Android-manifest extraction and labeling method for malware compilation and dataset creation

Malware is a nuisance for smartphone users. The impact is detrimental to smartphone users if the smartphone is infected by malware. Malware identification is not an easy process for ordinary users due to its deeply concealed dangers in application package kit (APK) files available in the Android Play Store. In this paper, the challenges of creating malware datasets are discussed. Long before a malware classification process and model can be built, the need for datasets with representative features for most types of malwares has to be addressed systematically. Only after a quality data set is available can a quality classification model be obtained using machine learning (ML) or deep learning (DL) algorithms. The entire malware classification process is a full pipeline process and sub processes. The authors purposefully focus on the process of building quality malware datasets, not on ML itself, because implementing ML requires another effort after the reliable dataset is fully built. The overall step in creating the malware dataset starts with the extraction of the Android Manifest from the APK file set and ends with the labeling method for all the extracted APK files. The key contribution of this paper is on how to generate datasets systematically from any APK file

Android HIV: A Study of Repackaging Malware for Evading Machine-Learning Detection

Machine learning based solutions have been successfully employed for automatic detection of malware in Android applications. However, machine learning models are known to lack robustness against inputs crafted by an adversary. So far, the adversarial examples can only deceive Android malware detectors that rely on syntactic features, and the perturbations can only be implemented by simply modifying Android manifest. While recent Android malware detectors rely more on semantic features from Dalvik bytecode rather than manifest, existing attacking/defending methods are no longer effective. In this paper, we introduce a new highly-effective attack that generates adversarial examples of Android malware and evades being detected by the current models. To this end, we propose a method of applying optimal perturbations onto Android APK using a substitute model. Based on the transferability concept, the perturbations that successfully deceive the substitute model are likely to deceive the original models as well. We develop an automated tool to generate the adversarial examples without human intervention to apply the attacks. In contrast to existing works, the adversarial examples crafted by our method can also deceive recent machine learning based detectors that rely on semantic features such as control-flow-graph. The perturbations can also be implemented directly onto APK's Dalvik bytecode rather than Android manifest to evade from recent detectors. We evaluated the proposed manipulation methods for adversarial examples by using the same datasets that Drebin and MaMadroid (5879 malware samples) used. Our results show that, the malware detection rates decreased from 96% to 1% in MaMaDroid, and from 97% to 1% in Drebin, with just a small distortion generated by our adversarial examples manipulation method.Comment: 15 pages, 11 figure

SAMADroid: A Novel 3-Level Hybrid Malware Detection Model for Android Operating System

© 2013 IEEE. For the last few years, Android is known to be the most widely used operating system and this rapidly increasing popularity has attracted the malware developer's attention. Android allows downloading and installation of apps from other unofficial market places. This gives malware developers an opportunity to put repackaged malicious applications in third-party app-stores and attack the Android devices. A large number of malware analysis and detection systems have been developed which uses static analysis, dynamic analysis, or hybrid analysis to keep Android devices secure from malware. However, the existing research clearly lags in detecting malware efficiently and accurately. For accurate malware detection, multilayer analysis is required which consumes large amount of hardware resources of resource constrained mobile devices. This research proposes an efficient and accurate solution to this problem, named SAMADroid, which is a novel 3-level hybrid malware detection model for Android operating systems. The research contribution includes multiple folds. First, many of the existing Android malware detection techniques are thoroughly investigated and categorized on the basis of their detection methods. Also, their benefits along with limitations are deduced. A novel 3-level hybrid malware detection model for Android operating systems is developed, that can provide high detection accuracy by combining the benefits of the three different levels: 1) Static and Dynamic Analysis; 2) Local and Remote Host; and 3) Machine Learning Intelligence. Experimental results show that SAMADroid achieves high malware detection accuracy by ensuring the efficiency in terms of power and storage consumption

Mobile Malware Behaviour through Opcode Analysis

As the popularity of mobile devices are on the rise, millions of users are now exposed to mobile malware threats. Malware is known for its ability in causing damage to mobile devices. Attackers often use it as a way to use the resources available and for other cybercriminal benefits such stealing users’ data, credentials and credit card number. Various detection techniques have been introduced in mitigating mobile malware, yet the malware author has its own method to overcome the detection method. This paper presents mobile malware analysis approaches through opcode analysis. Opcode analysis on mobile malware reveals the behaviour of malicious application in the binary level. The comparison made between the numbers of opcode occurrence from a malicious application and benign shows a significance traits. These differences can be used in classifying the malicious and benign mobile application

