DOI: 10.1145/3041008.3041010
research-article

EMULATOR vs REAL PHONE: Android Malware Detection Using Machine Learning

Published: 24 March 2017

Abstract

The Android operating system has become the most popular operating system for smartphones and tablets, leading to a rapid rise in malware. Sophisticated Android malware employs detection avoidance techniques in order to hide its malicious activities from analysis tools. These include a wide range of anti-emulator techniques, where the malware programs attempt to hide their malicious activities by detecting the emulator. For this reason, countermeasures against anti-emulation are becoming increasingly important in Android malware detection. Analysis and detection based on real devices can alleviate the problems of anti-emulation as well as improve the effectiveness of dynamic analysis. Hence, in this paper we present an investigation of machine learning based malware detection using dynamic analysis on real devices. A tool is implemented to automatically extract dynamic features from Android phones, and through several experiments a comparative analysis of emulator based vs. device based detection by means of several machine learning algorithms is undertaken. Our study shows that several features could be extracted more effectively from the on-device dynamic analysis compared to emulators. It was also found that approximately 24% more apps were successfully analysed on the phone. Furthermore, all of the studied machine learning based detection methods performed better when applied to features extracted from the on-device dynamic analysis.

Published In

IWSPA '17: Proceedings of the 3rd ACM on International Workshop on Security And Privacy Analytics
March 2017
88 pages
ISBN: 9781450349093
DOI: 10.1145/3041008

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. android
2. anti-analysis
3. anti-emulation
4. device-based detection
5. machine learning
6. malware
7. malware detection

Conference

CODASPY '17

Acceptance Rates

IWSPA '17 Paper Acceptance Rate 4 of 14 submissions, 29%;
Overall Acceptance Rate 18 of 58 submissions, 31%
