Identifying Android Malware Using Network-Based Approaches

Author(s):  
Emily Alfs ◽  
Doina Caragea ◽  
Nathan Albin ◽  
Pietro Poggi-Corradini

The proliferation of Android apps has resulted in many malicious apps entering the market and causing significant damage. Robust techniques that determine if an app is malicious are greatly needed. We propose the use of a network-based approach to effectively separate malicious from benign apps, based on a small labeled dataset. The apps in our dataset come from the Google Play Store and have been scanned for malicious behavior using VirusTotal to produce a ground truth dataset with labels malicious or benign. The apps in the resulting dataset have been represented using binary feature vectors (where the features represent permissions, intent actions, discriminative APIs, obfuscation signatures, and native code signatures). We have used the feature vectors corresponding to apps to build a weighted network that captures the “closeness” between apps. We propagate labels from the labeled apps to unlabeled apps, and evaluate the effectiveness of the proposed approach using the F1-measure. We have conducted experiments to compare three variants of the label propagation approaches on datasets that include increasingly larger amounts of labeled data. The results have shown that a variant proposed in this study gives the best results overall.

2018 ◽  
Vol 2018 ◽  
pp. 1-12 ◽  
Author(s):  
Jaewoo Shim ◽  
Kyeonghwan Lim ◽  
Seong-je Cho ◽  
Sangchul Han ◽  
Minkyu Park

Unity is the most popular cross-platform development framework to develop games for multiple platforms such as Android, iOS, and Windows Mobile. While Unity developers can easily develop mobile apps for multiple platforms, adversaries can also easily build malicious apps based on the “write once, run anywhere” (WORA) feature. Even though malicious apps were discovered among Android apps written with the Unity framework (Unity apps), little research has been done on analysing the malicious apps. We propose static and dynamic reverse engineering techniques for malicious Unity apps. We first inspect the executable file format of a Unity app and present an effective static analysis technique for the Unity app. Then, we also propose a systematic technique to dynamically analyse the Unity app. Using the proposed techniques, the malware analyst can statically and dynamically analyse Java code, native code in C or C++, and the Mono runtime layer where the C# code is running.


2021 ◽  
Vol 2021 (4) ◽  
pp. 96-116
Author(s):  
Rafa Gálvez ◽  
Veelasha Moonsamy ◽  
Claudia Diaz

In this paper we present LiM (‘Less is More’), a malware classification framework that leverages Federated Learning to detect and classify malicious apps in a privacy-respecting manner. Information about newly installed apps is kept locally on users’ devices, so that the provider cannot infer which apps were installed by users. At the same time, input from all users is taken into account in the federated learning process and they all benefit from better classification performance. A key challenge of this setting is that users do not have access to the ground truth (i.e. they cannot correctly identify whether an app is malicious). To tackle this, LiM uses a safe semi-supervised ensemble that maximizes classification accuracy with respect to a baseline classifier trained by the service provider (i.e. the cloud). We implement LiM and show that the cloud server has an F1 score of 95%, while clients have perfect recall with only 1 false positive in > 100 apps, using a dataset of 25K clean apps and 25K malicious apps, 200 users and 50 rounds of federation. Furthermore, we conduct a security analysis and demonstrate that LiM is robust against both poisoning attacks by adversaries who control half of the clients, and inference attacks performed by an honest-but-curious cloud server. Further experiments with MaMaDroid’s dataset confirm resistance against poisoning attacks and a performance improvement due to the federation.


Author(s):  
Normi Sham Awang Abu Bakar ◽  
Iqram Mahmud

The Android Market is the official (and primary) store for Android applications. The Market provides users with average user ratings, user reviews, descriptions, screenshots, and permissions to help them select applications. Generally, prior to installation of the apps, users need to agree to the permissions requested by the apps; they are not given any other option. Essentially, users may not be aware of some security issues that may arise from the permissions. Some apps request the right to manipulate sensitive data, such as GPS location, photos, calendar, contact, email and files. In this paper, we explain the sources of sensitive data, what the malicious apps can do to the data, and apply the empirical software engineering analysis to find the factors that could potentially influence the permissions in Android apps. In addition, we also highlight the top ten most implemented permissions in Android apps and also analyse the permissions for the app categories in Android.


Information ◽  
2020 ◽  
Vol 11 (1) ◽  
pp. 53
Author(s):  
Jinfang Sheng ◽  
Ben Lu ◽  
Bin Wang ◽  
Jie Hu ◽  
Kai Wang ◽  
...  

