LEMSOFT: Leveraging Extraction Method and Soft Voting for Android Malware Detection

With the widespread popularity of Internet of Things (IoT) devices based on the Android system, the amount of Android malware targeting IoT devices continues to increase, causing great economic losses. Accordingly, efficient and accurate Android malware detection methods are particularly important. Recently, many Android malware detection and classification methods have been proposed, but most of them ignore the deep relationships among software. In this paper, we propose a graph compression algorithm with reachability relationship extraction (GCRR) and design an Android malware detection and classification method called GCDroid based on this algorithm. A theoretical analysis shows that GCRR can reasonably extract the reachability relationships among APKs and compress a large heterogeneous APK-API relationship graph into a homogeneous APKs graph. Experiments show that GCDroid based on GCRR greatly reduces the required time consumption while improving detection accuracy. Compared with the existing excellent static Android malware detection methods, GCDroid improves upon their detection accuracies by 1.53%-39.13% on different datasets and outperforms the benchmark methods in terms of Android malware classification. Furthermore, compared with those of the baseline methods that are similar to GCDroid, GCDroid’s time consumption for model training and other aspects is only one-tenth as high or even less.

The rapid growth of malware has become a serious problem that threatens the security of the mobile ecosystem and needs to be studied and resolved. Android is the main target of attackers due to its open source and popularity. To solve this serious problem, an accurate and efficient malware detection method is needed. Most existing methods use a single type of feature, which can be easily bypassed, resulting in low detection accuracy. In addition, although multiple types of features are used in some methods to solve the drawbacks of detection methods using a single type of feature, there are still some problems. Firstly, due to multiple types of features, the number of features in the initial feature set is extremely large, and some methods directly use them for training, resulting in excessive overhead. Furthermore, some methods utilize feature selection to reduce the dimensionality of features, but they do not select highly distinguishable features, resulting in poor detection performance. In this article, an effective and accurate method for identifying Android malware, which is based on an analysis of the use of seven types of static features in Android is proposed to cope with the rapid increase in the amount of Android malware and overcome the drawbacks of detection methods using a single type of feature. Instead of utilizing all extracted features, we design three levels of feature selection methods to obtain highly distinguishable features that can be effective in identifying malware. Then a fully densely connected convolutional network based on DenseNet is adopted to leverage features more efficiently and effectively for malware detection. Compared with the number of features in the original feature set, the number of features in the feature set obtained by the three levels of feature selection methods is reduced by about 97%, but the accuracy is only reduced by 0.45%, and the accuracy is more than 99% in a variety of machine learning methods. Moreover, we compare our detection method with different machine learning models, and the experimental results show that our method outperforms general machine learning models. We also compare the performance of our detection method with two state-of-the-art neural networks. The experimental results show that our detection model can greatly reduce the training cost and still achieve good detection performance, reaching an accuracy of 99.72%. In addition, we compare our detection method with other similar detection methods that also use multiple types of features. The results show that our detection method is superior to the comparison methods.

Android OS devices are the most widely used mobile devices globally. The open-source nature and less restricted nature of the Android application store welcome malicious apps, which present risks for such devices. It is found in the security department report that static features such as Android permissions, manifest files, and API calls could significantly reduce malware app attacks on Android devices. Therefore, an automated method for malware detection should be installed on Android devices to detect malicious apps. These automated malware detection methods are developed using machine learning methods. Previously, many studies on Android OS malware detection using different feature selection approaches have been proposed, indicating that feature selection is a widely used concept in Android malware detection. The feature dependency and the correlation of the features enable the malicious behavior of an app to be detected. However, more robust feature selection using automated methods is still needed to improve Android malware detection methods. Therefore, this study proposed an automated ANN-method-based Android malware detection method. To validate the proposed method, two public datasets were used in this study, namely the CICInvestAndMal2019 and Drebin/AMD datasets. Both datasets were preprocessed via their static features to normalize the features as binary values. Binary values indicate that certain permissions in any app are enabled (1) or disabled (0). The transformed feature sets were given to the ANN classifier, and two main experiments were conducted. In Experiment 1, the ANN classifier used a simple input layer, whereas a five-fold cross-validation method was applied for validation. In Experiment 2, the proposed ANN classifier used a proposed feature selection layer. It includes selected features only based on correlation or dependency with respect to benign or malware apps. The proposed ANN-method-based results are significant, improved, and robust and were better than those presented in previous studies. The overall results of using the five-fold method on the CICInvestAndMal2019 dataset were a 95.30% accuracy, 96% precision, 98% precision, and 92% F1-score. Likewise, on the AMD/Drebin dataset, the overall scores were a 99.60% accuracy, 100% precision and recall, and 99% F1-score. Furthermore, the computational cost of both experiments was calculated to prove the performance improvement brought about by the proposed ANN classifier compared to the simple ANN method with the same time of training and prediction.

