Classifying Android Malware through Subgraph Mining

  • Fabio Martinelli
  • Andrea Saracino
  • Daniele Sgandurra (corresponding author)
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8247)


Current smartphones are built around apps: lightweight applications distributed through on-line marketplaces such as Google Play (for Android devices). Unfortunately, this market-centric model suffers from several major security and trust issues, because anyone can easily create a malicious app, deploy it through the market, and potentially trigger a large-scale malware spread.

In this paper, we propose a framework to classify Android malware based on common patterns of actions executed by malicious applications. The basic idea is to extract, from known malware, a set of frequent subgraphs of system calls that most of the malware samples execute. This set of subgraphs constitutes a database of known malicious features. Then, when a new application is downloaded from a market, it is first run in a sandbox to monitor its behavior. This produces an execution trace that may contain some of the subgraphs previously found in malware. The resulting vector of matched subgraphs is given to a classifier, which decides whether the application is likely malware or not. Preliminary tests on both known good apps and malware confirm the effectiveness and quality of our proposal.
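The pipeline in the abstract (mine frequent system-call subgraphs from malware, turn a new trace into a presence vector over those subgraphs, hand the vector to a classifier) is shown end to end below as an added example; it is not the authors' code or tool. It assumes several things the abstract does not fix: each trace is modelled as a directed graph whose nodes are syscall names and whose edges link each syscall to its successor; because node labels are unique within such a graph, a subgraph is identified by its edge set and subgraph containment reduces to edge-set inclusion, which lets a simple apriori-style miner stand in for a general-purpose subgraph miner; the classifier is a Bernoulli naive Bayes; and the traces are constructed, not real sandbox output.

```python
"""Added example: frequent-subgraph features from syscall traces, then naive Bayes.
Not the paper's implementation; graph model, miner and classifier are assumptions."""
import math

# Constructed sample traces (not real malware data): one syscall sequence per app.
MALWARE_TRACES = [
    ["open", "read", "socket", "connect", "write", "close"],
    ["socket", "connect", "open", "read", "write", "sendto"],
    ["open", "read", "socket", "connect", "sendto", "close"],
]
GOODWARE_TRACES = [
    ["open", "read", "mmap", "close"],
    ["open", "read", "write", "close", "open", "read"],
    ["stat", "open", "mmap", "read", "close"],
]


def trace_to_graph(trace):
    """Assumed graph model: nodes are syscall names, an edge (a, b) means
    syscall b directly followed syscall a somewhere in the trace."""
    return {(a, b) for a, b in zip(trace, trace[1:])}


def support(edges, graphs):
    """Number of graphs that contain every edge of the candidate subgraph."""
    return sum(1 for g in graphs if edges <= g)


def mine_frequent_subgraphs(graphs, min_support, max_edges=3):
    """Apriori-style mining of connected subgraphs (as frozensets of edges) that
    occur in at least min_support graphs. Pruning uses the anti-monotone property:
    a subgraph can only be frequent if every edge in it is frequent on its own."""
    all_edges = set().union(*graphs)
    freq_edges = {e for e in all_edges if support({e}, graphs) >= min_support}
    level = {frozenset([e]) for e in freq_edges}
    found = set(level)
    for _ in range(max_edges - 1):
        nxt = set()
        for sg in level:
            nodes = {n for edge in sg for n in edge}
            for e in freq_edges - sg:
                if e[0] not in nodes and e[1] not in nodes:
                    continue  # keep the candidate connected
                cand = sg | {e}
                if cand not in found and support(cand, graphs) >= min_support:
                    nxt.add(cand)
        found |= nxt
        level = nxt
        if not level:
            break
    return found


def feature_vector(graph, patterns):
    """Binary vector: 1 where the mined subgraph is contained in the trace graph."""
    return [1 if p <= graph else 0 for p in patterns]


class BernoulliNB:
    """Minimal Bernoulli naive Bayes over binary features with Laplace smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.log_prior, self.log_p1, self.log_p0 = {}, {}, {}

    def fit(self, X, y):
        n_features = len(X[0])
        for c in set(y):
            rows = [x for x, label in zip(X, y) if label == c]
            self.log_prior[c] = math.log(len(rows) / len(X))
            p1 = [(sum(r[j] for r in rows) + self.alpha) / (len(rows) + 2 * self.alpha)
                  for j in range(n_features)]
            self.log_p1[c] = [math.log(p) for p in p1]
            self.log_p0[c] = [math.log(1 - p) for p in p1]
        return self

    def predict(self, x):
        def score(c):
            return self.log_prior[c] + sum(
                self.log_p1[c][j] if v else self.log_p0[c][j] for j, v in enumerate(x))
        return max(self.log_prior, key=score)


def build_classifier(malware, goodware, min_support=2):
    """Mine the malicious-feature database from malware only, then train on both classes."""
    mal_graphs = [trace_to_graph(t) for t in malware]
    good_graphs = [trace_to_graph(t) for t in goodware]
    patterns = sorted(mine_frequent_subgraphs(mal_graphs, min_support),
                      key=lambda p: (len(p), sorted(p)))  # deterministic feature order
    X = [feature_vector(g, patterns) for g in mal_graphs + good_graphs]
    y = [1] * len(mal_graphs) + [0] * len(good_graphs)
    return patterns, BernoulliNB().fit(X, y)


def classify_trace(trace, patterns, clf):
    """1 = likely malware, 0 = likely benign, for a freshly recorded sandbox trace."""
    return clf.predict(feature_vector(trace_to_graph(trace), patterns))


if __name__ == "__main__":
    patterns, clf = build_classifier(MALWARE_TRACES, GOODWARE_TRACES)
    for p in patterns:
        print("mined subgraph:", sorted(p))
    print(classify_trace(["open", "read", "socket", "connect", "sendto"], patterns, clf))
    print(classify_trace(["open", "read", "close"], patterns, clf))
```

With the constructed traces and min_support=2 the miner finds three frequent edges (open→read, read→socket, socket→connect), the two connected pairs among them, and the full open→read→socket→connect chain; the benign samples share only open→read, so the chain-bearing test trace is labelled malware and the short open/read/close trace benign. Two caveats a practitioner should keep in mind: the edge-set shortcut only holds because node labels are unique per graph, so a general graph model (e.g. one node per syscall invocation) needs a real subgraph-isomorphism miner; and features mined from malware alone can also be common in goodware, which is why the classifier is trained on both classes rather than just counting matches.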


Keywords: Intrusion detection system, Android, Mobile security, Malware, Classification



Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Fabio Martinelli (1)
  • Andrea Saracino (1, 2)
  • Daniele Sgandurra (1), corresponding author

  1. Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Pisa, Italy
  2. Dipartimento di Ingegneria dell'Informazione, Università di Pisa, Pisa, Italy