The research on complex networks is a hot topic in many fields, among which community detection is a complex and meaningful process, which plays an important role in researching the characteristics of complex networks. Community structure is a common feature in the network. Given a graph, the process of uncovering its community structure is called community detection. Many community detection algorithms from different perspectives have been proposed. Achieving stable and accurate community division is still a non-trivial task due to the difficulty of setting specific parameters, high randomness and lack of ground-truth information. In this paper, we explore a new decision-making method through real-life communication and propose a preferential decision model based on dynamic relationships applied to dynamic systems. We apply this model to the label propagation algorithm and present a Community Detection based on Preferential Decision Model, called CDPD. This model intuitively aims to reveal the topological structure and the hierarchical structure between networks. By analyzing the structural characteristics of complex networks and mining the tightness between nodes, the priority of neighbor nodes is chosen to perform the required preferential decision, and finally the information in the system reaches a stable state. In the experiments, through the comparison of eight comparison algorithms, we verified the performance of CDPD in real-world networks and synthetic networks. The results show that CDPD not only has better performance than most recent algorithms on most datasets, but it is also more suitable for many community networks with ambiguous structure, especially sparse networks.


2020 ◽  
Vol 34 (04) ◽  
pp. 3553-3560 ◽  
Author(s):  
Ze-Sen Chen ◽  
Xuan Wu ◽  
Qing-Guo Chen ◽  
Yao Hu ◽  
Min-Ling Zhang

In multi-view multi-label learning (MVML), each training example is represented by different feature vectors and associated with multiple labels simultaneously. Nonetheless, the labeling quality of training examples tends to be affected by annotation noise. In this paper, the problem of multi-view partial multi-label learning (MVPML) is studied, where the set of associated labels is assumed to consist of candidate labels that are only partially valid. To solve the MVPML problem, a two-stage graph-based disambiguation approach is proposed. Firstly, the ground-truth labels of each training example are estimated by disambiguating the candidate labels with a fused similarity graph. After that, the predictive model for each label is learned from embedding features generated from disambiguation-guided clustering analysis. Extensive experimental studies clearly validate the effectiveness of the proposed approach in solving the MVPML problem.


2017 ◽  
Vol 29 (19) ◽  
pp. e4172 ◽  
Author(s):  
Ming Yang ◽  
Shan Wang ◽  
Zhen Ling ◽  
Yaowen Liu ◽  
Zhenyu Ni

2020 ◽  
Vol 2020 ◽  
pp. 1-21
Author(s):  
Hua Zhang ◽  
Jiawei Qin ◽  
Boan Zhang ◽  
Hanbing Yan ◽  
Jing Guo ◽  
...  

The visual recognition of Android malicious applications (Apps) is mainly focused on the binary classification using grayscale images, while the multiclassification of malicious App families is rarely studied. If we can visualize the Android malicious Apps as color images, we will get more features than using grayscale images. In this paper, a method of color visualization for Android Apps is proposed and implemented. Based on this, combined with deep learning models, a multiclassifier for the Android malicious App families is implemented, which can classify 10 common malicious App families. In order to better understand the behavioral characteristics of malicious Apps, we conduct a comprehensive manual analysis for a large number of malicious Apps and summarize 1695 malicious behavior characteristics as customized features. Compared with the App classifier based on the grayscale visualization method, it is verified that the classifier using the color visualization method can achieve better classification results. We use four types of Android App features: classes.dex file, sets of class names, APIs, and customized features as input for App visualization. According to the experimental results, we find out that using the customized features as the color visualization input features can achieve the highest detection accuracy rate, which is 96% in the ten malicious families.


2016 ◽  
Vol 79 ◽  
pp. 215-220 ◽  
Author(s):  
Pooja Singh ◽  
Pankaj Tiwari ◽  
Santosh Singh

Author(s):  
Siddhant Gupta ◽  
Siddharth Sethi ◽  
Srishti Chaudhary ◽  
Anshul Arora

Android mobile devices are a prime target for a huge number of cyber-criminals as they aim to create malware for disrupting and damaging the servers, clients, or networks. Android malware takes the form of malicious apps that get downloaded on mobile devices via the Play Store or third-party app markets. Such malicious apps pose serious threats like system damage, information leakage, financial loss to the user, etc. Thus, predicting which apps contain malicious behavior will help in preventing malware attacks on mobile devices. Identifying Android malware has become a major challenge because of the ever-increasing number of permissions that applications ask for to enhance the experience of the users. Most of the time, permissions and other features defined in normal and malicious apps are generally the same. In this paper, we aim to detect Android malware using machine learning, deep learning, and natural language processing techniques. To delve into the problem, we use the Android manifest files, which provide us with features like permissions that become the basis for detecting Android malware. We have used the concept of information value for ranking permissions. Further, we have proposed a consensus-based blockchain framework for making more concrete predictions, as blockchains have high reliability and low cost. The experimental results demonstrate that the proposed model gives a detection accuracy of 95.44% with the Random Forest classifier. This accuracy is achieved with the top 45 permissions ranked according to Information Value.