Android malware and its variants are a major challenge for mobile platforms. However, there are two main problems in the existing detection methods: <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">a</i> ) The detection method lacks the evolution ability for Android malware, which leads to the low detection rate of the detection model for malware and its variants. <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">b</i> ) Traditional detection methods require centralized data for model training, however, the aggregation of training samples is limited due to the infectivity of malware and growing data privacy concerns, centralized detection methods are difficult to be applied in actual detection scenarios. In this paper, we propose FEDriod, a comprehensive Android malware detection method based on federated learning architecture that protects against growing Android malware or emerging Android malware variants. Specifically, we employ genetic evolution strategy to simulate the evolution of Android malware and develop potential malware variants from typical Android malware. Then, we customize the Android malware detection model based on residual neural network to achieve high detection accuracy. Finally, to achieve the protection sensitive data, we develope a federated learning framework to allows multiple Android malware detection agencies to jointly build a comprehensive Android malware detection model. We comprehensively evaluate the performance of FEDriod on the CIC, Drebin, and Contagio authoritative datasets. Experimental results show that our local model outperforms all baseline classifiers. In the federal scenario, our proposed method is superior to the state-of-the-art detection methods, especially in the cross-dataset evaluation, the F1 of FEDriod is 98.53%. More important, we performed genetic evolution experiments on the Drebin dataset, and the results showed that our proposed method has the ability to detect Android malware variants.

Most of the current malware detection methods running on Android are based on signature and cloud technologies leading to poor protection against new types of malware. Deep learning techniques take Android malware detection to a new level. Still, most deep learning-based Android malware detection methods are too inefficient or even unworkable on Android devices due to their high resource consumption. Therefore, this paper proposes MSFDroid, a lightweight multi-source fast Android malware detection model, which uses information from the internal files of the Android application package in several dimensions to build base models for ensemble learning. Meanwhile, this paper proposes an adaptive soft voting method by dynamically adjusting the weights of each base model to overcome the noise generated by traditional soft voting and thus improves the performance. It also proposes adaptive shrinkage convolutional unit that can dynamically adjust the convolutional kernel’s weight and the activation function’s threshold to improve the expressiveness of the CNN. The proposed method is tested on public datasets and on several real devices. The experimental results show that it achieves a better trade-off between performance and efficiency by significantly improving the detection speed while achieving a comparable performance compared to other deep learning methods.

Introduction: Mobile security suffers greatly by the quick spread of Android malware, leading to the need for sophisticated detection methods that can change to meet new threats. Malware is still a difficult security issue in the Android ecosystem because it frequently obfuscates itself to avoid detection. Semantic behavior feature extraction is essential in this situation in order to build a reliable malware detection model Objectives: To provide an overview of android malware, including the impact of malware detection, the significance of malware detection, its types, and a framework for detecting Android malware that uses Transfer Learning (TL) to forecast malware in the Android ecosystem and AEs (AutoEncoders) to extract features. Methods: This study presents an integrated deep learning (DL) method for Android malware detection that combines AEs for feature extraction and TL for classification. In order to effectively depict both benign and malevolent actions, AEs are used to extract latent, highly dimensional features from both static and dynamic analytical data. Then, TL uses deep neural networks that have already been trained to identify Android apps more accurately and with less training time Results: The tests were conducted on three datasets with two labels in the "class" attribute "0" for benign and "1" for malicious in order to evaluate the effectiveness of the suggested framework. With an enhanced MAE value of 0.001 and RMSE value of 0.063 attain an 99.99% accuracy. The findings show that the proposed model achieved remarkable accuracy and has the potential to produce reliable malware detection results Conclusions: An integrated DL strategy for Android malware detection that combines AEs for feature extraction and TL for classification has been presented. AEs are used to extract high-dimensional, latent characteristics from both static (code-related) and dynamic (behavior-related) Android app analysis data. The system may thus effectively capture and reflect both beneficial and harmful behaviors.

