Abstract
By increasing growth of mobile applications, providing their security has become significant. Among mobile operating systems, Android is the most popular one, and hence, it has drawn more attention from malware programmers. One of the main challenges in designing a malware detection mechanism is handling obfuscation, where malware programmers try to change malware codes, such that they cannot be detected by malware detectors, while they keep their functionalities. In this paper, we propose an obfuscation-resilient method, called ORDroid, which can detect mutated and transformed malwares. We have used RNN and NLP neural networks for achieving this purpose. Our assumption is that the model is run on a server, before the application is published for end users. Users may get an application from different sources, and hence, it is necessary to design methods that can run on end users’ mobile phones. The challenge that should be considered when designing such methods is the limitation of computation and energy resources on a mobile phone. In the second part of this paper, we propose a lightweight malware detection method, called LightDroid. The main idea of this method is to select a minimal number of features from AndroidManifest file, along with a number of picture-based features from Dalvik executable file in a way that the accuracy of the resulting model is close to the state-of-the-art methods, while its complexity is as low as possible. We have fully implemented our proposed methods, as well as some of the state-of-the-art methods, including Drebin and RevealDroid. The results show that LightDroid is the most lightweight one, with 97.49% accuracy on the test data. Evaluation of ORDroid shows that, considering the overall accuracy of both test and transformed data, our model is the best comparing to the most related methods with the accuracy of 98.07% on the normal and 93.00% on the transformed data.
Similar content being viewed by others
References
Share of global mobile website traffic. Accessed 9 Dec 2018. https://www.statista.com/statistics/277125/share-of-website-traffic-coming-from-mobile-devices
Smartphone OS Market Share. Accessed 9 Dec 2018. https://www.idc.com/promo/smartphone-market-share/os
McAfee Research & Reports. Accessed 9 Dec 2018. https://www.mcafee.com/enterprise/en-us/about/newsroom/research-reports.html
Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K., Siemens, C.E.R.T.: Drebin: effective and explainable detection of android malware in your pocket. In: Ndss, vol. 14, pp. 23–26 (2014)
Nataraj, L., Karthikeyan, S, Jacob, G., Manjunath, B.S.: Malware images: visualization and automatic classification. In: Proceedings of the 8th International Symposium on Visualization for Cyber Security, p. 4. ACM (2011)
Ahmadi, M., Ulyanov, D., Semenov, S., Trofimov, M., Giacinto, G.: Novel feature extraction, selection and fusion for effective malware family classification. In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pp. 183–194. ACM (2016)
Saracino, A., Sgandurra, D., Dini, G., Martinelli, F.: Madam: effective and efficient behavior-based android malware detection and prevention. IEEE Trans. Dependable Secure Comput. 15(1), 83–97 (2018)
Enck, W., Gilbert, P., Han, S., Tendulkar, V., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. (TOCS) 32(2), 5 (2014)
Zhang, Y., Yang, M., Xu, B., Yang, Z., Gu, G., Ning, P., Wang, X.S., Zang, B.: Vetting undesirable behaviors in android apps with permission use analysis. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 611–622. ACM (2013)
How does Google Play Protect aim to improve Android security? Accessed 9 Dec 2018. https://searchsecurity.techtarget.com/answer/How-does-Google-Play-Protect-aim-to-improve-Android-security
Fratantonio, Y., Bianchi, A., Robertson, W., Kirda, E., Kruegel, C., Vigna, G.: Triggerscope: towards detecting logic bombs in android applications. In: Security and Privacy (SP), 2016 IEEE Symposium on, pp. 377–396. IEEE (2016)
Hidden App Malware Found on Google Play. Accessed 9 Dec 2018. https://www.symantec.com/blogs/threat-intelligence/hidden-app-malware-google-play
Crooks infiltrate Google Play with malware in QR reading utilities. Accessed 9 Dec 2018. https://nakedsecurity.sophos.com/2018/03/23/crooks-infiltrate-google-play-with-malware-lurking-in-qr-reading-utilities
A Whale of a Tale: HummingBad Returns. Accessed 9 Dec 2018. https://blog.checkpoint.com/2017/01/23/hummingbad-returns
Garcia, J., Hammad, M., Malek, S.: Lightweight, obfuscation-resilient detection and family identification of android malware. ACM Trans. Softw. Eng. Methodol. 26(3), 11 (2018)
Aung, Z., Zaw, W.: Permission-based android malware detection. Int. J. Sci. Technol. Res. 2(3), 228–234 (2013)
Aafer, Y., Du, W., Yin, H.: Droidapiminer: Mining api-level features for robust malware detection in android. In International Conference on Security and Privacy in Communication Systems, pp. 86–103. Springer, Cham (2013)
