
    Permission based Mobile Malware Detection System using Machine Learning Techniques

    Mobile technology has grown dramatically around the world. Smart mobile devices are now ubiquitous and serve many purposes: personal communication, data storage, multimedia and entertainment. They have become an important part of daily life, and implementing secure mobile and wireless networks is crucial for enterprises operating in an Internet-based business environment. Because mobile market share has grown significantly in the past few years, mobile security needs attention. It can be compromised by design flaws, vulnerabilities and protocol failures in mobile applications, as well as by viruses, spyware, malware and other threats. This paper focuses on mobile malware. Many tools are available to detect malware, but a newer research direction in mobile security is to inform users about an app before they install it from the app store. We therefore propose a permission-based mobile malware detection system built on static analysis. It has three major parts: (1) a signature database that stores the analysis results from training and testing; (2) an Android client used by end users to submit analysis requests; and (3) a central server that communicates with both the signature database and the smartphone client and manages the whole analysis process. The system alerts the user whether the app is malicious or benign, and the user then decides whether to continue with it.
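As an added example (not code from the paper above), the following Python sketch shows how such a permission-based static analysis can work end to end: permissions are extracted from a decoded AndroidManifest.xml, a Bernoulli naive Bayes model trained on a small constructed labelled set scores them, and a signature database caches verdicts keyed by a hash of the permission set, standing in for the paper's server-side analysis store. The manifests, training set, package names and the naive Bayes choice are all assumptions for illustration, not the paper's model.

```python
import hashlib
import math
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
P = "android.permission."  # shorthand for the constructed training set

# Constructed decoded manifests (the form apktool produces); hypothetical package names.
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <application android:label="Flashlight"/>
</manifest>"""

TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight.pro">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight Pro"/>
</manifest>"""

# Constructed labelled set: (permission set, is_malware). A real system trains on thousands of apps.
TRAINING_SET = [
    ({P + "INTERNET", P + "ACCESS_NETWORK_STATE"}, False),
    ({P + "CAMERA", P + "VIBRATE"}, False),
    ({P + "INTERNET", P + "ACCESS_FINE_LOCATION"}, False),
    ({P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"}, False),
    ({P + "INTERNET", P + "VIBRATE", P + "WAKE_LOCK"}, False),
    ({P + "SEND_SMS", P + "READ_SMS", P + "RECEIVE_SMS", P + "INTERNET"}, True),
    ({P + "SEND_SMS", P + "READ_PHONE_STATE", P + "RECEIVE_BOOT_COMPLETED"}, True),
    ({P + "READ_CONTACTS", P + "SEND_SMS", P + "INTERNET", P + "READ_PHONE_STATE"}, True),
    ({P + "RECEIVE_SMS", P + "READ_SMS", P + "INTERNET", P + "RECEIVE_BOOT_COMPLETED"}, True),
    ({P + "READ_PHONE_STATE", P + "INTERNET", P + "SYSTEM_ALERT_WINDOW"}, True),
]


def extract_permissions(manifest_xml):
    """Static-analysis step: collect every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission"))
    return frozenset(n for n in names if n)


class PermissionNB:
    """Bernoulli naive Bayes over permission presence/absence with Laplace smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha, self.vocab = alpha, ()
        self.n = {False: 0, True: 0}            # apps per class
        self.counts = {False: {}, True: {}}     # per-class count of apps requesting each permission

    def fit(self, samples):
        vocab = set()
        for perms, is_mal in samples:
            self.n[is_mal] += 1
            for p in perms:
                self.counts[is_mal][p] = self.counts[is_mal].get(p, 0) + 1
            vocab |= perms
        self.vocab = tuple(sorted(vocab))       # permissions unseen in training carry no evidence
        return self

    def _log_joint(self, perms, is_mal):
        n, a = self.n[is_mal], self.alpha
        total = math.log(n / (self.n[False] + self.n[True]))   # class prior
        for p in self.vocab:
            prob = (self.counts[is_mal].get(p, 0) + a) / (n + 2 * a)
            total += math.log(prob if p in perms else 1 - prob)
        return total

    def p_malware(self, perms):
        lm, lb = self._log_joint(perms, True), self._log_joint(perms, False)
        return 1.0 / (1.0 + math.exp(lb - lm))


def permission_signature(perms):
    """Key for the signature database: hash of the sorted permission set."""
    return hashlib.sha256("\n".join(sorted(perms)).encode()).hexdigest()


class SignatureDB:
    """Stores analysis results so repeated requests for the same permission set are not re-scored."""

    def __init__(self):
        self._rows = {}

    def lookup(self, sig):
        return self._rows.get(sig)

    def store(self, sig, verdict):
        self._rows[sig] = verdict


def analyze(manifest_xml, model, db, threshold=0.5):
    perms = extract_permissions(manifest_xml)
    sig = permission_signature(perms)
    cached = db.lookup(sig)
    if cached is not None:
        return dict(cached, cached=True)
    p = model.p_malware(perms)
    verdict = {"signature": sig, "p_malware": round(p, 3), "malicious": p >= threshold,
               "permissions": sorted(perms)}
    db.store(sig, verdict)
    return dict(verdict, cached=False)


def demo():
    model = PermissionNB().fit(TRAINING_SET)
    db = SignatureDB()
    return [analyze(m, model, db) for m in (FLASHLIGHT_MANIFEST, TROJAN_MANIFEST, FLASHLIGHT_MANIFEST)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The trojan manifest is a flashlight that also wants SMS, phone-state and network permissions; the model has seen that combination only in the malicious class, so it scores high, while the unseen FLASHLIGHT permission is simply ignored. The third call returns the cached verdict from the signature database.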

    Android Malware Characterization using Metadata and Machine Learning Techniques

    Android malware has emerged as a consequence of the increasing popularity of smartphones and tablets. While most previous work focuses on inherent characteristics of Android apps to detect malware, this study analyses indirect features and metadata to identify patterns in malware applications. Our experiments show that: (1) the permissions used by an application offer only moderate performance; (2) other features publicly available at Android markets, such as the application developer and certificate issuer, are more relevant in detecting malware; and (3) compact and efficient classifiers can be constructed for the early detection of malware applications prior to code inspection or sandboxing.

    Comment: 4 figures, 2 tables and 8 pages

    Detecting Repackaged Android Applications Using Perceptual Hashing

    The last decade has shown a steady rate of Android device dominance in market share and the emergence of hundreds of thousands of apps available to the public. Because Android applications are easy to reverse engineer, repackaged malicious apps that clone existing code have become a severe problem in the marketplace. This research proposes a novel repackaged-app detection system based on perceptual hashes of vetted Android apps and their associated dynamic user interface (UI) behavior. Results show that an average-hash approach produces 88% accuracy (indicating low false negative and false positive rates) on a sample set of 4878 Android apps, including 2151 repackaged apps. The approach is the first dynamic method proposed in the research community to use image-based hashing, with performance comparable to other known dynamic approaches and the possibility of practical implementation at scale for new applications entering the Android market.
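To make the average-hash idea concrete, here is an added Python example (not the paper's code) that computes an 8x8 average hash of a UI screenshot represented as a grayscale pixel matrix, compares a candidate against a registry of vetted-app hashes by Hamming distance, and flags a repackaged clone whose screen differs only by a small injected overlay and a brightness shift. The screens are constructed gradients, the package names are hypothetical and the 10-bit threshold is an assumption; a real pipeline would capture screenshots from the running app and convert them to grayscale first.

```python
HASH_SIZE = 8    # 8x8 grid -> 64-bit hash
THRESHOLD = 10   # assumed: Hamming distance at or below which two screens count as the same UI


def downscale(img, size=HASH_SIZE):
    """Box-average a grayscale matrix (rows of 0-255 ints) down to a size x size grid."""
    h, w = len(img), len(img[0])
    if h < size or w < size:
        raise ValueError("screenshot smaller than the hash grid")
    grid = []
    for gy in range(size):
        y0, y1 = gy * h // size, (gy + 1) * h // size
        row = []
        for gx in range(size):
            x0, x1 = gx * w // size, (gx + 1) * w // size
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        grid.append(row)
    return grid


def average_hash(img):
    """Average hash: one bit per grid cell, set when the cell is brighter than the grid mean."""
    grid = downscale(img)
    mean = sum(sum(row) for row in grid) / (HASH_SIZE * HASH_SIZE)
    bits = 0
    for row in grid:
        for value in row:
            bits = (bits << 1) | (value > mean)
    return bits


def hamming_distance(a, b):
    return bin(a ^ b).count("1")


def match_vetted(candidate_hash, registry, threshold=THRESHOLD):
    """Return (distance, package) for every vetted app whose UI hash is within threshold."""
    hits = [(hamming_distance(candidate_hash, h), pkg) for pkg, h in registry.items()]
    return sorted(hit for hit in hits if hit[0] <= threshold)


# Constructed 16x16 "screenshots": a vertical gradient (vetted app), a horizontal gradient
# (a different vetted app) and a clone of the first with a brightness shift plus a dark
# 2x2 overlay in one corner, standing in for an injected ad or watermark.
def vetted_screen():
    return [[16 * y + x for x in range(16)] for y in range(16)]


def other_app_screen():
    return [[16 * x + y for x in range(16)] for y in range(16)]


def repackaged_screen():
    img = [[min(255, p + 10) for p in row] for row in vetted_screen()]
    for y in (14, 15):
        for x in (0, 1):
            img[y][x] = 0
    return img


VETTED_REGISTRY = {  # hypothetical package names -> hash of their vetted UI
    "com.example.bank": average_hash(vetted_screen()),
    "com.example.weather": average_hash(other_app_screen()),
}

if __name__ == "__main__":
    for name, screen in (("clone", repackaged_screen()), ("other", other_app_screen())):
        print(name, match_vetted(average_hash(screen), VETTED_REGISTRY))
```

The brightness shift does not change the hash at all, because every cell moves with the mean; only the overlaid corner flips a bit, so the clone sits one bit from the vetted app while the unrelated gradient sits 32 bits away. That insensitivity to global changes is what makes perceptual hashes suit this task, and also why an attacker who restructures the whole layout defeats them.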

    An Adaptive Feature Centric XG Boost Ensemble Classifier Model for Improved Malware Detection and Classification

    Machine learning (ML) is often used for malware detection and classification, and many ML approaches have been adapted to the problem, yet they still perform poorly because of how features are selected and classified. To address this, an Adaptive Feature Centric XGBoost Ensemble Learner Classifier, "AFC-XG Boost", is presented in this paper. The proposed model is designed to handle varying malware detection data sets obtained from Kaggle. It splits the XGBoost classification process into several stages to optimize performance. In the preprocessing stage, the data set is de-noised, normalized and cleaned of tampered records with the Feature Base Optimizer (FBO) algorithm, which normalizes data points and removes noise according to feature values and their base information. The standard XGBoost is then optimized with feature selection by the Class Based Principal Component Analysis (CBPCA) algorithm, which selects features according to their fitness for the different classes. From the selected features, the method generates a regression tree for each feature considered and classifies by computing Tree Level Ensemble Similarity (TLES) and Class Level Ensemble Similarity (CLES); from both it computes a Class Match Similarity (CMS), on which the malware classification is based. The proposed approach achieves 97% accuracy in malware detection and classification with a low time cost of 34 seconds for 75,000 samples.

    The Paradox of Choice: Investigating Selection Strategies for Android Malware Datasets Using a Machine-learning Approach

    The increase in the number of mobile devices that use the Android operating system has attracted the attention of cybercriminals who want to disrupt them or gain unauthorized access to them through malware infections. To counter such malware, cybersecurity experts and researchers require datasets of malware samples that most available antivirus software cannot detect. However, researchers have rarely discussed how to identify evolving Android malware characteristics across different sources. In this paper, we analyze a wide variety of Android malware datasets to determine the more discriminative features, such as permissions and intents. We then apply machine-learning techniques to samples collected from the different datasets, grouped by the similarity of the acquired features. We perform random sampling on each cluster of collected datasets to check whether antivirus software can detect the sample. We also discuss some common pitfalls in selecting datasets. Our findings benefit firms by serving as an exhaustive source of information about the leading Android malware datasets.

    Rapid Android Parser for Investigating DEX Files (RAPID)

    Android malware is a well-known, challenging problem, and many researchers, vendors and practitioners have tried to address it through application analysis techniques. To analyze Android applications, tools decompress APK files and extract the relevant data from the Dalvik EXecutable (DEX) files. To acquire that data, investigators either use the decompiled intermediate code generated by existing tools such as Baksmali or Dex2jar, or write their own parsers and disassemblers. They therefore either spend additional time decompiling the application into an intermediate representation and then parsing text files, or reinvent the wheel by implementing their own parsers. In this article, we present the Rapid Android Parser for Investigating DEX files (RAPID), an open-source and easy-to-use Java library for parsing DEX files. RAPID comes with well-documented APIs that allow users to query data directly from the DEX binary files. Our experiments reveal that RAPID outperforms existing approaches in runtime efficiency, provides better reliability (it does not crash) and can support dynamic analysis by finding critical offsets. Notably, the processing time for our sample set of 22.35 GB was only 1.5 h with RAPID, while the traditional approaches needed about 23 h (parsing and querying).
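RAPID itself is a Java library; the added Python example below (not RAPID's code) shows what querying the DEX binary directly involves: parsing the 0x70-byte header with struct, verifying the Adler-32 checksum and SHA-1 signature that cover the rest of the file, walking string_ids to the string_data_item offsets, decoding the MUTF-8 strings and reporting the file offsets of API names on a watchlist. The sample DEX is built in code and contains only a header and a string table (no map_list, classes or code), so it is not loadable by the runtime; the string contents and the watchlist are constructed for illustration.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\x00"
HEADER_FMT = "<8sI20s20I"                    # magic, checksum, signature, then 20 u4 fields
HEADER_SIZE = struct.calcsize(HEADER_FMT)    # 0x70
ENDIAN_CONSTANT = 0x12345678
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)

# Constructed string table and watchlist of API names an analyst might search for.
SAMPLE_STRINGS = ("Landroid/telephony/SmsManager;", "sendTextMessage", "Lcom/example/Main;")
WATCHLIST = {"sendTextMessage", "getDeviceId", "getSubscriberId"}


def encode_uleb128(value):
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_uleb128(blob, off):
    """Decode a DEX uleb128 (at most 5 bytes); returns (value, offset after it)."""
    result = shift = 0
    while True:
        b = blob[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7
        if shift > 35:
            raise ValueError("uleb128 longer than 5 bytes")


def parse_header(blob):
    """Parse and validate the header; the checksum covers blob[12:], the signature blob[32:]."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("truncated header")
    magic, checksum, signature, *rest = struct.unpack_from(HEADER_FMT, blob, 0)
    if magic[:4] != b"dex\n" or magic[7:] != b"\x00":
        raise ValueError("bad magic")
    hdr = dict(zip(HEADER_FIELDS, rest))
    hdr["version"] = magic[4:7].decode()
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        raise ValueError("unsupported endianness")
    if hdr["file_size"] != len(blob):
        raise ValueError("file_size does not match the blob")
    if zlib.adler32(blob[12:]) & 0xFFFFFFFF != checksum:
        raise ValueError("adler32 checksum mismatch (file modified or corrupt)")
    if hashlib.sha1(blob[32:]).digest() != signature:
        raise ValueError("sha1 signature mismatch")
    return hdr


def read_string_ids(blob, hdr):
    """Follow each string_id to its string_data_item; returns [(data offset, text), ...]."""
    out = []
    for i in range(hdr["string_ids_size"]):
        (data_off,) = struct.unpack_from("<I", blob, hdr["string_ids_off"] + 4 * i)
        if data_off >= len(blob):
            raise ValueError(f"string_id[{i}] points outside the file")
        utf16_len, p = read_uleb128(blob, data_off)
        raw = blob[p:blob.index(b"\x00", p)]
        # MUTF-8: embedded NUL is encoded as C0 80 and supplementary chars as surrogate pairs.
        text = raw.replace(b"\xc0\x80", b"\x00").decode("utf-8", "surrogatepass")
        if len(text.encode("utf-16-le")) // 2 != utf16_len:
            raise ValueError(f"string_id[{i}] length prefix disagrees with its data")
        out.append((data_off, text))
    return out


def find_api_strings(strings, watchlist=WATCHLIST):
    return [(off, s) for off, s in strings if s in watchlist]


def build_sample_dex(strings=SAMPLE_STRINGS):
    """Construct a header + string table only DEX with a valid checksum and signature."""
    data, ids = bytearray(), []
    data_off = HEADER_SIZE + 4 * len(strings)
    for s in strings:
        ids.append(data_off + len(data))
        utf16_len = len(s.encode("utf-16-le")) // 2
        data += encode_uleb128(utf16_len) + s.encode("utf-8").replace(b"\x00", b"\xc0\x80") + b"\x00"
    string_ids = b"".join(struct.pack("<I", o) for o in ids)
    file_size = HEADER_SIZE + len(string_ids) + len(data)
    fields = [file_size, HEADER_SIZE, ENDIAN_CONSTANT, 0, 0, 0,
              len(strings), HEADER_SIZE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, len(data), data_off]
    body = struct.pack("<20I", *fields) + string_ids + bytes(data)
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return struct.pack("<8sI20s", DEX_MAGIC, checksum, signature) + body


if __name__ == "__main__":
    dex = build_sample_dex()
    header = parse_header(dex)
    print(find_api_strings(read_string_ids(dex, header)))
```

Real files add the type, proto, field, method and class tables and the map_list, which are walked the same way: a size and an offset in the header, fixed-width entries, and offsets into the data section. Validating the checksum first is what keeps a parser of this kind from crashing on a truncated or patched file rather than following a bad offset.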

    Joint malware detection between users and devices through digital signature validation and/or event correlation on Android devices (Detección conjunta de malware entre usuarios y dispositivos a partir de la validación de firmas digitales y/o la correlación de eventos en dispositivos Android)

    (Abstract translated from Spanish; the record's Spanish and English abstracts are merged here.) For detecting malicious software that compromises applications on smartphones running the Android operating system, the conventional controls in use between 2012 and the first half of 2018 require a malware sample in order to perform detection. These security controls run application analysis in the cloud rather than locally on the device. Most are limited to the applications offered in the Google Play Store and, for neutralization to be effective, most of them require special skills that not every Android end user has. This project analyzed these techniques, compared their detection methods and recorded their shortcomings. With the information obtained, an Android application called CAM (Control de Aplicaciones Móviles, Control for Mobile Applications) was designed and implemented to ensure application integrity and check whether applications have been tampered with by malware, through digital signature validation and event correlation. CAM proposes a co-responsibility strategy between mobile application developers and the operating system's user community, based on active defense, so that security becomes an attribute of the system rather than an add-on. Under this strategy, developers and users publish whitelist databases of the main operational events of their applications, which are contrasted with the information those events actually generate, in order to detect and mitigate cyber threats such as espionage, information leakage, identity theft, password theft and remote control of the device through trojans (bots). It also aims to educate users on cybersecurity through the delivery of efficient alerts.

    For this degree work, statistical records of the most used Android versions between 2015 and 2018 were used, and a laboratory of virtual machines was set up to simulate those Android distributions. Their main characteristics and operational events (permissions, signatures and traffic) were examined, and the selected applications were injected with the Meterpreter for Android payload from the Metasploit framework. Indicators of compromise in the infected applications were detected with applications such as Package Info, RL Permissions and Network Connections, among others. These results made possible the development of the CAM platform for Android with a client-server architecture. The CAM platform stores and correlates the valid operational events of legitimate applications in a whitelist and then provides the user with an efficient report that lets them identify and avoid a mobile application that generates a cyber threat on a smartphone.

    Master's thesis (Magíster en Seguridad Informática)
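As an added example of the signature-validation plus event-correlation idea (not the CAM code), this Python sketch contrasts a developer-published whitelist for one app with what a device observed: the signer certificate fingerprint, the granted permissions and lines from a connection log. A Meterpreter-injected repackage typically shows up as a different signer (the APK had to be re-signed), extra permissions and a connection back to an unknown host, and the correlation turns each into an alert. The whitelist, observations, log line format, package names, certificate bytes and severity rules are all constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-ins for the DER bytes of two signing certificates; a real whitelist would
# publish the SHA-256 of the developer's actual certificate.
DEV_CERT = b"constructed developer signing certificate"
ATTACKER_CERT = b"constructed attacker re-signing certificate"

# Developer-published whitelist for a hypothetical app.
WHITELIST = {
    "package": "com.example.notes",
    "signer_sha256": hashlib.sha256(DEV_CERT).hexdigest(),
    "permissions": {"android.permission.INTERNET", "android.permission.WRITE_EXTERNAL_STORAGE"},
    "hosts": {"sync.example.com"},
}

# Constructed connection-log format: "<package> <proto> <host>:<port> <state>"
CONN_LINE = re.compile(
    r"^(?P<pkg>[\w.]+)\s+(?P<proto>TCP|UDP)\s+(?P<host>[\w.\-]+):(?P<port>\d+)\s+(?P<state>\w+)$")

CLEAN_OBSERVATION = {
    "package": "com.example.notes",
    "signer_sha256": hashlib.sha256(DEV_CERT).hexdigest(),
    "permissions": {"android.permission.INTERNET", "android.permission.WRITE_EXTERNAL_STORAGE"},
    "connections": "com.example.notes TCP sync.example.com:443 ESTABLISHED\n",
}

INJECTED_OBSERVATION = {
    "package": "com.example.notes",
    "signer_sha256": hashlib.sha256(ATTACKER_CERT).hexdigest(),   # repackaged APK was re-signed
    "permissions": {"android.permission.INTERNET", "android.permission.WRITE_EXTERNAL_STORAGE",
                    "android.permission.READ_SMS", "android.permission.RECORD_AUDIO",
                    "android.permission.ACCESS_FINE_LOCATION"},
    "connections": ("com.example.notes TCP sync.example.com:443 ESTABLISHED\n"
                    "com.example.notes TCP 203.0.113.10:4444 ESTABLISHED\n"
                    "garbage line\n"),
}


@dataclass(frozen=True)
class Alert:
    severity: str
    kind: str
    detail: str


def parse_connections(log_text, package):
    """Hosts the package talked to, plus lines the parser could not read (never silently dropped)."""
    hosts, unparsed = set(), []
    for line in log_text.splitlines():
        m = CONN_LINE.match(line.strip())
        if not m:
            unparsed.append(line)
        elif m["pkg"] == package:
            hosts.add(m["host"])
    return hosts, unparsed


def correlate(whitelist, observed):
    """Every deviation from the published whitelist becomes an alert with a constructed severity."""
    alerts = []
    if observed["signer_sha256"] != whitelist["signer_sha256"]:
        alerts.append(Alert("critical", "signer-mismatch", observed["signer_sha256"][:16]))
    for perm in sorted(observed["permissions"] - whitelist["permissions"]):
        alerts.append(Alert("high", "unexpected-permission", perm))
    hosts, unparsed = parse_connections(observed["connections"], observed["package"])
    for host in sorted(hosts - whitelist["hosts"]):
        alerts.append(Alert("high", "unexpected-host", host))
    for line in unparsed:
        alerts.append(Alert("info", "unparsed-log-line", line))
    return alerts


def verdict(alerts):
    severities = {a.severity for a in alerts}
    if "critical" in severities:
        return "compromised"
    if "high" in severities:
        return "suspicious"
    return "trusted"


if __name__ == "__main__":
    for obs in (CLEAN_OBSERVATION, INJECTED_OBSERVATION):
        found = correlate(WHITELIST, obs)
        print(verdict(found), *found, sep="\n  ")
```

The signer check is the strongest signal: an attacker can add permissions that look plausible and route traffic through a benign-looking host, but cannot re-sign the modified APK with the developer's key, so a fingerprint mismatch on its own is enough to call the install compromised.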