Abstract

Android has a large share of the mobile app market, which makes it attractive to both malicious and benign developers. Online app markets, despite their vetting procedures, still admit malicious apps that mobile users may download by mistake. Detecting Android malware has been studied by many researchers using different approaches and techniques. The vast majority of them, though, focused on the requested permissions declared in the AndroidManifest.xml files. A number of researchers have considered other components of Android applications besides permissions, such as package info, activities, and process name. Some researchers pointed out the Android Broadcast receivers component, but it was not discussed as thoroughly as other components. In this paper, we conduct an empirical study to investigate the usage patterns of the Broadcast receivers component by malicious and benign Android applications. In addition to processing the AndroidManifest.xml files, the source code of malware samples, in particular the onReceive() methods, is manually analyzed. We also propose a data mining malware detection mechanism based on the statically registered Broadcast receivers. Our research shows that Android Broadcast receivers are intensively used by malware compared to benign applications. Our Java code analysis shows that malware samples fully utilize Broadcast receivers compared to benign apps. Finally, our experiments showed that using the Broadcast receivers with permissions improves the malware prediction accuracy.
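The following sketch is an added illustration, not code from the paper: it shows how requested permissions and statically registered Broadcast receivers can be pulled from an AndroidManifest.xml and turned into a binary feature vector for a classifier. It assumes the manifest has already been decoded from the APK's binary XML into text; the sample manifest, the function names and the vocabulary are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Attribute key for android:name in a decoded manifest.
NAME = "{http://schemas.android.com/apk/res/android}name"

# Constructed sample manifest (text form), not taken from the paper's dataset.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".NoFilterReceiver"/>
  </application>
</manifest>
"""

def extract_features(manifest_xml):
    """Return requested permissions and, per static receiver, its actions."""
    # For untrusted samples, a hardened parser such as defusedxml is safer.
    root = ET.fromstring(manifest_xml)
    permissions = sorted(
        {p.get(NAME) for p in root.iter("uses-permission") if p.get(NAME)}
    )
    receivers = {}
    for rec in root.iter("receiver"):
        # A receiver with no intent-filter yields an empty action list.
        actions = [a.get(NAME) for a in rec.iter("action") if a.get(NAME)]
        receivers[rec.get(NAME, "<unnamed>")] = actions
    return {"permissions": permissions, "receivers": receivers}

def to_feature_vector(features, vocabulary):
    """Binary vector over a fixed vocabulary of permission and action names."""
    present = set(features["permissions"])
    for actions in features["receivers"].values():
        present.update(actions)
    return [1 if term in present else 0 for term in vocabulary]

if __name__ == "__main__":
    print(extract_features(SAMPLE_MANIFEST))
```

Receivers registered at runtime through registerReceiver() do not appear in the manifest, so this extraction covers only the statically registered ones the abstract refers to.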
