DOI: 10.1145/2046614.2046619
Research article

Crowdroid: behavior-based malware detection system for Android

Published: 17 October 2011

Abstract

The sharp increase in the number of smartphones on the market, with the Android platform poised to become a market leader, makes the need for malware analysis on this platform an urgent issue.
In this paper we capitalize on earlier approaches for dynamic analysis of application behavior as a means for detecting malware in the Android platform. The detector is embedded in an overall framework for collection of traces from an unlimited number of real users based on crowdsourcing. Our framework has been demonstrated by analyzing the data collected in the central server using two types of data sets: those from artificial malware created for test purposes, and those from real malware found in the wild. The method is shown to be an effective means of isolating the malware and alerting the users of a downloaded malware. This shows the potential for avoiding the spreading of a detected malware to a larger community.


Published In

SPSM '11: Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
October 2011
96 pages
ISBN: 9781450310000
DOI: 10.1145/2046614
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. anomaly detection
  2. crowdsourcing
  3. data mining
  4. dynamic analysis
  5. intrusion detection
  6. malware detection
  7. smartphone security

Qualifiers

  • Research-article

Conference

CCS'11
Acceptance Rates

Overall Acceptance Rate 46 of 139 submissions, 33%

Cited By

  • (2025) Robust security risk estimation for android apps using nearest neighbor approach and hamming distance. Soft Computing. 10.1007/s00500-025-10489-z. Online publication date: 10-Feb-2025
  • (2024) Explainable AI for Cybersecurity. Advances in Explainable AI Applications for Smart Cities. 10.4018/978-1-6684-6361-1.ch002 (31-97). Online publication date: 18-Jan-2024
  • (2024) Implementing a hybrid Android sandbox for malware analysis. Düzce Üniversitesi Bilim ve Teknoloji Dergisi. 10.29130/dubited.123977912:2 (1114-1125). Online publication date: 29-Apr-2024
  • (2024) DCEL: Classifier Fusion Model for Android Malware Detection. Journal of Systems Engineering and Electronics. 10.23919/JSEE.2024.00001835:1 (163-177). Online publication date: Feb-2024
  • (2024) Navigating Connected Car Cybersecurity: Location Anomaly Detection with RAN Data. 2024 IEEE 99th Vehicular Technology Conference (VTC2024-Spring). 10.1109/VTC2024-Spring62846.2024.10683076 (1-6). Online publication date: 24-Jun-2024
  • (2024) Egret: Reinforcement Mechanism for Sequential Computation Offloading in Edge Computing. IEEE Transactions on Services Computing. 10.1109/TSC.2024.3478826 (1-14). Online publication date: 2024
  • (2024) Android Malware Family Clustering Based on Multiple Features. IEEE Transactions on Reliability. 10.1109/TR.2023.333209073:2 (1202-1215). Online publication date: Jun-2024
  • (2024) Improving Logic Bomb Identification in Android Apps via Context-Aware Anomaly Detection. IEEE Transactions on Dependable and Secure Computing. 10.1109/TDSC.2024.3358979 (1-18). Online publication date: 2024
  • (2024) CrowdFAB: Intelligent Crowd-Forecasting Using Blockchains and its Use in Security. IEEE Transactions on Dependable and Secure Computing. 10.1109/TDSC.2023.332203821:4 (3030-3047). Online publication date: Jul-2024
  • (2024) Security issues on Forensics Applications by Dynamic Malware injection – A Review. 2024 8th International Conference on Electronics, Communication and Aerospace Technology (ICECA). 10.1109/ICECA63461.2024.10800977 (573-579). Online publication date: 6-Nov-2024
