Machine learning-assisted signature and heuristic-based detection of malwares in Android devices

Abstract

Malware detection is an important factor in the security of the smart devices. However, currently utilized signature-based methods cannot provide accurate detection of zero-day attacks and polymorphic viruses. In this context, an efficient hybrid framework is presented for detection of malware in Android Apps. The proposed framework considers both signature and heuristic-based analysis for Android Apps. We have reverse engineered the Android Apps to extract manifest files, and binaries, and employed state-of-the-art machine learning algorithms to efficiently detect malwares. For this purpose, a rigorous set of experiments are performed using various classifiers such as SVM, Decision Tree, W-J48 and KNN. It has been observed that SVM in case of binaries and KNN in case of manifest.xml files are the most suitable options in robustly detecting the malware in Android devices. The proposed framework is tested on benchmark datasets and results show improved accuracy in malware detection.

Introduction

In recent years, smart devices have become main source of communication. Mobile phone has entered in market with a regular handset and now it has changed in to Smartphone with significant improvements in technology. Numbers of Smartphone users are greater than ever because of its available facilities. In past, mobile phone was only used to make phone calls and SMS messages. Recent situation has been changed and mobile phones are being used as camera, music player, Tablet PC, web browser etc. Today's mobile phones are equipped with multiple sensors with enhanced memory and processing power, thus enabling them to be used as personal computer.

A Smartphone requires applications and Operating System (OS) to facilitate users. Different operating systems are available for Smartphone's like iOS, Windows, Blackberry OS and Android. Android is the most famous among these platforms. Every day, approximately 1.3 million Android devices are being activated according to Google Chairmen Erich Schmidt [1]. Android provides their users a rich media support, optimized graphic system and powerful browser. Apart from this, Android OS also provides support for 24 h GPS tracking, video camera, compass and 3D-accelerometer. It yields rich Application Program Interfaces (APIs) for location and map functions. Users can easily control or process Google map on Android devices and access location at low cost. Due to the high usage of Smartphone's, every individual user is exposed to the threat of unwanted and malicious applications. Malware authors are busy in writing malicious applications with an increase in the number of Android users. The recent research illustrated that Android Apps are repacked by malicious ELF binaries for hiding calls to external binaries. Similarly, researchers are trying to find out the best malware detection methods like memory forensic technique and secure data communication methods that can prevent Android devices.

Whenever a user wants to install an application from play store, Application is downloaded first and then asked for installation after accepting all permissions. User can't install an application without accepting all permissions required by developer (hacker). Hackers usually ask for permission through which they can access user's camera, audio, text messages and all other private information. Users are uninformed of this purpose of hackers and they accept all permissions to install application. In this way, they become victim of hacker's attack. Moreover, hackers can make changes in constant strings to attack on mobile devices, as explained in feature extraction part in Section 3.

Several techniques for detecting malware have been proposed in literature which can be divided into two broad classes: Static and Dynamic Analysis-based methods. Dynamic Analysis also known as behavioural-based analysis collects information from the OS at runtime such as system calls, network access and files and memory modifications. Hybrid apps consist of both native apps, and web apps. Like native apps, they live in an app store and can take advantage of the many device features available. Like web apps, they rely on HTML being rendered in a browser, with the caveat that the browser is embedded within the app.

Often, companies build hybrid apps as wrappers for an existing web page. In that way, they hope to get a presence in the app store without spending significant effort for developing a different app. Hybrid apps are also popular because they allow cross platform development. Thus significantly reduce development costs: that is, the same HTML code components can be reused on different mobile operating systems. Tools such as PhoneGap and Sencha Touch allow people to design and code across platforms, using the power of HTML. However, developers rush to exploit off the shelf libraries in hybrid apps. Great new features are freely available without fully understanding, addressing, the security implications, increasing the chances of malware penetration in mobile devices.

In Static Analysis (signature-based analysis), information about the App and its expected behaviour consists of explicit and implicit observations in its binary/source code. Static Analysis methods are fast and effective, but various techniques can be used to dodge Static Analysis and thus render their ability to cope with polymorphic malware. There are number of signature and behaviour-based detection tools available on play store for detection of malicious Android applications. Recent study has shown that signature based malware detection tools works till a certain level. They become ineffective when malware authors make changes in apps. Such type of signature-based tools and anti-viruses could not provide protection to Android users.

Since Android is an open source and extensible platform, it allows to extract as many features as we would like. This enables to provide richer detection capabilities, not relying merely on the standard call records or power consumption patterns. The proposed method is novel in the context that it evaluates the ability to detect malicious activity on an Android device by employing Machine Learning algorithms using a variety of monitored features like permissions, providers, intent filters, process name and constant strings extracted from Android Apps. The proposed malware detection technique can also be used on diverse environments like BlackBerry, iOS etc. This work aims to find solution for following challenges:

• How to develop a malware detection system that can adapt to any kind of malware?

• How to detect malware before actual installation?

• How to scrutinize hybrid mobile apps for possible malware threat?

• How to warn Android users about malware after a download?

• Why extracting combined features of Android Apps is better way to detect malware than signature based and behaviour-based techniques?

Selection of good features from Android applications and their combination can lead to a robust malware detection system. Most of the malware detection techniques with dynamic analysis detect malware after installation of an Android App which can affect devices. To install an application, user has to allow all malicious permissions. It is not a secure way that a malware detection technique identifies malware after a device has been affected. We performed static analysis in the proposed malware detection technique to detect malware after downloading application. In this way, security of Smartphone does not compromise. When a user downloads an App from play store and identified malicious by the proposed malware detection technique, Apps will be prompted by detection system and user will be informed about malicious app before installation.

Contributions of this work are:

• A generic malware detection framework that is adaptive to different types of malware.

• Real time detection of malware using combination of string analysis and permissions.

• Performance evaluation methods to calculate precision and accuracy of malware detection in Android Apps.

As we have used hybrid approach that is both static and dynamic. Static approach will overcome the drawbacks of dynamic approach, while dynamic approach will cover the deficiencies of dynamic approach. So, all kind of malwares can be detected using the proposed approach, because the hybrid approach is used in our model. In this way, our proposed generic malware detection approach can detect different types of malware.

Before installing application, our proposed method will compare constant strings of downloaded Android Package Kit (APK) with constant strings of malware applications. The APK contains all components of an Android application and used for distribution and installation of mobile applications. If constant strings of malware application and downloaded APK do not match, user will be informed that application is malicious. Secondly, our extracted malicious keywords will be compared with manifest.xml file of application to check weather application is malware or legitimate. All these processes are executed before installation of APK file. In this manner, the proposed system can detect malware before installing an application.

The remainder of this paper is organized as follows. Section 2 summarizes related work, and Section 3 introduces the proposed framework. Section 4 describes the evaluation scheme and experimental setup, finally Section 5 concludes the paper.