Applying Deep Learning Techniques to the Analysis of Android APKs

Malware targeting mobile devices is a pervasive problem in modern life and as such tools to detect and classify malware are of great value. This paper seeks to demonstrate the effectiveness of Deep Learning Techniques, specifically Convolutional Neural Networks, in detecting and classifying malware targeting the Android operating system. Unlike many current detection techniques, which require the use of relatively rigid features to aid in detection, deep neural networks are capable of automatically learning flexible features which may be more resilient to obfuscation. We present a parsing for extracting sequences of API calls which can be used to describe a hypothetical execution of a given application. We then show how to use this sequence of API calls to successfully classify Android malware using a Convolutional Neural Network

Analysing Use of High Privileges in Android Applications

The number of Android smartphone and tablet users has experienced a rapid growth in the past few years and it raises users' awareness on the privacy and security of their mobile devices. The features of openness and extensibility make Android unique, attractive and competitive but meanwhile vulnerable to malicious attack. There are lots of users rooting their Android devices for some useful functions, which are not originally provided to developers and users, such as backup and taking screenshot. However, after observing the danger of rooting devices, the developers begin to look for other non-root alternatives to implement those functions. ADB workaround is one of the best known non-root alternatives to help app gain higher privilege on Android. It used to be considered as a secure practice until some cases of ADB privilege leakage have been found. In this project, we design an approach and implement a couple of tools to detect the privilege leakage in Android apps. We apply them to analyse three real-world apps with millions of users, and successfully identify three ADB privilege leaks from them. Moreover, we also conduct an exploitation of the ADB privilege in one app, and therefore we prove the existence of vulnerabilities in ADB workaround. Based on out study, we propose some suggestion to help developers create their apps that could not only satisfy users' needs but also protect users' privacy from similar attacks in future.Comment: 13 page

Malicious code detection in android : the role of sequence characteristics and disassembling methods

The acceptance and widespread use of the Android operating system drew the attention of both legitimate developers and malware authors, which resulted in a significant number of benign and malicious applications available on various online markets. Since the signature-based methods fall short for detecting malicious software effectively considering the vast number of applications, machine learning techniques in this field have also become widespread. In this context, stating the acquired accuracy values in the contingency tables in malware detection studies has become a popular and efficient method and enabled researchers to evaluate their methodologies comparatively. In this study, we wanted to investigate and emphasize the factors that may affect the accuracy values of the models managed by researchers, particularly the disassembly method and the input data characteristics. Firstly, we developed a model that tackles the malware detection problem from a Natural Language Processing (NLP) perspective using Long Short-Term Memory (LSTM). Then, we experimented with different base units (instruction, basic block, method, and class) and representations of source code obtained from three commonly used disassembling tools (JEB, IDA, and Apktool) and examined the results. Our findings exhibit that the disassembly method and different input representations affect the model results. More specifically, the datasets collected by the Apktool achieved better results compared to the other two disassemblers

An Efficient Multistage Fusion Approach for Smartphone Security Analysis

Android smartphone ecosystem is inundated with innumerable applications mainly developed by third party contenders leading to high vulnerability of these devices. In addition, proliferation of smartphone usage along with their potential applications in diverse field entice malware community to develop new malwares to attack these devices. In order to overcome these issues, an android malware detection framework is proposed wherein an efficient multistage fusion approach is introduced. For this, a robust unified feature vector is created by fusion of transformed feature matrices corresponding to multi-cue using non-linear graph based cross-diffusion. Unified feature is further subjected to multiple classifiers to obtain their classification scores. Classifier scores are further optimally fused employing Dezert-Smarandache Theory (DSmT). Strength of suggested model is assessed both qualitatively and quantitatively by ten-fold cross-validation on the benchmarked datasets. On an average of outcome, we achieved detection accuracy of 98.97% and F-measure of 0.9936.&nbsp