A Family of Droids: Analyzing Behavioral Model based Android Malware Detection via Static and Dynamic Analysis

by   Lucky Onwuzurike, et al.

As smartphones play an increasingly central role in our everyday lives, the number of applications (apps) designed for the mobile ecosystem has skyrocketed. These apps are designed to meet diverse user needs, e.g., banking, communication, social networking, and as such often handle sensitive information. As a result, a growing number of cybercriminals are targeting the mobile ecosystem, by designing and distributing malicious apps that steal information or cause harm to the device's owner. Aiming to counter them, a number of techniques, based on either static or dynamic analysis, have been used to model Android malware and build detection tools. However, we often lack a good understanding of what analysis method works best and in which cases. In this paper, we analyze the performance of static and dynamic analysis methods, using the same modeling approach. Specifically, we build on MaMaDroid, a state-of-the-art detection system that relies on static analysis to create a behavioral model from the sequences of abstracted API calls. To port it to dynamic analysis, we modify CHIMP, a platform recently proposed to crowdsource human inputs for app testing, in order to extract API calls' sequences from the traces produced while executing the app on a CHIMP virtual device. We call this system AuntieDroid and instantiate it by using both automated (Monkey) and user-generated inputs. We find that combining both static and dynamic analysis yields the best performance, with F-measure reaching 0.92. We also show that static analysis is at least as effective as dynamic analysis, depending on how apps are stimulated during execution, and investigate the reasons for inconsistent misclassifications across methods. Finally, we examine the prevalence of dynamic code loading, which constitutes a possible limitation of static analysis based tools.


page 1

page 2

page 3

page 4


MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models (Extended Version)

As Android becomes increasingly popular, so does malware targeting it, t...

DroidDissector: A Static and Dynamic Analysis Tool for Android Malware Detection

DroidDissector is an extraction tool for both static and dynamic feature...

JuCify: A Step Towards Android Code Unification for Enhanced Static Analysis

Native code is now commonplace within Android app packages where it co-e...

RAICC: Revealing Atypical Inter-Component Communication in Android Apps

Inter-Component Communication (ICC) is a key mechanism in Android. It en...

apk2vec: Semi-supervised multi-view representation learning for profiling Android applications

Building behavior profiles of Android applications (apps) with holistic,...

NtMalDetect: A Machine Learning Approach to Malware Detection Using Native API System Calls

As computing systems become increasingly advanced and as users increasin...

Please sign up or login with your details

Forgot password? Click here to reset