of Fine-grained Malicious Behaviors in Android Applications

  • Chao Yang
  • Zhaoyan Xu
  • Guofei Gu
  • Vinod Yegneswaran
  • Phillip Porras
  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC, volume 8712)

Abstract

Most existing malicious Android app detection approaches rely on manually selected detection heuristics, features, and models. In this paper, we describe a new, complementary system, called DroidMiner, which uses static analysis to automatically mine malicious program logic from known Android malware, abstracts this logic into a sequence of threat modalities, and then seeks out these threat modality patterns in other unknown (or newly published) Android apps. We formalize a two-level behavioral graph representation used to capture Android app program logic, and design new techniques to identify and label elements of the graph that capture malicious behavioral patterns (or malicious modalities). After the automatic learning of these malicious behavioral models, DroidMiner can scan a new Android app to (i) determine whether it contains malicious modalities, (ii) diagnose the malware family to which it is most closely associated, and (iii) provide further evidence as to why the app is considered to be malicious by including a concise description of identified malicious behaviors. We evaluate DroidMiner using 2,466 malicious apps, identified from a corpus of over 67,000 third-party market Android apps, plus an additional set of over 10,000 official market Android apps. Using this set of real-world apps, we demonstrate that DroidMiner achieves a 95.3% detection rate, with only a 0.4% false positive rate. We further evaluate DroidMiner’s ability to classify malicious apps under their proper family labels, and measure its label accuracy at 92%.
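The abstract describes a three-stage workflow: mine behavioral patterns ("modalities") from labeled malware, then scan unknown apps to flag them, attribute a family, and report the matched behaviors as evidence, and finally measure detection rate, false positive rate and family-label accuracy. The Python sketch below is an added illustration of that workflow and is not code from the paper or from the DroidMiner project. It replaces the paper's two-level behavioral graph with a much simpler stand-in: each app is a single path of sensitive API calls, and a modality is an ordered pair of calls that appears in enough malware samples and in no benign sample. The API names, family labels and corpora are constructed for the example.

```python
"""Toy mine-then-scan pipeline in the spirit of the abstract (illustration only)."""
from collections import Counter
from itertools import combinations

# Constructed training corpus. Each app is one path of sensitive API calls
# taken from its call graph; family names are hypothetical.
KNOWN_MALWARE = {
    "mal_a1": ("Fam-SMS", ["getDeviceId", "getSubscriberId", "sendTextMessage"]),
    "mal_a2": ("Fam-SMS", ["getDeviceId", "sendTextMessage", "abortBroadcast"]),
    "mal_a3": ("Fam-SMS", ["getSubscriberId", "sendTextMessage", "abortBroadcast"]),
    "mal_b1": ("Fam-Loader", ["getDeviceId", "openConnection", "DexClassLoader"]),
    "mal_b2": ("Fam-Loader", ["getLine1Number", "openConnection", "DexClassLoader"]),
    "mal_b3": ("Fam-Loader", ["openConnection", "DexClassLoader", "startService"]),
}
KNOWN_BENIGN = {
    "ben_1": ["getDeviceId", "openConnection"],
    "ben_2": ["openConnection", "startService"],
    "ben_3": ["sendTextMessage"],
    "ben_4": ["getLine1Number", "openConnection"],
}

# Constructed held-out set used to measure the learned modalities.
TEST_MALWARE = {
    "new_m1": ("Fam-SMS", ["getSubscriberId", "sendTextMessage", "abortBroadcast", "getDeviceId"]),
    "new_m2": ("Fam-Loader", ["getLine1Number", "openConnection", "DexClassLoader"]),
    "new_m3": ("Fam-Other", ["getDeviceId", "openConnection"]),  # unseen family, expected miss
}
TEST_BENIGN = {
    "new_b1": ["getDeviceId", "openConnection", "startService"],
    "new_b2": ["sendTextMessage", "openConnection"],
}


def ordered_pairs(path):
    """Every (earlier, later) pair of distinct calls on a path: the unit we mine."""
    return {(a, b) for a, b in combinations(path, 2) if a != b}


def mine_modalities(malware, benign, min_support=2):
    """Return {pair: set(families)} for pairs common in malware and absent from benign apps."""
    mal_count, families_of = Counter(), {}
    for family, path in malware.values():
        for pair in ordered_pairs(path):
            mal_count[pair] += 1
            families_of.setdefault(pair, set()).add(family)
    benign_pairs = set().union(*(ordered_pairs(p) for p in benign.values()))
    return {pair: families_of[pair] for pair, n in mal_count.items()
            if n >= min_support and pair not in benign_pairs}


def scan(path, modalities):
    """Flag an unknown app, vote on its family, and list the matched behaviors as evidence."""
    matched = sorted(pair for pair in ordered_pairs(path) if pair in modalities)
    votes = Counter(f for pair in matched for f in modalities[pair])
    family = votes.most_common(1)[0][0] if votes else None
    return {"malicious": bool(matched), "family": family,
            "evidence": [f"{a} -> {b}" for a, b in matched]}


def evaluate(modalities, malware, benign):
    """Detection rate, false positive rate and family accuracy (among detected samples)."""
    reports = {name: scan(path, modalities) for name, (_, path) in malware.items()}
    detected = [n for n, r in reports.items() if r["malicious"]]
    correct = [n for n in detected if reports[n]["family"] == malware[n][0]]
    false_pos = [n for n, p in benign.items() if scan(p, modalities)["malicious"]]
    return {"detection_rate": len(detected) / len(malware),
            "false_positive_rate": len(false_pos) / len(benign),
            "family_accuracy": len(correct) / len(detected) if detected else 0.0}


if __name__ == "__main__":
    mods = mine_modalities(KNOWN_MALWARE, KNOWN_BENIGN)
    for pair, fams in sorted(mods.items()):
        print("modality", pair, "families", sorted(fams))
    print(scan(["getDeviceId", "sendTextMessage", "abortBroadcast"], mods))
    print(evaluate(mods, TEST_MALWARE, TEST_BENIGN))
```

The third held-out sample belongs to a family absent from training and is missed, which is the behavior to expect from any approach that learns its patterns from known malware: the modality set has to be re-mined as new families appear, and the evidence list is what lets an analyst confirm a hit before acting on it.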

Keywords

  • Mobile Security
  • Android Malware Analysis and Detection



Author information

Authors and Affiliations

  1. Texas A&M University, College Station, TX, USA

    Chao Yang, Zhaoyan Xu & Guofei Gu

  2. SRI International, Menlo Park, CA, USA

    Vinod Yegneswaran & Phillip Porras


Editor information

Editors and Affiliations

  1. Department of Fundamental Problems of Technology, Wrocław University of Technology, Wybrzeże Wyspiańskiego 27, 50-370, Wrocław, Poland

    Mirosław Kutyłowski

  2. MSIS Department, Rutgers University, USA

    Jaideep Vaidya


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Yang, C., Xu, Z., Gu, G., Yegneswaran, V., Porras, P. (2014). DroidMiner: Automated Mining and Characterization of Fine-grained Malicious Behaviors in Android Applications. In: Kutyłowski, M., Vaidya, J. (eds) Computer Security - ESORICS 2014. ESORICS 2014. Lecture Notes in Computer Science, vol 8712. Springer, Cham. https://doi.org/10.1007/978-3-319-11203-9_10

  • DOI: https://doi.org/10.1007/978-3-319-11203-9_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-11202-2

  • Online ISBN: 978-3-319-11203-9