Recently, the threat of Android malware is spreading rapidly, especially those repackaged Android malware. Although understanding Android malware using dynamic analysis can provide a comprehensive view, it is still subjected to high cost in environment deployment and manual efforts in investigation. In this study, we propose a static feature-based mechanism to provide a static analyst paradigm for detecting the Android malware. The mechanism considers the static information including permissions, deployment of components, Intent messages passing and API calls for characterizing the Android applications behavior. In order to recognize different intentions of Android malware, different kinds of clustering algorithms can be applied to enhance the malware modeling capability. Besides, we leverage the proposed mechanism and develop a system, called Droid Mat. First, the Droid Mat extracts the information (e.g., requested permissions, Intent messages passing, etc) from each application's manifest file, and regards components (Activity, Service, Receiver) as entry points drilling down for tracing API Calls related to permissions. Next, it applies K-means algorithm that enhances the malware modeling capability. The number of clusters are decided by Singular Value Decomposition (SVD) method on the low rank approximation. Finally, it uses kNN algorithm to classify the application as benign or malicious. The experiment result shows that the recall rate of our approach is better than one of well-known tool, Androguard, published in Black hat 2011, which focuses on Android malware analysis. In addition, Droid Mat is efficient since it takes only half of time than Androguard to predict 1738 apps as benign apps or Android malware.

Android malware poses a serious threat to cyberspace security, and many researchers are committed to researching fast and effective methods for Android malware detection. However, the latest Android malware usually uses escape techniques such as code obfuscation, so the traditional machine learning methods gradually become invalid. In recent years, deep learning has been gradually applied in the field of Android malware detection due to its powerful data processing and feature representation capabilities, and has achieved convincing performance. This paper conducts a review and research on the related achievements of Android malware detection based on deep learning in recent years, and classifies Android malware detection methods according to different characteristics and different networks. At the same time, a systematic introduction on deep learning model algorithms, such as RNN, CNN, Attention Mechanism, etc., is made. Besides, we analyze most commonly used datasets and evaluation indicators. The outcomes of this paper can provide a more comprehensive overview for researchers in the field, aiming to inspire researchers to make more and better achievements in Android malware detection.KeywordsMalware detectionAndroid systemDeep learningNeural network

Unprecedented growth and prevalent adoption of the Android Operating System (OS) have triggered a substantial transformation, not only within the smartphone industry but across various categories of intelligent devices. These intelligent devices store a wealth of sensitive data, making them enticing targets for malicious individuals who create harmful Android applications to steal this data for malicious purposes. While numerous Android malware detection methods have been proposed, the exponential growth in sophisticated and malicious Android apps presents an unprecedented challenge to existing detection techniques. Some of the researchers have attempted to classify malicious Android applications into families through static analysis of applications but most of them are evaluated on applications of previous API levels. This paper introduces a novel dataset compromising of 2019 to 2021 applications and proposes a Deep Learning based Malware Detection and Family Classification method (DeepMDFC) to detect and classify emerging malicious Android applications through static analysis and deep Artificial Neural Networks. Experimental findings indicate that DeepMDFC surpasses standard machine learning algorithms, achieving accuracy rates of 99.3% and 96.7% for Android malware detection and classification, respectively, with a limited size feature set. The performance of DeepMDFC is also assessed using the benchmark dataset (DREBIN) and results showed that DeepMDFC surpasses these methods in terms of performance. Furthermore, it leverages the proposed dataset to construct a prediction model that adeptly identifies malicious Android applications from both the years 2022 and 2023. This process the potency and resilience of DeepMDFC against emerging Android applications.

