LSCDroid: Malware Detection Based on Local Sensitive API Invocation Sequences

Abstract

Malware detection is an important and challenging issue in the Android ecosystem. Many approaches have been proposed to distinguish malicious applications from benign ones, but few of them can represent the behavior patterns of malicious applications and help understand their intention. In this paper, we propose LSCDroid, a malware detecting approach that cannot only detect malware but also help understand the malware's intention by analyzing its behavior patterns. LSCDroid uses local sensitive application programming interface (API) invocation (LSAI) sequences as features to detect malware and represent different malicious behavior patterns. We first extract LSAI sequences of malicious applications based on their function-call graphs. After removing redundant sequences and merging fragmented ones, we obtain a set of LSAI sequences that can be used to effectively detect malicious applications. We further manually analyze the semantic of the obtained sequences and find that a large fraction of them can be used to characterize different behavior patterns of malware and help understand their intention, e.g., sending SMS message stealthily, obtaining geographical information, remote control, and root privilege. We design a machine learning based malware detection and classification algorithm by taking the obtained sequences as input features. Experimental results show that the accuracy and recall of LSCDroid on multiple datasets are both higher than 0.98. Meanwhile, LSCDroid can classify malware families with an accuracy higher than 0.96. Moreover, LSCDroid can represent the behavior patterns and help understand intention of malware by mapping their LSAI sequences to some typical malicious behaviors.