Evaluating Op-Code Frequency Histograms in Malware and Third-Party Mobile Applications

  • Conference paper
E-Business and Telecommunications (ICETE 2015)

Abstract

Mobile malware has grown in scale and complexity as a consequence of the unabated uptake of smartphones worldwide. Malware writers have been developing detection evasion techniques that are rapidly making anti-malware technologies ineffective. In particular, zero-day malware easily passes signature-based detection, while techniques based on dynamic analysis, which could be more accurate and robust, are too costly or inappropriate for real contexts, especially for reasons related to usability. This paper discusses a technique for discriminating Android malware from trusted applications that does not rely on signatures but exploits a vector of features obtained from the static analysis of the Android Dalvik code. Experiments on a sample of 11,200 applications revealed that the proposed technique produces high precision (over 93%) in mobile malware detection. Furthermore, we investigate whether the feature vector is useful to identify the malware family and whether it is possible to discriminate whether an application was retrieved from the official market or from a third-party one.
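As an added illustration of the feature extraction the abstract describes (example code, not the authors' own tooling), the following Python builds an op-code frequency histogram from a constructed smali listing, folds opcode variants into families, and turns the counts into a normalised feature vector. The family grouping and the opcode set chosen for the vector are assumptions, not the paper's.

```python
import re
from collections import Counter

# Constructed smali listing (not from the paper): a method that sums an int array.
SAMPLE_SMALI = """\
.method public static sum([I)I
    .registers 5
    const/4 v0, 0x0
    const/4 v1, 0x0
    :goto_2
    array-length v2, p0
    if-ge v1, v2, :cond_b
    aget v2, p0, v1
    add-int/2addr v0, v2
    add-int/lit8 v1, v1, 0x1
    goto :goto_2
    :cond_b
    return v0
.end method
"""

# A Dalvik mnemonic is a lowercase word optionally extended with '-' or '/' parts (add-int/lit8).
OPCODE_RE = re.compile(r"^([a-z][a-z0-9]*(?:[-/][a-z0-9]+)*)")

def opcode_histogram(smali_text):
    """Count each mnemonic in a smali listing; directives (.), labels (:) and comments (#) are skipped."""
    counts = Counter()
    for line in smali_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in ".:#":
            continue
        match = OPCODE_RE.match(stripped)
        if match:
            counts[match.group(1)] += 1
    return counts

def family_histogram(counts):
    """Fold variants into one family by leading word (assumed grouping: if-ge -> if, add-int/2addr -> add)."""
    families = Counter()
    for opcode, n in counts.items():
        families[re.split(r"[-/]", opcode)[0]] += n
    return families

def feature_vector(counts, keys):
    """Relative frequency of each key in a fixed order, so vectors from different apps are comparable."""
    total = sum(counts.values())
    return [counts.get(k, 0) / total if total else 0.0 for k in keys]
```

Running `feature_vector(family_histogram(opcode_histogram(SAMPLE_SMALI)), ["const", "if", "goto", "add", "return"])` yields the per-app vector that a classifier such as the one evaluated in the paper would consume.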



Author information

Corresponding author: Francesco Mercaldo.


Copyright information

© 2016 Springer International Publishing Switzerland

Cite this paper

Canfora, G., Mercaldo, F., Visaggio, C.A. (2016). Evaluating Op-Code Frequency Histograms in Malware and Third-Party Mobile Applications. In: Obaidat, M., Lorenz, P. (eds) E-Business and Telecommunications. ICETE 2015. Communications in Computer and Information Science, vol 585. Springer, Cham. https://doi.org/10.1007/978-3-319-30222-5_10

  • DOI: https://doi.org/10.1007/978-3-319-30222-5_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-30221-8

  • Online ISBN: 978-3-319-30222-5
