Lightweight versus obfuscation-resilient malware detection in android applications

Abstract

By increasing growth of mobile applications, providing their security has become significant. Among mobile operating systems, Android is the most popular one, and hence, it has drawn more attention from malware programmers. One of the main challenges in designing a malware detection mechanism is handling obfuscation, where malware programmers try to change malware codes, such that they cannot be detected by malware detectors, while they keep their functionalities. In this paper, we propose an obfuscation-resilient method, called ORDroid, which can detect mutated and transformed malwares. We have used RNN and NLP neural networks for achieving this purpose. Our assumption is that the model is run on a server, before the application is published for end users. Users may get an application from different sources, and hence, it is necessary to design methods that can run on end users’ mobile phones. The challenge that should be considered when designing such methods is the limitation of computation and energy resources on a mobile phone. In the second part of this paper, we propose a lightweight malware detection method, called LightDroid. The main idea of this method is to select a minimal number of features from AndroidManifest file, along with a number of picture-based features from Dalvik executable file in a way that the accuracy of the resulting model is close to the state-of-the-art methods, while its complexity is as low as possible. We have fully implemented our proposed methods, as well as some of the state-of-the-art methods, including Drebin and RevealDroid. The results show that LightDroid is the most lightweight one, with 97.49% accuracy on the test data. Evaluation of ORDroid shows that, considering the overall accuracy of both test and transformed data, our model is the best comparing to the most related methods with the accuracy of 98.07% on the normal and 93.00% on the transformed data.