AndroDialysis: Analysis of Android Intent Effectiveness in Malware Detection

Abstract

The wide popularity of Android systems has been accompanied by an increase in the amount of malware targeting these systems. This is largely due to the open nature of the Android framework, which facilitates the incorporation of third-party applications running on top of any Android device. Inter-process communication is one of the most notable features of the Android framework, as it allows the reuse of components across process boundaries. This mechanism is used as a gateway to access different sensitive services in the Android framework. In the Android platform, this communication system is usually driven by a late runtime binding messaging object known as an Intent. In this paper, we evaluate the effectiveness of Android Intents (explicit and implicit) as a distinguishing feature for identifying malicious applications. We show that Intents are semantically rich features that are able to encode the intentions of malware when compared to other well-studied features such as permissions. We also argue that this type of feature is not the ultimate solution; it should be used in conjunction with other known features. We conducted experiments using a dataset containing 7406 applications that comprise 1846 clean and 5560 infected applications. The results show a detection rate of 91% using Android Intents against 83% using Android permissions. Additionally, an experiment on the combination of both features results in a detection rate of 95.5%.
