Empirical Evaluation of a System Call-Based Android Malware Detector

Abstract

The extensive use of smartphones and increased popularity of Android operating system have proliferated in malware attacks. In order to overcome these malicious attacks, numerous malware detectors are now available and have been described in various literature. A majority of detectors rely on system calls, as these are non-bypassable interface for user applications to system services. In order to defeat the system call-based detectors, an adversary usually deploys mimicry attack (see Section 5.2) through which a sequence of system calls are injected into malicious apps to alter the actual sequence. It is evident that signature-based detectors result in high false alarm rate, due to such mimicry attacks. Therefore, in this paper, we propose a non-signature-based malware detector, that is not vulnerable to mimicry attack, by keeping the false alarm rate very low. In the present work, two different environment settings have been created for monitoring the deviation in the behaviour of synthetic user events, against those of real ones, through application executions. Feature selection was carried out by employing “Scatter Assessment” method on 2100 apps. Extensive experimentation has been carried out to select a concise set of features. The proposed method selects features in such a way, that it minimizes and maximizes the intra- and inter-class variances, respectively. Such a variance optimization allows us to evade mimicry attacks. The method has been validated for effectiveness and applicability, by means of two different datasets comprising of real samples. An area under curve of 1.0 with accuracy in the range of 99.8–100% was obtained, proving the efficacy of the proposed malware scanner.