
Lightweight versus obfuscation-resilient malware detection in android applications

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

With the rapid growth of mobile applications, securing them has become an important concern. Among mobile operating systems, Android is the most popular, and it has therefore drawn the most attention from malware authors. One of the main challenges in designing a malware detection mechanism is handling obfuscation, where malware authors transform the malware code so that it evades detectors while keeping its functionality. In this paper, we propose an obfuscation-resilient method, called ORDroid, which can detect mutated and transformed malware. We use RNN and NLP neural networks for this purpose. Our assumption is that the model runs on a server before the application is published to end users. Users may, however, obtain applications from different sources, so it is also necessary to design methods that can run on end users' mobile phones. The challenge in designing such methods is the limited computation and energy resources of a mobile phone. In the second part of this paper, we propose a lightweight malware detection method, called LightDroid. The main idea of this method is to select a minimal number of features from the AndroidManifest file, along with a number of picture-based features from the Dalvik executable file, such that the accuracy of the resulting model is close to that of the state-of-the-art methods while its complexity is as low as possible. We have fully implemented our proposed methods, as well as some of the state-of-the-art methods, including Drebin and RevealDroid. The results show that LightDroid is the most lightweight of them, with 97.49% accuracy on the test data. The evaluation of ORDroid shows that, considering the overall accuracy on both test and transformed data, our model is the best among the most closely related methods, with an accuracy of 98.07% on the normal data and 93.00% on the transformed data.
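As an added illustration (not code from the paper or its authors), the following Python sketches the LightDroid-style feature extraction described above: a handful of binary indicators taken from the AndroidManifest plus a fixed-length summary of the DEX file viewed as a grayscale image. The particular permission set, the image width, the grid size and the sample inputs are assumptions constructed here, and the manifest is assumed to be already decoded from binary AXML to plain XML.

```python
import xml.etree.ElementTree as ET

# Hypothetical minimal permission set; the paper's actual selection is not given on this page.
PERMISSIONS = [
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_PHONE_STATE",
]
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def manifest_features(manifest_xml: str) -> list:
    """One binary indicator per selected permission. Assumes the manifest has
    already been decoded from binary AXML to plain XML (e.g. by apktool)."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return [int(p in requested) for p in PERMISSIONS]

def dex_image_features(dex_bytes: bytes, width: int = 16, grid: int = 4) -> list:
    """View the DEX bytes as a grayscale image `width` pixels wide (one byte per
    pixel) and reduce it to a grid x grid block-mean image, flattened. The fixed
    grid keeps the vector length independent of the DEX size."""
    if dex_bytes[:4] != b"dex\n":  # every DEX file starts with this magic
        raise ValueError("not a DEX file")
    rows = [dex_bytes[i:i + width].ljust(width, b"\0")  # zero-pad the last row
            for i in range(0, len(dex_bytes), width)]
    height, feats = len(rows), []
    for gy in range(grid):
        for gx in range(grid):
            y0, y1 = gy * height // grid, (gy + 1) * height // grid
            x0, x1 = gx * width // grid, (gx + 1) * width // grid
            block = [rows[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            feats.append(sum(block) / len(block) / 255.0 if block else 0.0)
    return feats

def lightdroid_features(manifest_xml: str, dex_bytes: bytes) -> list:
    """Concatenate both groups into the vector a lightweight classifier would consume."""
    return manifest_features(manifest_xml) + dex_image_features(dex_bytes)

# Constructed sample inputs (not from any real app): a two-permission manifest and
# a 64-byte stand-in for a DEX file that keeps only the real 8-byte magic header.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""
SAMPLE_DEX = b"dex\n035\0" + bytes(range(56))

if __name__ == "__main__":
    print(lightdroid_features(SAMPLE_MANIFEST, SAMPLE_DEX))
```

The block-mean step is what keeps the vector small regardless of DEX size; a real deployment would tune the grid and the permission list on labelled data, which the abstract says the authors did to trade accuracy against on-device cost.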




Acknowledgements

We are grateful to Dr. Mansour Ahmadi, for sharing his valuable experiences with us during this research.

Author information


Corresponding author

Correspondence to Fathiyeh Faghih.


About this article


Cite this article

Aghamohammadi, A., Faghih, F. Lightweight versus obfuscation-resilient malware detection in android applications. J Comput Virol Hack Tech 16, 125–139 (2020). https://doi.org/10.1007/s11416-019-00341-y
