Skip to main content
SpringerLink
Log in

Detection, Classification and Characterization of Android Malware Using API Data Dependency

  • Conference paper
Book cover Security and Privacy in Communication Networks (SecureComm 2015)

Abstract

With the popularity of Android devices, more and more Android malware are manufactured every year. How to filter out malicious app is a serious problem for app markets. In this paper, we propose DroidADDMiner, an efficient and precise system to detect, classify and characterize Android malware. DroidADDMiner is a machine learning based system that extracts features based on data dependency between sensitive APIs. It extracts API data dependence paths embedded in app to construct feature vectors for machine learning. While DroidSIFT [13] also attempts automated detection of Android applications according to data flow analysis, DroidADDMiner can not only reduce the run time but also characterize malware’s behaviors automatically. We implement DroidADDMiner based on FlowDroid [14] and evaluate it using 5648 malware samples and 14280 benign apps. Experiments show that, for malware detection, DroidADDMiner achieves a 98% detection rate, with a 0.3% false positive rate. For malware classification, the accuracy of classifying malicious apps under their proper family labels is 96%. Although performing data flow analysis, most of the experimental samples can be examined in 60 seconds.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. iPhone market share shrinks as Android, Windows Phone grow. http://www.cnet.com/news/iphone-market-share-shrinks-as-android-windows-phone-grow/

  2. Mobile threat report 2013 q3. F-Secure Response Labs (2013). https://www.f-secure.com/documents/996508/1030743/Mobile_Threat_Report_Q3_2013.pdf

  3. Symantec enterprise. http://www.symantec.com/security_response/landing/azlisting.jsp

  4. Virustotal. https://www.virustotal.com/

  5. Virusshare. http://virusshare.com/

  6. Ad-Aware. http://www.lavasoft.com/

  7. Xiaomi android market. http://app.mi.com/

  8. Anzhi Android market. http://www.anzhi.com/

  9. Android malware genome project. http://www.malgenomeproject.org/

  10. Arp, D., Spreitzenbarth, M., Hbner, M., Gascon, H., Rieck, K., Siemens, C.: Drebin: effective and explainable detection of android malware in your pocket. In: Proceedings of NDSS, February 2014

    Google Scholar 

  11. Yang, C., Xu, Z., Gu, G., Yegneswaran, V., Porras, P.: DroidMiner: automated mining and characterization of fine-grained malicious behaviors in android applications. In: Kutyłowski, M., Vaidya, J. (eds.) ICAIS 2014, Part I. LNCS, vol. 8712, pp. 163–182. Springer, Heidelberg (2014)

    Google Scholar 

  12. Agrawal, R., Srikant, R.: Fast algorithms for mining association rules in large databases. In: Proceedings of the 20th International Conference on Very Large Data Bases, pp. 641–644. Morgan Kaufmann Publishers Inc. (1994)

    Google Scholar 

  13. Zhang, M., Duan, Y., Yin, H., Zhao, Z.: Semantics-aware android malware classification using weighted contextual API dependency graphs. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 1105–1116. ACM, November 2014

    Google Scholar 

  14. Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 29. ACM, June 2014

    Google Scholar 

  15. Fritz, C., Arzt, S., Rasthofer, S., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: Highly precise taint analysis for Android applications. EC SPRIDE, TU Darmstadt, Tech. Rep. (2013)

    Google Scholar 

  16. Lu, L., Li, Z., Wu, Z., Lee, W., Jiang, G.: Chex: statically vetting android apps for component hijacking vulnerabilities. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 229–240. ACM, October 2012

    Google Scholar 

  17. Wei, F., Roy, S., Ou, X.: Amandroid: a precise and general inter-component data flow analysis framework for security vetting of android apps. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 1329–1341. ACM, November 2014

    Google Scholar 

  18. Horwitz, S., Reps, T., Binkley, D.: Interprocedural slicing using dependence graphs. ACM Transactions on Programming Languages and Systems (TOPLAS) 12(1), 26–60 (1990)

    Article  Google Scholar 

  19. Reps, T., Horwitz, S., Sagiv, M.: Precise interprocedural dataflow analysis via graph reachability. In: Proceedings of the 22nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 49–61. ACM, January 1995

    Google Scholar 

  20. Aafer, Y., Du, W., Yin, H.: DroidAPIMiner: mining API-level features for robust malware detection in android. In: Zia, T., Zomaya, A., Varadharajan, V., Mao, M. (eds.) SecureComm 2013. LNICST, vol. 127, pp. 86–103. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  21. Au, K.W.Y., Zhou, Y.F., Huang, Z., Lie, D.: Pscout: analyzing the android permission specification. In: Proceedings of the 2012 ACM conference on Computer and communications security, pp. 217–228. ACM, October 2012

    Google Scholar 

  22. Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 95–109. IEEE, May 2012

    Google Scholar 

  23. Rastogi, V., Chen, Y., Jiang, X.: Droidchameleon: evaluating android anti-malware against transformation attacks. In: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, pp. 329–334. ACM, May 2013

    Google Scholar 

  24. Zheng, M., Lee, P.P.C., Lui, J.C.S.: ADAM: an automatic and extensible platform to stress test android anti-virus systems. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 82–101. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  25. Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., Witten, I.H.: The WEKA data mining software: an update. ACM SIGKDD Explorations Newsletter 11(1), 10–18 (2009)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. State Key Laboratory for Novel Software Technology, Department of Computer Science and Technology, Nanjing University, Nanjing, China

    Yongfeng Li, Tong Shen, Xin Sun, Xuerui Pan & Bing Mao

Authors
  1. Yongfeng Li
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Tong Shen
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Xin Sun
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Xuerui Pan
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Bing Mao
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yongfeng Li .

Editor information

Editors and Affiliations

  1. The University of Texas at Dallas, Richardson, Texas, USA

    Bhavani Thuraisingham

  2. Indiana University at Bloomington, Bloomington, Indiana, USA

    XiaoFeng Wang

  3. SRI International, Menlo Park, California, USA

    Vinod Yegneswaran

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Li, Y., Shen, T., Sun, X., Pan, X., Mao, B. (2015). Detection, Classification and Characterization of Android Malware Using API Data Dependency. In: Thuraisingham, B., Wang, X., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2015. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 164. Springer, Cham. https://doi.org/10.1007/978-3-319-28865-9_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-28865-9_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-28864-2

  • Online ISBN: 978-3-319-28865-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation