    Analyzing Android Adware

    Most Android smartphone apps are free; to generate revenue, app developers embed ad libraries so that advertisements are displayed while the app is in use. Billions of dollars are lost annually to ad fraud. In this research, we propose a machine learning based scheme to detect Android adware from static and dynamic features. Static features are collected from the manifest file, while dynamic features are obtained from network traffic. Using these features, we first classify Android applications into broad categories (e.g., adware and benign) and then further classify each application into a more specific family. We employ a variety of machine learning techniques, including neural networks, random forests, AdaBoost and support vector machines.

    Performance Analysis of Machine Learning Algorithms for Malware Detection Using the CICMalDroid2020 Dataset

    Access to information has become easier in parallel with advances in technology. Although this has had a positive effect on our lives, it is an unavoidable fact that information has itself become a target. The theft of information by malicious actors, and its use as a means of threat, has raised concerns about information security. Malicious software developed for these purposes poses a major danger to the security of information. Faced with this situation, which grows as access to information becomes easier, researchers have accelerated their work on detecting and blocking malware and on ensuring information security. The literature shows that malware detection has been carried out in a variety of studies. In this study, malware detection was performed using the WEKA program. In analyses carried out on the CICMalDroid2020 dataset, the effects of different machine learning classifiers, of feature extraction, and of the parameters that influence the performance of the best-performing classifier were examined. The results are reported in detail.

    Analysis of Mobile Malware: A Systematic Review of Evolution and Infection Strategies

    The open-source nature and popularity of Android attract attackers and have multiplied security concerns targeting devices. As such, malware attacks on Android are one of the security challenges facing society. This paper presents an analysis of mobile malware evolution between 2000 and 2020. The paper presents mobile malware types and the in-depth infection strategies malware deploys to infect mobile devices. Accordingly, the factors that restricted the fast spread of early malware and those that enhance the fast propagation of recent malware are identified. Moreover, the paper discusses and classifies mobile malware based on privilege escalation and attack goals. Based on the reviewed survey papers, our research presents recommendations in the form of measures to cope with emerging security threats posed by malware and thus decrease threats and malware infection rates. Finally, we identify the need for a critical analysis of mobile malware frameworks to identify their weaknesses and strengths in order to develop a more robust, accurate, and scalable tool from an Android detection standpoint. The survey results facilitate the understanding of mobile malware evolution and the infection trend. They also help mobile malware analysts to understand the current evasion techniques mobile malware deploys.

    Malware detection in android applications with machine learning techniques

    Dissertation submitted for the degree of Master in Informatics and Computer Engineering.
    The presence of malicious software (malware), for example in Android applications (apps), has harmful or irreparable consequences for the user and/or the device. Despite the protections app stores provide to restrict apps containing malware, it keeps growing both in sophistication and diffusion. In this work, we explore the use of Machine Learning (ML) techniques to detect malware in Android apps. The focus is on the study of different data pre-processing, dimensionality reduction, and classification techniques, assessing the generalisation ability of the learned models using standard and public-domain datasets. From the literature and our own experimental results, it can be concluded that the classifiers that achieve the best performance in Android malware detection are the Support Vector Machine (SVM) and Random Forest (RF). We also emphasise Feature Selection (FS), which reduces the data's dimensionality and identifies the most relevant features in Android malware classification. Different evaluation metrics are applied to the learned model and compared against the experimental results found in the literature. The final goal of this study was the development of a prototype that resorts to ML techniques to detect malware in Android apps. Our approach is able to identify the most relevant features to classify an app as malicious. Namely, we conclude that permissions play a prominent role in Android malware detection. The proposed approach reduced the data dimensionality while achieving high accuracy in identifying malware in Android apps.
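Both the adware paper above (static features taken from the manifest) and this dissertation (permissions as the most decisive features, selected by a feature-selection step) rest on the same first step: turning AndroidManifest.xml into a permission feature vector and scoring each permission against the class label. The following is an added example written for this page; it is not code from either paper. It assumes the manifest has already been decoded from binary AXML to plain XML (as apktool or androguard do), and the six manifests and their benign/malware labels are constructed toy data, not a real dataset. Ranking is by information gain, one common filter criterion; the papers do not say which selector they used.

```python
"""Permission features from a decoded AndroidManifest.xml, ranked by information gain.

Added example (not code from either paper). Assumes the manifest is already
plain XML, not binary AXML. Manifests and labels below are constructed toy data.
"""
import math
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def manifest_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)  # android:name attribute
        if name:
            perms.add(name)
    return perms


def build_feature_matrix(samples):
    """samples: list of (manifest_xml, label).
    Returns (vocab, rows, labels): one 0/1 row per app over the sorted
    permission vocabulary, which is the static feature matrix fed to a classifier."""
    perm_sets = [manifest_permissions(xml) for xml, _ in samples]
    vocab = sorted(set().union(*perm_sets))
    rows = [[1 if p in s else 0 for p in vocab] for s in perm_sets]
    labels = [label for _, label in samples]
    return vocab, rows, labels


def entropy(labels):
    n = len(labels)
    return -sum((c / n) * math.log2(c / n) for c in Counter(labels).values())


def information_gain(column, labels):
    """Information gain of one binary feature with respect to the class label."""
    n = len(labels)
    gain = entropy(labels)
    for value in (0, 1):
        subset = [lbl for x, lbl in zip(column, labels) if x == value]
        if subset:
            gain -= len(subset) / n * entropy(subset)
    return gain


def rank_permissions(vocab, rows, labels):
    """Rank permissions by information gain, highest first (ties broken by name)."""
    scored = []
    for j, perm in enumerate(vocab):
        column = [row[j] for row in rows]
        scored.append((information_gain(column, labels), perm))
    scored.sort(key=lambda t: (-t[0], t[1]))
    return scored


def select_top(vocab, rows, labels, k):
    """The feature-selection step: names of the k most informative permissions."""
    return [perm for _, perm in rank_permissions(vocab, rows, labels)[:k]]


def _manifest(package, perms):
    """Build a minimal decoded manifest (constructed test data)."""
    body = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="%s" package="%s">%s<application/></manifest>'
            % (ANDROID_NS, package, body))


P = "android.permission."
SAMPLES = [  # constructed: three benign apps, three malware apps
    (_manifest("com.example.calc", [P + "INTERNET"]), "benign"),
    (_manifest("com.example.notes", [P + "INTERNET", P + "WRITE_EXTERNAL_STORAGE"]), "benign"),
    (_manifest("com.example.weather", [P + "INTERNET", P + "ACCESS_FINE_LOCATION"]), "benign"),
    (_manifest("com.evil.sms", [P + "INTERNET", P + "SEND_SMS", P + "READ_PHONE_STATE"]), "malware"),
    (_manifest("com.evil.spy", [P + "INTERNET", P + "READ_SMS", P + "READ_PHONE_STATE",
                                P + "ACCESS_FINE_LOCATION"]), "malware"),
    (_manifest("com.evil.boot", [P + "SEND_SMS", P + "READ_PHONE_STATE",
                                 P + "RECEIVE_BOOT_COMPLETED"]), "malware"),
]

if __name__ == "__main__":
    vocab, rows, labels = build_feature_matrix(SAMPLES)
    for gain, perm in rank_permissions(vocab, rows, labels):
        print("%.3f  %s" % (gain, perm))
```

On this toy set READ_PHONE_STATE separates the classes perfectly (gain 1.0), SEND_SMS comes second, and ACCESS_FINE_LOCATION scores zero because it appears equally in both classes; INTERNET, requested by almost everything, scores low despite being the most common permission, which is the usual reason permission-only models need a selection step before training an SVM or random forest. The caveat a practitioner should keep in mind is that declared permissions are trivially cheap for malware authors to change, so a model that leans on them alone is easy to evade.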

    Detecting Privacy Leaks Through Existing Android Frameworks

    The Android application ecosystem has thrived, with hundreds of thousands of applications (apps) available to users; however, not all of them are safe or privacy-friendly. Analyzing these many apps for malicious behaviors is an important but challenging area of research, as malicious apps tend to use prevalent stealth techniques, e.g., encryption, code transformation, and other obfuscation approaches, to bypass detection. Academic researchers and security companies have realized that traditional signature-based and static analysis methods are inadequate to deal with this evolving threat. In recent years, a number of static and dynamic code analysis proposals for analyzing Android apps have been introduced in academia and in the commercial world. Moreover, as a single detection approach may be ineffective against advanced obfuscation techniques, multiple frameworks for privacy leakage detection have been shown to yield better results when used in conjunction. In this dissertation, our contribution is two-fold. First, we organize 32 of the most recent and promising privacy-oriented proposals on Android app analysis into two categories: static and dynamic analysis. For each category, we survey the state-of-the-art proposals and provide a high-level overview of the methodology they rely on to detect privacy-sensitive leakages and app behaviors. Second, we choose one popular proposal from each category to analyze and detect leakages in 5,000 Android apps. Our toolchain setup consists of IntelliDroid (static) to find and trigger sensitive API (Application Programming Interface) calls in target apps, and leverages TaintDroid (dynamic) to detect leakages in these apps. We found that about 33% of the tested apps leak privacy-sensitive information over the network (e.g., IMEI, location, UDID), which is consistent with existing work.
    Furthermore, we highlight the efficiency of combining IntelliDroid and TaintDroid in comparison with Android Monkey and TaintDroid as used in most prior work. We report an overall increase in the frequency of leakage of identifiers. This increase may indicate that IntelliDroid is a better approach than Android Monkey.

    An analysis of android malware classification services

    The increasing number of Android malware samples has forced antivirus (AV) companies to rely on automated classification techniques to determine the family and class of suspicious samples. The research community relies heavily on such labels to carry out prevalence studies of the threat ecosystem and to build datasets that are used to validate and benchmark novel detection and classification methods. In this work, we carry out an extensive study of the Android malware ecosystem by surveying white papers and reports from 6 key players in the industry, as well as 81 papers from 8 top security conferences, to understand how malware datasets are used by both. We then explore the limitations associated with the use of available malware classification services, namely VirusTotal (VT) engines, for determining the family of an Android sample. Using a dataset of 2.47 M Android malware samples, we find that the detection coverage of VT's AVs is generally very low, that the percentage of samples flagged by any 2 AV engines does not go beyond 52%, and that the share of families common to any pair of AV engines is at best 29%. We rely on clustering to determine the extent to which different AV engine pairs agree upon which samples belong to the same family (regardless of the actual family name) and find discrepancies that can introduce noise into automatic label unification schemes. We also observe the use of generic labels and inconsistencies within the labels of top AV engines, suggesting that their efforts are directed towards accurate detection rather than classification. Our results contribute to a better understanding of the limitations of using Android malware family labels as supplied by common AV engines.
    This work has been supported by the "Ramon y Cajal" Fellowship RYC-2020-029401.
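The three measurements the abstract above describes (how many samples a pair of engines both flag, how often the two engines agree on the family name, and how often they agree on which samples belong together when names are ignored) can be computed from a VirusTotal-style per-engine label table. The following is an added example written for this page, not the paper's pipeline. The engines, sample ids and labels are constructed toy data, and GENERIC_TOKENS is an assumed list of class words (trojan, adware, generic, ...) that is stripped before family names are compared; a real study needs a far more careful label normaliser than this one-line rule.

```python
"""Pairwise agreement of AV family labels, VirusTotal-style.

Added example, not the paper's tooling. Scan results, engine names and
GENERIC_TOKENS are constructed assumptions for illustration.
"""
import re
from itertools import combinations

GENERIC_TOKENS = {"android", "androidos", "trojan", "adware", "riskware", "malware",
                  "generic", "gen", "variant", "agent", "a", "b", "c", "d"}


def family_token(label):
    """Crude normalisation: lower-case, split on punctuation, drop generic
    tokens, keep the first remaining token. None if nothing specific is left,
    i.e. the engine only gave a generic label."""
    if not label:
        return None
    tokens = [t for t in re.split(r"[^a-z0-9]+", label.lower()) if t]
    specific = [t for t in tokens if t not in GENERIC_TOKENS and not t.isdigit()]
    return specific[0] if specific else None


def detection_coverage(scans, engine):
    """Fraction of samples the engine flags at all."""
    return sum(1 for s in scans.values() if s.get(engine)) / len(scans)


def both_flagged(scans, e1, e2):
    """Fraction of samples flagged by both engines."""
    return sum(1 for s in scans.values() if s.get(e1) and s.get(e2)) / len(scans)


def family_agreement(scans, e1, e2):
    """Among samples both engines flag, the fraction whose normalised family
    names match. A generic-only label on either side never counts as a match."""
    both = [s for s in scans.values() if s.get(e1) and s.get(e2)]
    if not both:
        return 0.0
    hits = sum(1 for s in both
               if family_token(s[e1]) is not None
               and family_token(s[e1]) == family_token(s[e2]))
    return hits / len(both)


def _together(s, t, engine):
    """Does this engine put samples s and t in the same (non-generic) family?"""
    f1, f2 = family_token(s[engine]), family_token(t[engine])
    return f1 is not None and f1 == f2


def name_free_agreement(scans, e1, e2):
    """Rand-index style agreement: over pairs of samples both engines flag, do
    the engines agree on whether the pair shares a family, whatever it is called?"""
    both = [s for s in scans.values() if s.get(e1) and s.get(e2)]
    pairs = list(combinations(both, 2))
    if not pairs:
        return 0.0
    agree = sum(1 for s, t in pairs if _together(s, t, e1) == _together(s, t, e2))
    return agree / len(pairs)


def agreement_report(scans, engines):
    """All three pairwise measures for every pair of engines."""
    return {
        (e1, e2): {
            "both_flagged": both_flagged(scans, e1, e2),
            "family_agreement": family_agreement(scans, e1, e2),
            "name_free_agreement": name_free_agreement(scans, e1, e2),
        }
        for e1, e2 in combinations(engines, 2)
    }


ENGINES = ["EngA", "EngB", "EngC"]
SCANS = {  # constructed: sample id -> engine -> label (None = not detected)
    "s1": {"EngA": "Android.Trojan.Anubis.a", "EngB": "Trojan.AndroidOS.Anubis.b", "EngC": "Android/Generic.A"},
    "s2": {"EngA": "Android.Trojan.Anubis.c", "EngB": "Trojan.AndroidOS.Anubis.a", "EngC": None},
    "s3": {"EngA": "Adware.Android.Ewind.b", "EngB": "Adware.AndroidOS.Ewind", "EngC": "Android/Ewind.B"},
    "s4": {"EngA": "Android.Trojan.Cerberus.a", "EngB": "Trojan.AndroidOS.Anubis.d", "EngC": "Android/Cerberus.A"},
    "s5": {"EngA": None, "EngB": "Riskware.AndroidOS.Agent.a", "EngC": "Android/Generic.B"},
    "s6": {"EngA": "Android.Adware.Ewind.c", "EngB": None, "EngC": None},
}

if __name__ == "__main__":
    for e in ENGINES:
        print("%s coverage %.2f" % (e, detection_coverage(SCANS, e)))
    for pair, stats in agreement_report(SCANS, ENGINES).items():
        print(pair, {k: round(v, 2) for k, v in stats.items()})
```

The toy table reproduces the three effects the abstract reports: EngC flags fewer samples than the others, the name-level agreement between EngB and EngC collapses to 25% because EngC hands out generic labels and the two disagree on s4, and the name-free measure is higher than the name-level one for every pair, which is why a study that only compares normalised family strings underestimates how often engines actually cluster samples the same way. Whichever normaliser is used, samples whose labels reduce to a generic token should be treated as "unknown family" rather than as one large shared family, as _together does above.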