Android, the most popular mobile operating system, has attracted millions of users around the world. Meanwhile, the number of new Android malware instances has grown exponentially in recent years. On the one hand, existing Android malware detection systems have shown that distilling the program semantics into a graph representation and detecting malicious programs by conducting graph matching are able to achieve high accuracy on detecting Android malware. However, these traditional graph-based approaches always perform expensive program analysis and suffer from low scalability on malware detection. On the other hand, because of the high scalability of social network analysis, it has been applied to complete large-scale malware detection. However, the social-network-analysis-based method only considers simple semantic information (i.e., centrality) for achieving market-wide mobile malware scanning, which may limit the detection effectiveness when benign apps show some similar behaviors as malware. In this article, we aim to combine the high accuracy of traditional graph-based method with the high scalability of social-network-analysis--based method for Android malware detection. Instead of using traditional heavyweight static analysis, we treat function call graphs of apps as complex social networks and apply social-network--based centrality analysis to unearth the central nodes within call graphs. After obtaining the central nodes, the average intimacies between sensitive API calls and central nodes are computed to represent the semantic features of the graphs. We implement our approach in a tool called IntDroid and evaluate it on a dataset of 3,988 benign samples and 4,265 malicious samples. Experimental results show that IntDroid is capable of detecting Android malware with an F-measure of 97.1% while maintaining a True-positive Rate of 99.1%. Although the scalability is not as fast as a social-network-analysis--based method (i.e., MalScan ), compared to a traditional graph-based method, IntDroid is more than six times faster than MaMaDroid . Moreover, in a corpus of apps collected from GooglePlay market, IntDroid is able to identify 28 zero-day malware that can evade detection of existing tools, one of which has been downloaded and installed by more than ten million users. This app has also been flagged as malware by six anti-virus scanners in VirusTotal, one of which is Symantec Mobile Insight .

The use of smartphones is increasing rapidly and the malicious intrusions associated with it have become a challenging task that needs to be resolved. A secure and effective technique is needed to prevent breaches and detect malicious applications. Through deep learning methods and neural networks, the earliest detection and classification of malware can be performed. Detection of Android malware is the process to identify malicious attackers and through the classification method of malware, the type is categorized as adware, ransomware, SMS malware, and scareware. Since there were several techniques employed so far for malware detection and classification, there were some limitations like a reduced rate of accuracy and so on. To overcome these limitations, a deep learning-based automated process is employed to identify the malware. In this paper, initially, the datasets are collected, and through the preprocessing method, the duplicate and noisy data are removed to improve accuracy. Then the separated malware and benign dataset from the preprocessing phase is dealt with in feature selection. The reliable features are extracted in this process by Meta-Heuristic Artificial Jellyfish Search Optimizer (MH-AJSO). Further by the process of classification, the type of malware is categorized. The classification method is performed by the proposed Dense Dilated ResNet101 (DDResNet101) classifier. According to the type of malware the breach is prevented and secured on the android device. Although several methods of malware detection are found in the android platform the accuracy is effectively derived in our proposed system. Various performance analysis is performed to compare the robustness of detection. The results show that better accuracy of 98% is achieved in the proposed model with effectiveness for identifying the malware and thereby breaches and intrusion can be prevented.

The Android mobile operating system runs roughly 95% of mobile phones worldwide making it a major target for malware. To counter the threat there continues to be significant research efforts in mobile malware detection. One of the key tools used in these efforts is supervised machine learning. Significant progress has been made in detection accuracy but one necessary step in that process often is overlooked or treated with less importance than it should, feature selection, i.e., determining which attributes of Android are most effective as inputs into machine learning models.To tackle this research problem, we have tested 11 feature selection techniques and analyzed their performance on three large primary Android feature sets used by researchers: Permissions, Intents and API Calls. The generated feature sets were validated using three popular machine learning classifiers. As an ongoing research effort, in this paper, we specifically answer the following research questions: 1) How does machine learning model accuracy vary across feature selection algorithms? 2) How does feature set size affect model accuracy across feature selection methods? and 3) What are the primary guidelines for building a feature set in Android malware detection? Answers to these key research questions provided significant insights in Android malware detection and will shed light on other malware detection methods.

