Abstract

Accurate malware detection is important to protect Android users against the growing volume of sophisticated malware. In this paper, we propose a simple but efficient malware detection methodology that identifies a subset of Android APIs to use as classification features. Since each app needs to use a set of Android APIs to fulfill its main objective, the list of APIs used in an app characterizes the app. Our methodology constructs two ranked lists of Android APIs, namely benign_API_list and malicious_API_list. The benign_API_list contains the most commonly invoked APIs among benign apps, and the malicious_API_list contains the most commonly invoked APIs among malicious apps. Then, for a given suspicious app, we compute the sum of the inverse values of the rankings of the benign APIs it uses, and likewise the sum of the inverse values of the rankings of the malicious APIs it uses. We determine whether the app is benign or malicious by comparing the two sums. More specifically, if the sum of inverse values based on benign apps is larger than the one based on malicious apps, we determine that the given app is benign. Otherwise, we determine that the given app is malicious. Our experimental evaluation shows that the proposed methodology achieves an accuracy of 87.35% to 89.93% for Android malware detection. The proposed method could also be used for feature selection in machine learning-based malware detection algorithms.
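The scoring rule described in the abstract, as an added sketch that is not the paper's code. The two corpora are constructed sample data; ranking by the number of apps that invoke an API, the alphabetical tie-break and the optional `top_n` cutoff are assumptions.

```python
from collections import Counter
from fractions import Fraction

def build_ranked_list(corpus, top_n=None):
    """Map API -> rank, where rank 1 is the API invoked by the most apps."""
    counts = Counter(api for apis in corpus for api in set(apis))
    # Assumption: equal frequencies are ordered alphabetically so ranks are stable.
    ordered = sorted(counts, key=lambda api: (-counts[api], api))
    return {api: rank for rank, api in enumerate(ordered[:top_n], start=1)}

def inverse_rank_sum(app_apis, ranked):
    """Sum of 1/rank over the distinct APIs of the app that appear in the list."""
    # Fractions keep the comparison exact, so ties are detected reliably.
    return sum((Fraction(1, ranked[a]) for a in set(app_apis) if a in ranked),
               Fraction(0))

def classify(app_apis, benign_ranked, malicious_ranked):
    b = inverse_rank_sum(app_apis, benign_ranked)
    m = inverse_rank_sum(app_apis, malicious_ranked)
    # Benign only when strictly larger; every other case falls to "malicious".
    return ("benign" if b > m else "malicious"), b, m

# Constructed sample corpora: each entry is the set of APIs one app invokes.
BENIGN_APPS = [
    {"Activity.setContentView", "Log.d", "HttpURLConnection.connect"},
    {"Activity.setContentView", "Log.d", "LocationManager.getLastKnownLocation"},
    {"Activity.setContentView", "HttpURLConnection.connect"},
]
MALICIOUS_APPS = [
    {"SmsManager.sendTextMessage", "TelephonyManager.getDeviceId",
     "HttpURLConnection.connect"},
    {"SmsManager.sendTextMessage", "TelephonyManager.getDeviceId",
     "Activity.setContentView"},
    {"SmsManager.sendTextMessage", "HttpURLConnection.connect"},
]
BENIGN_RANKED = build_ranked_list(BENIGN_APPS)        # benign_API_list
MALICIOUS_RANKED = build_ranked_list(MALICIOUS_APPS)  # malicious_API_list

if __name__ == "__main__":
    suspects = {
        "ui_app": {"Activity.setContentView", "Log.d", "HttpURLConnection.connect"},
        "sms_app": {"SmsManager.sendTextMessage", "TelephonyManager.getDeviceId",
                    "Activity.setContentView"},
        "net_only": {"HttpURLConnection.connect"},  # same rank on both lists
        "unknown": {"Foo.bar"},                     # uses no listed API
    }
    for name, apis in suspects.items():
        label, b, m = classify(apis, BENIGN_RANKED, MALICIOUS_RANKED)
        print(f"{name}: benign_sum={b} malicious_sum={m} -> {label}")
```

An app whose two sums are equal, including one that uses no listed API at all, is labelled malicious under the abstract's "otherwise" rule.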
