Instance based security risk value estimation for Android applications

Abstract

Android has emerged as the widest-used operating system for smartphones and mobile devices. Security of this platform mainly relies on applications (apps) installed by the device owner since permissions and sandboxing have reduced the attack surface. Android antivirus programs detect known malware based on their signature, but they cannot detect zero-day viruses. Therefore, estimating security risk could be helpful for comparing and selecting apps that are more likely to be malicious or benign based on the estimated risk values. Therefore, systematic assistance for making appropriate decisions can significantly improve the security of Android-based devices. Additionally, Android markets can leverage estimated risks to recognize suspicious apps for further analysis. In this study, a new metric is introduced for effective risk estimation of untrusted apps. While previously proposed risk measurements are based on features such as permissions and function calls, our devised metric benefits from previously known malicious and non-malicious app instances. The metric uses previously identified malware and normal app samples to compute the security risk of untrusted apps. Thus, previously known samples are represented in the feature space, and for each untrusted input app, the risk is estimated using distances to malicious and non-malicious app instances. Moreover, to increase the metric's detection rate, an instance and feature weighting schema is suggested. Empirical evaluations on various datasets show that the proposed instance-based metric has higher detection rates and is more effective than a previously proposed feature based on risk score measurements.