Android Malware Detection Method Based on Permission Complement and API Calls

YANG Jiyun; TANG Jiang; YAN Ran; XIANG Tao

doi:10.1049/cje.2020.00.217

Volume 31 Issue 4

Jul. 2022

Turn off MathJax

Article Contents

Article Navigation > Chinese Journal of Electronics > 2022 > 31(4): 773-785

YANG Jiyun, TANG Jiang, YAN Ran, et al., “Android Malware Detection Method Based on Permission Complement and API Calls,” Chinese Journal of Electronics, vol. 31, no. 4, pp. 773-785, 2022, doi: 10.1049/cje.2020.00.217

Citation:

YANG Jiyun, TANG Jiang, YAN Ran, et al., “Android Malware Detection Method Based on Permission Complement and API Calls,” Chinese Journal of Electronics, vol. 31, no. 4, pp. 773-785, 2022, doi: 10.1049/cje.2020.00.217

Citation:

PDF( 3103 KB)

Android Malware Detection Method Based on Permission Complement and API Calls

doi: 10.1049/cje.2020.00.217

1.
College of Computer Science, Chongqing University, Chongqing 400044, China

Funds: This work was supported by the Technological Innovation and Application Projects of Chongqing (cstc2019jscx-msxmX0077)

More Information

Author Bio:
received the B.S., M.S. and Ph.D. degrees in computer science from Chongqing University, China, in 2000, 2003, and 2008, respectively. He is currently a Professor of the College of Computer Science, Chongqing University. His research interests include cryptanalysis, Android malware, and machine learning. (Email: yangjy@cqu.edu.cn)

received the B.S. degree in computer science from Chongqing University of Education, China, in 2017. He is currently pursuing the M.S. degree in the College of Computer Science, Chongqing University, China. His current research interests include Android security and static program analysis

received the B.S., M.S. degree in computer science from Chongqing University, China, in 2016 and 2019, respectively. Her research interests include machine learning and dynamic program analysis

received the B.S., M.S. and Ph.D. degrees in computer science from Chongqing University, China, in 2003, 2005, and 2008, respectively. He is currently a Professor with the College of Computer Science, Chongqing University. He has published over 90 papers on international journals and conferences. He also served as a Referee for numerous international journals and conferences. His research interests include multimedia security, cloud security, data privacy, and cryptography. (Email: txiang@cqu.edu.cn)
Received Date: 2020-07-22
Accepted Date: 2021-12-09

Available Online: 2022-01-07

Publish Date: 2022-07-05

Abstract

Abstract

The dynamic code loading mechanism of the Android system allows an application to load executable files externally at runtime. This mechanism makes the development of applications more convenient, but it also brings security issues. Applications that hide malicious behavior in the external file by dynamic code loading are becoming a new challenge for Android malware detection. To overcome this challenge, based on dynamic code loading mechanisms, three types of threat models, i.e. Model I, Model II, and Model III are defined. For the Model I type malware, its malicious behavior occurs in DexCode, so the application programming interface (API) classes were used to characterize the behavior of the DexCode file. For the Model II type and Model III type malwares whose malicious behaviors occur in an external file, the permission complement is defined to characterize the behaviors of the external file. Based on permission complement and API calls, an Android malicious application detection method is proposed, of which feature sets are constructed by improving a feature selection method. Five datasets containing 15,581 samples are used to evaluate the performance of the proposed method. The experimental results show that our detection method achieves accuracy of 99.885% on general dataset, and performes the best on all evaluation metrics on all datasets in all comparison methods.
- Android,
- Malware detection,
- Dynamic code loading,
- Permission complement

FullText(HTML)

References(32)