In recent years, the rapid increase in the number and type of Android malware has brought great challenges and pressure to malware detection systems. As a widely used method in android malware detection, static detecting has been a hot topic in academia and industry. However, in order to improve the accuracy of detection, the existing static detecting methods sacrifice the excessively high analysis complexity and time cost. Moreover, the correlation between static features leads to redundancy of a large amount of data. Therefore, this paper proposes a static detecting method of Android malware based on sensitive pattern. It uses an improved FP-growth algorithm to mine frequent combinations of sensitive permissions and API calls in malicious apps and benign apps, which avoids the generation of redundant information. In addition, this paper adopts multi-layered gradient boosting decision trees algorithm to train the detection model. And a dual similarity combination method is proposed to measure the similarity between different sensitive patterns. The experimental results show that our proposed detection method has high accuracy and great generalization ability.

PurposeThe openness of the Android operating system offers users convenience but also exposes them to a multitude of malicious applications. Consequently, analyzing applications before installation has become a crucial research area in mobile security. Static analysis, known for its accuracy and low cost, is a prominent method within this field. This paper aims to propose an ML/DL-based approach to detect benign and malicious applications in APK format.Design/methodology/approachThe analysis method, detailed further in the paper, consists of five steps. Step 1, each APK file in the sample set undergoes decompilation to convert it into source code. Then, directed API call graph (DACG) generator is used to analyze the decompiled source code from Step 1 and extract API calls. After that, the authors apply the graph2vec method to convert the DACG data set into characteristic subgraphs. Next, saving the necessary features that each model needs to learn from the vector set. This helps reduce the vector dimensionality for each model type and reduces time and noise by eliminating unnecessary features. Finally, training and evaluating the ability to detect Android malware based on popular machine learning algorithms such as Random Forest, support vector machine, K-nearest neighbor, logistic regression and one of the most powerful machine learning algorithms currently available, gradient boosting regression.FindingsThe authors come to the conclusion, feature graphs based on API call graphs are effective in detecting Android malware. Experimental results demonstrate the proposed method’s superiority over existing detection methods on a data set of 7,000 samples, achieving TPR > 97%, FPR < 1% and AUC∼0.98. Following these steps, a final classification will determine the safety of the tested application, aiding users in avoiding malware installation.Research limitations/implicationsAlthough some limitations remain to be addressed, the DACG construction method holds significant potential for further exploration. Future research will focus on integrating dynamic analysis techniques to broaden the detectable and classifiable Android malware categories. In addition, the authors aim to adapt the methodology for broader applicability to other system types, including the widely used ELF systems in Linux.Originality/valueIn the study, the authors addressed the issue of generating graph-based feature for Android malware detection in a meaningful, practical and efficient way. The results can be used as a pattern for similar scenarios and applications.

Feature Selection (FS) provides a vital role in the android malware detection system. The researchers have presented FS methods and tested them on benchmark datasets, including static types of features extracted from applications. This paper studies FS methods used in traditional android malware detection systems. These FS methods are implemented on the benchmark datasets such as Genome project, Google PlayStore, AndroZoo, and Drebin consist of static types of extracted features from applications. These traditional methods are studied and implemented on the latest dataset, such as CIC-MalDroid2020 dataset, which includes the latest types of malware and 470 dynamic types of features. The experimentation is performed on CIC-MalDroid2020 dataset with the Random Forest (RF) classifier using traditional FS methods, and performance is compared with the original feature set. Finally, the investigation with the RF classifier on CIC-MalDroid2020 dataset using the obtained 80 features from 470 original features by the ReliefF method produces higher precision of 97.4647% and a lower FAR of 0.1409 for malware detection.