Longitudinal performance analysis of machine learning based Android malware detectors

This paper presents a longitudinal study of the performance of machine learning classifiers for Android malware detection. The study is undertaken using features extracted from Android applications first seen between 2012 and 2016. The aim is to investigate the extent of performance decay over time for various machine learning classifiers trained with static features extracted from date-labelled benign and malware application sets. Using date-labelled apps allows for true mimicking of zero-day testing, thus providing a more realistic view of performance than the conventional methods of evaluation that do not take date of appearance into account. In this study, all the investigated machine learning classifiers showed progressive diminishing performance when tested on sets of samples from a later time period. Overall, it was found that false positive rate (misclassifying benign samples as malicious) increased more substantially compared to the fall in True Positive rate (correct classification of malicious apps) when older models were tested on newer app samples

Deep learning guided Android malware and anomaly detection

In the past decade, the cyber-crime related to mobile devices has increased. Mobile devices, especially the ones running on Android operating system are particularly interesting to malware creators, as the users often keep the biggest amount of personal information on their mobile devices, such as their contacts, social media profiles, emails, and bank accounts. Both dynamic and static malware analysis is necessary to prevent and detect malware, as both techniques have their benefits and shortcomings. In this paper, we propose a deep learning technique that relies on LSTM and encoder-decoder neural network architectures for dynamic malware analysis based on CPU, memory and battery usage. The proposed system is able to detect and notify users about anomalies in system that is likely consequence of malware behaviour. The method was implemented as a part of OWASP Seraphimdroids anti-malware mechanism and notifies users about anomalies on their devices. The method proved to perform with an F1-score of 79.2%.Comment: First (draft) version of the pape

Overview of machine learning methods for Android malware identification

Mobile malware is growing and affecting more and more mobile users around the world. Malicious developers and organisations are disguising their malware payloads on apparently benign applications and pushing them to large app stores, such as Google Play Store, and from there to final users. App stores are currently losing the battle against malicious applications proliferation and existing malware. Detection methods based on signatures, such as those of an antivirus, are limited, new approaches based on machine learning start to be explored to surpass the limitations of traditional mobile malware detection methods, analysing not only static characteristics of the app but also its behaviour. This paper contains an overview of the existing machine learning mobile malware detection approaches based on static, dynamic and hybrid analysis, presenting the advantages and limitations of each, and a comparison between the reviewed methods.info:eu-repo/semantics/acceptedVersio

N-opcode Analysis for Android Malware Classification and Categorization

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Malware detection is a growing problem particularly on the Android mobile platform due to its increasing popularity and accessibility to numerous third party app markets. This has also been made worse by the increasingly sophisticated detection avoidance techniques employed by emerging malware families. This calls for more effective techniques for detection and classification of Android malware. Hence, in this paper we present an n-opcode analysis based approach that utilizes machine learning to classify and categorize Android malware. This approach enables automated feature discovery that eliminates the need for applying expert or domain knowledge to define the needed features. Our experiments on 2520 samples that were performed using up to 10-gram opcode features showed that an f-measure of 98% is achievable using this approach

Malware Analysis and Detection on Android: The Big Challenge

The popularization of the use of mobile devices, such as smartphones and tablets, has accelerated in recent years, as these devices have experienced a reduction in cost together with an increase in functionality and services availability. In this context, due to its openness and free availability, Android operating system (OS) has become not only a major stakeholder in the market of mobile devices but has also become an attractive target for cybercriminals. In this chapter, we advocate to present some current trends and results in the Android malware analysis and detection research area. We start by briefly describing the Android’s security model, followed by a discussion of the static and dynamic malware analysis techniques in order to provide a general view of the analysis and detection process to the reader. After that, a description of a particular set of software developments, which exemplify some of the discussed techniques, is presented accompanied by a set of practical results. Finally, we draw some conclusions about the future development of the Android malware analysis area. The main contribution of this chapter is a description of the realization of static and dynamic malware analysis techniques and principles that can be automated and mapped to software system tools in order to simplify analyses. Moreover, some details about the use of machine learning algorithms for malware classifications and the use of the hooking software techniques for dynamic analysis execution are provided