Mikolov, T., Sutskever, I., Chen, K., Corrado, G.S., Dean, J.: Distributed representations of words and phrases and their compositionality. In: Advances in Neural Information Processing Systems, pp. 3111–3119 (2013)
Rong, X.: word2vec parameter learning explained. arXiv preprint arXiv:1411.2738 (2014)
ProGuard The open source optimizer and obfuscator for Java bytecode. Accessed 9 Dec 2018. https://www.guardsquare.com/proguard
DexProtector-Cutting edge obfuscator for Android apps. Accessed 9 Dec 2018. https://dexprotector.com
Rastogi, V., Chen, Y., Jiang, X., et al.: Catch me if you can: evaluating android anti-malware against transformation attacks. IEEE Trans. Inf. Forensics Secur. 9(1), 99–108 (2014)
Hidden miners on Google Play. Accessed 9 Dec 2018. https://usa.kaspersky.com/blog/google-play-hidden-miners/15101
Gibert, D.: Convolutional neural networks for malware classification. PhD thesis, MS Thesis, Dept. of Computer Science, UPC (2016)
Dalvik bytecode. Accessed 9 Dec 2018. https://source.android.com/devices/tech/dalvik/dalvik-bytecode
Chung, J., Gulcehre, C., Cho, K.H., Bengio, Y.: Empirical evaluation of gated recurrent neural networks on sequence modeling. arXiv preprint arXiv:1412.3555 (2014)
Dalvik executable format. Accessed 9 Dec 2018. https://source.android.com/devices/tech/dalvik/dex-format
Fereidooni, H., Moonsamy, V., Conti, M., Batina, L.: Efficient classification of android malware in the wild using robust static features. Prot. Mobile Netw. Dev.: Chall. Solut. 1, 181–209 (2016)
A deep dive into DEX file format. Accessed 9 Dec 2018. https://elinux.org/images/d/d9/A_deep_dive_into_dex_file_format-chiossi.pdf
Krizhevsky, A., Sutskever, I., Hinton, G.E.: Imagenet classification with deep convolutional neural networks. In: Advances in Neural Information Processing Systems, pp. 1097–1105 (2012)
Desnos, A. et al.: Androguard: reverse engineering, malware and goodware analysis of android applications. https://code.google.com/p/androguard, p. 153 (2013)
RevealDroid Java repository. Accessed 9 Dec 2018. https://bitbucket.org/joshuaga/revealdroid
Abadi, M., Barham, P., Chen, J., Chen, Z., Davis, A., Dean, J., Devin, M., Ghemawat, S., Irving, G., Isard, M., et al.: Tensorflow: a system for large-scale machine learning. OSDI 16, 265–283 (2016)
Chollet, F. et al.: Keras: The python deep learning library. In: Astrophysics Source Code Library (2018)
Jiang, X., Zhou, Y.: Dissecting android malware: characterization and evolution. In: 2012 IEEE Symposium on Security and Privacy, pp. 95–109. IEEE (2012)
Wei, F., Li, Y., Roy, S., Ou, X., Zhou, W.: Deep ground truth analysis of current android malware. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 252–276. Springer, Berlin (2017)
Koodous: an online analysis tools over a vast APKs repository. Accessed 9 Dec 2018. https://koodous.com
Wang, R.: Flash in the pan? Virus Bull. (1998)
Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. Technical report, Wisconsin Univ-Madison Dept of Computer Sciences (2006)
Narouei, M., Ahmadi, M., Giacinto, G., Takabi, H., Sami, A.: DLLMiner: structural mining for malware detection. Secur. Commun. Netw. 8(18), 3311–3322 (2015)
Hu, W., Tan, Y.: Generating adversarial malware examples for black-box attacks based on gan. arXiv preprint arXiv:1702.05983 (2017)
Peiravian, N., Zhu, X.: Machine learning for android malware detection using permission and api calls. In: Tools with Artificial Intelligence (ICTAI), 2013 IEEE 25th International Conference on, pp. 300–305. IEEE (2013)
Gennissen, J., Cavallaro, L., Moonsamy, V., Batina, L.: Gamut: sifting through images to detect android malware (2017)
Vidas, T., Christin, N.: Evading android runtime analysis via sandbox detection. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, pp. 447–458. ACM (2014)
Erel. Android tutorial-code obfuscation. https://www.b4x.com/android/forum/threads/code-obfuscation.13773. [Online; accessed 18 July 2019]
Canfora, G., Martinelli, F., Mercaldo, F., Nardone, V., Santone, A., Visaggio, C.A.: Leila: formal tool for identifying mobile malicious behaviour. IEEE Trans. Softw. Eng. (2018)
Hammad, M.: Self-protection of Android systems from inter-component communication attacks. Ph.D. thesis, UC Irvine (2018)
Polakis, I., Diamantaris, M., Petsas, T., Maggi, F., Ioannidis, S.: Powerslave: analyzing the energy consumption of mobile antivirus software. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 165–184. Springer, Berlin (2015)
Acknowledgements
We are grateful to Dr. Mansour Ahmadi, for sharing his valuable experiences with us during this research.
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Aghamohammadi, A., Faghih, F. Lightweight versus obfuscation-resilient malware detection in android applications. J Comput Virol Hack Tech 16, 125–139 (2020). https://doi.org/10.1007/s11416-019-00341-y
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11416-019-00341-y