DOI: 10.1145/3274694.3274744
Research article (ACSAC conference proceedings)

Improving Accuracy of Android Malware Detection with Lightweight Contextual Awareness

Published: 03 December 2018

Abstract

In Android malware detection, recent work has shown that using contextual information about sensitive API invocations when modeling applications can improve classification accuracy. However, the improvement brought by this context-awareness varies depending on how the information is used in the model. In this paper, we perform a comprehensive study on the effectiveness of using contextual information in prior state-of-the-art detection systems. We find that this information has been "over-used": a large amount of non-essential metadata built into the models weakens the generalizability and longevity of the model, and thus ultimately hurts detection accuracy. On the other hand, we find that the entrypoint of an API invocation has the strongest impact on classification correctness and can further improve accuracy if properly captured. Based on this finding, we design and implement a lightweight, circumstance-aware detection system, named "PIKADROID", that uses only the API invocation and its entrypoint in the model. To extract meaningful entrypoints, PIKADROID applies a set of static analysis techniques to extract and sanitize the reachable entrypoints of a sensitive API, then constructs a frequency model for the classification decision. In the evaluation, we show that this slim model significantly improves detection accuracy on a data set of 23,631 applications, achieving an f-score of 97.41% while maintaining a false positive rate of 0.96%.
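The abstract names the one feature PIKADROID keeps: a sensitive API invocation paired with the entrypoint from which it is reachable, counted into a frequency model. The Python sketch below is an added illustration of that idea, not code from the paper or the PIKADROID system. Its call graph, entrypoint kinds, sensitive-API list and the rule that an entrypoint reaching no sensitive API contributes nothing are all constructed assumptions standing in for the paper's static analysis and sanitization steps, whose details are not on this page. It also computes the context-free (API-only) counts beside the context-aware ones so the difference is visible on the same input.

```python
from collections import Counter, deque

# Constructed sample call graph for one app (caller -> callees). Not from the
# paper; it stands in for what a static analysis would recover from the APK.
SAMPLE_CALL_GRAPH = {
    "MainActivity.onCreate": ["Util.init", "Net.post"],
    "SettingsActivity.onResume": ["Net.post"],
    "BootReceiver.onReceive": ["Svc.start"],
    "Svc.start": ["Svc.collect"],
    "Svc.collect": ["TelephonyManager.getDeviceId", "Net.post", "Svc.start"],  # cycle
    "Util.init": ["Log.d"],
    "Net.post": ["HttpURLConnection.connect"],
    "Dead.helper": ["SmsManager.sendTextMessage"],  # never reached from an entrypoint
}

# Constructed list of sensitive framework APIs (a real system would derive one
# from a permission-to-API map).
SENSITIVE_APIS = {
    "TelephonyManager.getDeviceId",
    "SmsManager.sendTextMessage",
    "HttpURLConnection.connect",
}

# Framework-invoked callbacks of the app, tagged with the entrypoint kind that
# is the only context retained. Constructed for the example.
ENTRYPOINT_KIND = {
    "MainActivity.onCreate": "Activity",
    "SettingsActivity.onResume": "Activity",
    "BootReceiver.onReceive": "BroadcastReceiver",
    "IdleReceiver.onReceive": "BroadcastReceiver",  # reaches no sensitive API
}


def reachable_sensitive_apis(call_graph, entrypoint, sensitive_apis):
    """Breadth-first walk from one entrypoint; returns the sensitive APIs it can reach.
    The visited set makes cycles (Svc.start <-> Svc.collect) terminate."""
    visited = {entrypoint}
    queue = deque([entrypoint])
    found = set()
    while queue:
        node = queue.popleft()
        for callee in call_graph.get(node, ()):
            if callee in sensitive_apis:
                found.add(callee)
            if callee not in visited:
                visited.add(callee)
                queue.append(callee)
    return found


def entrypoint_api_frequencies(call_graph, entrypoint_kinds, sensitive_apis):
    """Count (entrypoint kind, sensitive API) pairs over all entrypoints.
    An entrypoint that reaches no sensitive API contributes nothing; this is an
    assumed, simplified stand-in for the abstract's 'sanitize' step."""
    counts = Counter()
    for entrypoint, kind in entrypoint_kinds.items():
        for api in reachable_sensitive_apis(call_graph, entrypoint, sensitive_apis):
            counts[(kind, api)] += 1
    return counts


def api_only_frequencies(call_graph, entrypoint_kinds, sensitive_apis):
    """Context-free baseline: the same walk, but the entrypoint is thrown away."""
    counts = Counter()
    for entrypoint in entrypoint_kinds:
        for api in reachable_sensitive_apis(call_graph, entrypoint, sensitive_apis):
            counts[api] += 1
    return counts


def build_feature_index(counters):
    """Column mapping from the union of features seen across a corpus of apps."""
    features = sorted({f for c in counters for f in c})
    return {f: i for i, f in enumerate(features)}


def vectorize(counts, feature_index):
    """Dense frequency vector for one app; features unseen at training time are ignored."""
    vector = [0] * len(feature_index)
    for feature, n in counts.items():
        column = feature_index.get(feature)
        if column is not None:
            vector[column] += n
    return vector


if __name__ == "__main__":
    ctx = entrypoint_api_frequencies(SAMPLE_CALL_GRAPH, ENTRYPOINT_KIND, SENSITIVE_APIS)
    flat = api_only_frequencies(SAMPLE_CALL_GRAPH, ENTRYPOINT_KIND, SENSITIVE_APIS)
    index = build_feature_index([ctx])
    print("context-aware:", dict(ctx))
    print("api-only:     ", dict(flat))
    print("vector:       ", vectorize(ctx, index))
```

On the constructed input the API-only counts record that `TelephonyManager.getDeviceId` is reached once and `HttpURLConnection.connect` three times, but lose that the device identifier is only read on a `BroadcastReceiver` path while the activity paths only open a connection; the (kind, API) pairs keep exactly that distinction and nothing more. The classifier trained on the resulting vectors is outside the abstract and is not shown here.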


Published In

ACM Other conferences
ACSAC '18: Proceedings of the 34th Annual Computer Security Applications Conference
December 2018
766 pages
ISBN:9781450365697
DOI:10.1145/3274694
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 December 2018

Author Tags

  1. Android Security
  2. Malware detection

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSAC '18

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Article Metrics

  • Downloads (Last 12 months)42
  • Downloads (Last 6 weeks)1
Reflects downloads up to 30 Aug 2024

Cited By

  • (2024) An Empirical Study on Android Malware Characterization by Social Network Analysis. IEEE Transactions on Reliability 73(1):757-770. DOI 10.1109/TR.2023.3304389. Online publication date: Mar 2024.
  • (2024) DCDroid: An APK Static Identification Method Based on Naïve Bayes Classifier and Dual-Centrality Analysis. IET Information Security 2024(1). DOI 10.1049/2024/6652217. Online publication date: 19 Aug 2024.
  • (2024) FAMCF: A few-shot Android malware family classification framework. Computers & Security 146:104027. DOI 10.1016/j.cose.2024.104027. Online publication date: Nov 2024.
  • (2024) An Android Malware Detection Method Using Better API Contextual Information. Information Security and Cryptology, pp. 24-36. DOI 10.1007/978-981-97-0945-8_2. Online publication date: 25 Feb 2024.
  • (2023) EAODroid: Android Malware Detection Based on Enhanced API Order. Chinese Journal of Electronics 32(5):1169-1178. DOI 10.23919/cje.2021.00.451. Online publication date: Sep 2023.
  • (2023) EAMDM: An Evolved Android Malware Detection Method Using API Clustering. 2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 889-895. DOI 10.1109/TrustCom60117.2023.00127. Online publication date: 1 Nov 2023.
  • (2023) A Novel Android Malware Detection Method with API Semantics Extraction. Computers & Security, 103651. DOI 10.1016/j.cose.2023.103651. Online publication date: Dec 2023.
  • (2022) Detecting resource utilization bugs induced by variant lifecycles in Android. Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 642-653. DOI 10.1145/3533767.3534413. Online publication date: 18 Jul 2022.
  • (2022) FlowCog: Context-aware Semantic Extraction and Analysis of Information Flow Leaks in Android Apps. IEEE Transactions on Mobile Computing, pp. 1-17. DOI 10.1109/TMC.2022.3197638. Online publication date: 2022.
  • (2022) Android malware obfuscation variants detection method based on multi-granularity opcode features. Future Generation Computer Systems 129(C):141-151. DOI 10.1016/j.future.2021.11.005. Online publication date: 1 Apr 2022.