BarkDroid: Android Malware Detection Using Bark Frequency Cepstral Coefficients

Since their inaugural releases in 2007, Google’s Android and Apple’s iOS have grown to dominate the mobile OS market share. Currently, they jointly possess over 99% of the global market share with Android being the leading mobile Operating System of choice worldwide, controlling close to 70% of the market share. Mobile devices have enabled the exponential growth of a plethora of mobile applications that play key roles in enabling many use cases that are pivotal in our daily lives. On the other hand, access to a large pool of potential end users is available to both legitimate and nefarious applications, thus making mobile devices a burgeoning target of malicious applications. Current malware detection solutions rely on tedious, time-consuming, knowledge-based, and manual processes to identify malware. This paper presents BarkDroid, a novel Android malware detection technique that uses the low-level Bark Frequency Cepstral Coefficients audio features to detect malware. The results obtained outperform results obtained using other features on the same datasets. BarkDroid achieved 97.9% accuracy, 98.5% precision, an F1 score of 98.6%, and shorter execution times

Static and Dynamic Analysis for Android Malware Detection

Static analysis relies on features extracted without executing code, while dynamic analysis extracts features based on code execution (or emulation). In general, static analysis is more e cient, while static analysis is often more informative, particularly in cases of highly obfuscated code. Static analysis of an Android application can rely on features extracted from the manifest le or the Java bytecode, while dynamic analysis of Android applications can deal with features involving dynamic code loading and system calls that are collected while the application is running. In this research, we analyzed the e ectiveness of combining static and dynamic features for detecting Android malware using machine learning techniques . We also carefully analyze the robustness of our scoring technique

Feature selection for malicious android applications using Symmetrical Uncert Attribute Eval method

The fast growth of tablets, smartphones has led to increase the usage of mobile applications. The Android apps have more popularity, however, the applications downloaded from third-party markets could be malware that may threaten the users' privacy. Several works used techniques to detect normal apps from malicious apps based on mining requested permissions. However, there are some set of permissions that can occur in benign and malignant applications. Redundant features could reduce the detection rate and increase the false positive rate. In this paper, we have proposed feature selection methods to identify clean and malicious applications based on selecting a set combination of permission patterns using different classification algorithms such as sequential minimal optimization (SMO), decision Tree (J48) and Naive Bayes. The experimental results show that sequential minimal optimization (SMO) combining with SymmetricalUncertAttributeEval method achieved the highest accuracy rate of 0.88, with lowest false positive rate of 0.085 and highest precision of 0.910. And the findings prove that feature selection methods enhanced the result of classification

Dynalog: An Automated Dynamic Analysis Framework for Characterizing Android Applications

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Android is becoming ubiquitous and currently has the largest share of the mobile OS market with billions of application downloads from the official app market. It has also become the platform most targeted by mobile malware that are becoming more sophisticated to evade state-of-the-art detection approaches. Many Android malware families employ obfuscation techniques in order to avoid detection and this may defeat static analysis based approaches. Dynamic analysis on the other hand may be used to overcome this limitation. Hence in this paper we propose DynaLog, a dynamic analysis based framework for characterizing Android applications. The framework provides the capability to analyse the behaviour of applications based on an extensive number of dynamic features. It provides an automated platform for mass analysis and characterization of apps that is useful for quickly identifying and isolating malicious applications. The DynaLog framework leverages existing open source tools to extract and log high level behaviours, API calls, and critical events that can be used to explore the characteristics of an application, thus providing an extensible dynamic analysis platform for detecting Android malware. DynaLog is evaluated using real malware samples and clean applications demonstrating its capabilities for effective analysis and detection of malicious applications