IntelliAV: Toward the Feasibility of Building Intelligent Anti-malware on Android Devices

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10410)


Android is targeted the most by malware coders as the number of Android users is increasing. Although there are many Android anti-malware solutions available in the market, almost all of them are based on malware signatures, and more advanced solutions based on machine learning techniques are not deemed to be practical for the limited computational resources of mobile devices. In this paper we aim to show not only that the computational resources of consumer mobile devices allow deploying an efficient anti-malware solution based on machine learning techniques, but also that such a tool provides an effective defense against novel malware, for which signatures are not yet available. To this end, we first propose the extraction of a set of lightweight yet effective features from Android applications. Then, we embed these features in a vector space, and use a pre-trained machine learning model on the device for detecting malicious applications. We show that without resorting to any signatures, and relying only on a training phase involving a reasonable set of samples, the proposed system outperforms many commercial anti-malware products, as well as providing slightly better performances than the most effective commercial products.


Android Malware detection Machine learning On-device TensorFlow Mobile security Classification 



We appreciate VirusTotal’s collaboration for providing us the access to a large set of Android applications.


  1. 1.
    Aafer, Y., Du, W., Yin, H.: DroidAPIMiner: mining API-level features for robust malware detection in android. In: Zia, T., Zomaya, A., Varadharajan, V., Mao, M. (eds.) SecureComm 2013. LNICSSITE, vol. 127, pp. 86–103. Springer, Cham (2013). doi: 10.1007/978-3-319-04283-1_6 CrossRefGoogle Scholar
  2. 2.
    Abadi, M., Barham, P., Chen, J., Chen, Z., Davis, A., Dean, J., Devin, M., Ghemawat, S., Irving, G., Isard, M., Kudlur, M., Levenberg, J., Monga, R., Moore, S., Murray, D.G., Steiner, B., Tucker, P., Vasudevan, V., Warden, P., Wicke, M., Yu, Y., Zheng, X.: Tensorflow: a system for large-scale machine learning. In: OSDI, pp. 265–283. USENIX Association (2016)Google Scholar
  3. 3.
    Ahmadi, M., Biggio, B., Arzt, S., Ariu, D., Giacinto, G.: Detecting misuse of google cloud messaging in android badware. In: SPSM, pp. 103–112 (2016)Google Scholar
  4. 4.
    Ahmadi, M., Ulyanov, D., Semenov, S., Trofimov, M., Giacinto, G.: Novel feature extraction, selection and fusion for effective malware family classification. In: CODASPY, pp. 183–194 (2016)Google Scholar
  5. 5.
    Amos, B., Turner, H., White, J.: Applying machine learning classifiers to dynamic android malware detection at scale. In: 2013 9th International Wireless Communications and Mobile Computing Conference (IWCMC), pp. 1666–1671, July 2013Google Scholar
  6. 6.
    Andronio, N., Zanero, S., Maggi, F.: HelDroid: dissecting and detecting mobile ransomware. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 382–404. Springer, Cham (2015). doi: 10.1007/978-3-319-26362-5_18 CrossRefGoogle Scholar
  7. 7.
    Aresu, M., Ariu, D., Ahmadi, M., Maiorca, D., Giacinto, G.: Clustering android malware families by http traffic. In: MALWARE, pp. 128–135 (2015)Google Scholar
  8. 8.
    Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K.: Drebin: effective and explainable detection of android malware in your pocket. In: NDSS (2014)Google Scholar
  9. 9.
    Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2014, NY, USA, pp. 259–269. ACM, New York (2014)Google Scholar
  10. 10.
    AV-TEST: Security report 2015/16 (2017).
  11. 11.
    Avdiienko, V., Kuznetsov, K., Gorla, A., Zeller, A., Arzt, S., Rasthofer, S., Bodden, E.: Mining apps for abnormal usage of sensitive data. In: ICSE, pp. 426–436 (2015)Google Scholar
  12. 12.
    Biggio, B., Corona, I., Maiorca, D., Nelson, B., Šrndić, N., Laskov, P., Giacinto, G., Roli, F.: Evasion attacks against machine learning at test time, pp. 387–402 (2013)Google Scholar
  13. 13.
    Bishop, C.: Pattern Recognition and Machine Learning. Information Science and Statistics, 1st edn. Springer, New York (2006)zbMATHGoogle Scholar
  14. 14.