References

[1]	IDC, “Smartphone market share,” available at: http://www.idc.com/prodserv/smartphone-os-market-share.jsp, 2020.
[2]	Forbes, “Many popular android apps leak sensitive data, leaving millions of consumers at risk,” available at: https://www.forbes.com/sites/ajdellinger/2019/06/07/many-popularandroid-apps-leak-sensitive-data-leaving-millions-of-consumers-atrisk/, 2019.
[3]	Symantec, Internet Security Threat Report, vol.3, available at: https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf, Mountain View, CA, USA: Symantec Corporation, 2019.
[4]	Y. Zhauniarovich, M. Ahmad, O. Gadyatskaya, et al., “StaDynA: Addressing the problem of dynamic code updates in the security analysis of android applications,” in Proceedings of the 5th ACM Conference on Data and Application Security and Privacy (CODASPY’15), San Antonio, TX, USA, pp.37–48, 2015.
[5]	M. Ahmad, V. Costamagna, B. Crispo, et al., “StaDART: Addressing the problem of dynamic code updates in the security analysis of android applications,” Journal of Systems and Software, vol.159, article no.110386, 2020. doi: 10.1016/j.jss.2019.07.088
[6]	S. Poeplau, Y. Fratantonio, A. Bianchi, et al., “Execute this! Analyzing unsafe and malicious dynamic code loading in Android applications,” in Proceedings 2014 Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, pp.23–26, 2014.
[7]	L. Breiman, “Random forests,” Machine Learning, vol.45, no.1, pp.5–32, 2001. doi: 10.1023/A:1010933404324
[8]	D. Arp, M. Spreitzenbarth, M. Hübner, et al., “DREBIN: Effective and explainable detection of Android malware in your pocket,” in Proceedings of 2014 Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, pp.35–40, 2014.
[9]	J. Li, L. Sun, Q. Yan, et al., “Significant permission identification for machine-learning-based android malware detection,” IEEE Transactions on Industrial Informatics, vol.14, no.7, pp.3216–3225, 2018. doi: 10.1109/TII.2017.2789219
[10]	A. Martín, R. Lara-Cabrera, and D. Camacho, “Android malware detection through hybrid features fusion and ensemble classifiers: The AndroPyTool framework and the OmniDroid dataset,” Information Fusion, vol.52, pp.128–142, 2019. doi: 10.1016/j.inffus.2018.12.006
[11]	A. I. Aysan, F. Sakiz, and S. Sen, “Analysis of dynamic code updating in Android with security perspective,” IET Information Security, vol.13, no.3, pp.269–277, 2019. doi: 10.1049/iet-ifs.2018.5316
[12]	A. P. Felt, E. Chin, S. Hanna, et al., “Android permissions demystified,” in Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS’11), Chicago, IL, USA, pp.627–638, 2011.
[13]	M. Scalas, D. Maiorca, F. Mercaldo, et al., “On the effectiveness of system API-related information for Android ransomware detection,” Computers & Security, vol.86, pp.168–182, 2019.
[14]	P. Vinod, A. Zemmari, and M. Conti, “A machine learning based approach to detect malicious android apps using discriminant system calls,” Future Generation Computer Systems, vol.94, pp.333–350, 2019. doi: 10.1016/j.future.2018.11.021
[15]	C. J. C. Burges, “A tutorial on support vector machines for pattern recognition,” Data Mining and Knowledge Discovery, vol.2, no.2, pp.121–167, 1998. doi: 10.1023/A:1009715923555
[16]	G. E. Hinton, S. Osindero, and Y. W. Teh, “A fast learning algorithm for deep belief nets,” Neural Computation, vol.18, no.7, pp.1527–1554, 2006. doi: 10.1162/neco.2006.18.7.1527
[17]	Y. Freund and R. E. Schapire, “A decision-theoretic generalization of on-line learning and an application to boosting,” Journal of Computer and System Sciences, vol.55, no.1, pp.119–139, 1997. doi: 10.1006/jcss.1997.1504
[18]	R. Raphael, P. Vinod, and B. Omman, “X-ANOVA ranked features for Android malware analysis,” 2014 Annual IEEE India Conference (INDICON), Pune, India, pp.1–6, 2014.
[19]	W. Yang, X. Xiao, B. Andow, et al., “AppContext: Differentiating malicious and benign mobile app behaviors using context,” in Proceedings of IEEE/ACM 37th IEEE International Conference on Software Engineering, Florence, Italy, pp.303–313, 2015.
[20]	T. Yang, H. Cui, and S. Niu, “Dynamic loading vulnerability detection for android applications through ensemble learning,” Chinese Journal of Electronics, vol.26, no.5, pp.960–965, 2017. doi: 10.1049/cje.2017.07.001
[21]	W. Wang, Y. Li, X. Wang, et al., “Detecting Android malicious apps and categorizing benign apps with ensemble of classifiers,” Future Generation Computer Systems, vol.78, pp.987–994, 2018. doi: 10.1016/j.future.2017.01.019
[22]	H. Zhu, Z. You, Z. Zhu, et al., “DroidDet: Effective and robust detection of android malware using static analysis along with rotation forest model,” Neurocomputing, vol.272, pp.638–646, 2018. doi: 10.1016/j.neucom.2017.07.030
[23]	A. Pektaş and T. Acarman, “Learning to detect Android malware via opcode sequences,” Neurocomputing, vol.396, pp.599–608, 2020. doi: 10.1016/j.neucom.2018.09.102
[24]	S. Y. Yerima, S. Sezer, and G. McWilliams, “Analysis of Bayesian classification-based approaches for Android malware detection,” IET Information Security, vol.8, no.1, pp.25–36, 2014. doi: 10.1049/iet-ifs.2013.0095
[25]	S. Liang and X. Du, “Permission-combination-based scheme for Android mobile malware detection,” in Proceedings of International Conference on Communications, Sydney, Australia, pp.2301–2306, 2014.
[26]	A. Martín, V. Rodríguez-Fernández, and D. Camacho, “CANDYMAN: Classifying Android malware families by modelling dynamic traces with Markov chains,” Engineering Applications of Artificial Intelligence, vol.74, pp.121–133, 2018. doi: 10.1016/j.engappai.2018.06.006
[27]	Y. Xue, G. Meng, Y. Liu, et al., “Auditing anti-malware tools by evolving android malware and dynamic loading technique,” IEEE Transactions on Information Forensics and Security, vol.12, no.7, pp.1529–1544, 2017. doi: 10.1109/TIFS.2017.2661723
[28]	S. Wang, Z. Chen, L. Zhang, et al., “TrafficAV: An effective and explainable detection of mobile malware behavior using network traffic,” in Proceedings of IEEE/ACM 24th International Symposium on Quality of Service (IWQoS), Beijing, China, pp.1–6, 2016.
[29]	X. Xiao, Z. Wang, Q. Li, et al., “Back-propagation neural network on Markov chains from system call sequences: A new approach for detecting Android malware with system call sequences,” IET Information Security, vol.11, no.1, pp.8–15, 2017. doi: 10.1049/iet-ifs.2015.0211
[30]	P. Feng, J. Ma, C. Sun, et al., “A novel dynamic android malware detection system with ensemble learning,” IEEE Access, vol.6, pp.30996–31011, 2018. doi: 10.1109/ACCESS.2018.2844349
[31]	J. Li, Z. Wang, T. Wang, et al., “An android malware detection system based on feature fusion,” Chinese Journal of Electronics, vol.27, no.6, pp.1206–1213, 2018. doi: 10.1049/cje.2018.09.008
[32]	D. Sbîrlea, M. G. Burke, S. Guarnieri, et al., “Automatic detection of inter-application permission leaks in Android applications,” IBM Journal of Research and Development, vol.57, no.6, pp.10:1–10:12, 2013. doi: 10.1147/JRD.2013.2284403