    Breiman, L.: Random forests. Mach. Learn. 45(1), 5–32 (2001)CrossRefzbMATHGoogle Scholar
  15. 15.
    Burguera, I., Zurutuza, U., Nadjm-Tehrani, S.: Crowdroid: behavior-based malware detection system for android. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2011, NY, USA, pp. 15–26. ACM, New York (2011)Google Scholar
  16. 16.
    Colthurst, T., Sculley, D., Hendry, G., Nado, Z.: Tensorforest: scalable random forests on tensorflow. In: Machine Learning Systems Workshop at NIPS (2016)Google Scholar
  17. 17.
    Dash, S.K., Suarez-Tangil, G., Khan, S., Tam, K., Ahmadi, M., Kinder, J., Cavallaro, L.: Droidscribe: classifying android malware based on runtime behavior. In: 2016 IEEE Security and Privacy Workshops (SPW), pp. 252–261, May 2016Google Scholar
  18. 18.
    eweek: symantec adds deep learning to anti-malware tools to detect zero-days, January 2016.
  19. 19.
    Fernández-Delgado, M., Cernadas, E., Barro, S., Amorim, D.: Do we need hundreds of classifiers to solve real world classification problems? J. Mach. Learn. Res. 15(1), 3133–3181 (2014)MathSciNetzbMATHGoogle Scholar
  20. 20.
    Fortinet: Android locker malware uses google cloud messaging service, January 2017.
  21. 21.
    Fortinet: deep analysis of android rootnik malware using advanced anti-debug and anti-hook, January 2017.
  22. 22.
    Fortinet: teardown of a recent variant of android/ztorg (part 1), March 2017.
  23. 23.
    Fortinet: teardown of android/ztorg (part 2), March 2017.
  24. 24.
    Google: An investigation of chrysaor malware on android, April 2017.
  25. 25.
    IDC: smartphone OS market share, q2 2016 (2016).
  26. 26.
    Islam, N., Das, S., Chen, Y.: On-device mobile phone security exploits machine learning. IEEE Pervasive Comput. 16(2), 92–96 (2017)CrossRefGoogle Scholar
  27. 27.
  28. 28.
    Maiorca, D., Mercaldo, F., Giacinto, G., Visaggio, A., Martinelli, F.: R-packdroid: API package-based characterization and detection of mobile ransomware. In: ACM Symposium on Applied Computing (2017)Google Scholar
  29. 29.
    Mariconti, E., Onwuzurike, L., Andriotis, P., De Cristofaro, E., Ross, G., Stringhini, G.: MaMaDroid: detecting android malware by building markov chains of behavioral models. In: ISOC Network and Distributed Systems Security Symposiym (NDSS), San Diego, CA (2017)Google Scholar
  30. 30.
  31. 31.
    Check point: charger malware calls and raises the risk on google play.
  32. 32.
    Check point: preinstalled malware targeting mobile users.
  33. 33.
    Check point: whale of a tale: hummingbad returns.
  34. 34.
    Sadeghi, A., Bagheri, H., Garcia, J., Malek, S.: A taxonomy and qualitative comparison of program analysis techniques for security assessment of android software. IEEE Trans. Softw. Eng. PP(99), 1 (2016)Google Scholar
  35. 35.
  36. 36.
    Suarez-Tangil, G., Dash, S.K., Ahmadi, M., Kinder, J., Giacinto, G., Cavallaro, L.: Droidsieve: fast and accurate classification of obfuscated android malware. In: Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy (CODASPY 2017), pp. 309–320 (2017)Google Scholar
  37. 37.
    Taylor, V.F., Martinovic, I.: Securank: starving permission-hungry apps using contextual permission analysis. In: Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM 2016), NY, USA, pp. 43–52. ACM, New York (2016)Google Scholar
  38. 38.
    Trustlook: trustlook AI, March 2017.
  39. 39.
    VirusTotal: virustotal blog, March 2017.
  40. 40.
    Xia, M., Gong, L., Lyu, Y., Qi, Z., Liu, X.: Effective real-time android application auditing. In: IEEE Symposium on Security and Privacy, pp. 899–914. IEEE Computer Society (2015)Google Scholar
  41. 41.
    Yang, C., Xu, Z., Gu, G., Yegneswaran, V., Porras, P.: DroidMiner: automated mining and characterization of fine-grained malicious behaviors in android applications. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8712, pp. 163–182. Springer, Cham (2014). doi: 10.1007/978-3-319-11203-9_10 Google Scholar
  42. 42.
    Zhang, M., Duan, Y., Yin, H., Zhao, Z.: Semantics-aware android malware classification using weighted contextual API dependency graphs. In: CCS, New York, NY, USA, pp. 1105–1116 (2014)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2017

Authors and Affiliations

  1. 1.University of CagliariCagliariItaly

Personalised recommendations