PEDAM: Priority Execution Based Approach for Detecting Android Malware

Abstract

With the openness and growing popularity of the Android operating system all over the world, it has become a target of attack for malware authors who are determined to take advantage of the over 2.5 billion monthly active users of Android devices. Despite Google's various protection measures, Android malware continues to grow in complexity and scope. In recent times, many research efforts have focused on detecting malware on the Android operating system using both static and dynamic approaches. Most of the existing techniques are still not perfect because of the problems of false positives, false negatives and high detection time. In this work, a Priority Execution-based Approach for Detecting Android Malware (PEDAM) is proposed to solve some of these problems. In PEDAM, a two-phase dynamic analysis scheme is used for malware analysis. The first phase uses a time-based filter to prioritize which Android applications will execute, based on their permissions and intents. Any suspected samples not captured in the first phase are further analysed in the second phase, which performs behavioural analysis with a Support Vector Machine classifier over the permission, intent filter and Activity feature sets for effective detection. The evaluation of the proposed model on different Android malware families shows that PEDAM outperformed another Android-based malware detection system, the Iterative Classifier Fusion System (ICFS), with an improved accuracy of 1.04%. These results indicate that the approach could be deployed for the detection of Android malware.

Keywords: Malware detection; Android; Dynamic analysis; Permission; Intent filter

Similar Papers
  • Book Chapter
  • Cited by 25
  • 10.1007/978-3-319-24018-3_12
How Current Android Malware Seeks to Evade Automated Code Analysis
  • Jan 1, 2015
  • Siegfried Rasthofer + 3 more

First we report on a new threat campaign, underway in Korea, which infected around 20,000 Android users within two months. The campaign attacked mobile users with malicious applications spread via different channels, such as email attachments or SMS spam. A detailed investigation of the Android malware resulted in the identification of a new Android malware family Android/BadAccents. The family represents current state-of-the-art in mobile malware development for banking trojans. Second, we describe in detail the techniques this malware family uses and confront them with current state-of-the-art static and dynamic code-analysis techniques for Android applications. We highlight various challenges for automatic malware analysis frameworks that significantly hinder the fully automatic detection of malicious components in current Android malware. Furthermore, the malware exploits a previously unknown tapjacking vulnerability in the Android operating system, which we describe. As a result of this work, the vulnerability, affecting all Android versions, will be patched in one of the next releases of the Android Open Source Project.

  • Research Article
  • Cited by 44
  • 10.17485/ijst/2016/v9i21/90273
System Call Analysis of Android Malware Families
  • Jun 20, 2016
  • Indian Journal of Science and Technology
  • Sapna Malik + 1 more

Background/Objectives: Nowadays, Android malware is coded so cleverly that it has become very difficult to detect. Static analysis of malicious code is not enough for the detection of malware, as such malware hides its method calls in encrypted form or can install the methods at runtime. System call tracing is an effective dynamic analysis technique for detecting malware, as it can analyze the malware at run time. Moreover, this technique does not require the application code for malware detection. Thus, it can also detect Android malware that is difficult to detect with static analysis of code. As Android was launched in 2008, there were few studies available regarding the behavior of Android malware families and their characteristics. The aim of this work is to explore the behavior of 10 popular Android malware families, focused on the system call patterns of these families. Methods/Statistical Analysis: For this purpose, the authors extracted the system call traces of 345 malicious applications from 10 Android malware families named FakeInstaller, Opfake, Plankton, DroidKungFu, BaseBridge, Iconosys, Kmin, Adrd and Gappusin using the strace Android tool and compared them with the system call patterns of 300 benign applications to justify the behavior of malicious applications. Findings: During the experiment, it was observed that malicious applications invoke some system calls more frequently than benign applications. Different Android malware invokes different sets of system calls with different frequencies. Applications/Improvements: This analysis can prove helpful in designing intrusion-detection systems for Android mobile devices with more accuracy. Keywords: Android Kernel, Android Malware Installation Methods, Malware Families, System Call Analysis

  • Research Article
  • Cited by 59
  • 10.1109/access.2020.2965646
Android Malware Familial Classification Based on DEX File Section Features
  • Jan 1, 2020
  • IEEE Access
  • Yong Fang + 3 more

The rapid proliferation of Android malware is challenging the classification of the Android malware family. The traditional static method for classification is easily affected by the confusion and reinforcement, while the dynamic method is expensive in computation. To solve these problems, this paper proposes an Android malware familial classification method based on Dalvik Executable (DEX) file section features. First, the DEX file is converted into RGB (Red/Green/Blue) image and plain text respectively, and then, the color and texture of image and text are extracted as features. Finally, a feature fusion algorithm based on multiple kernel learning is used for classification. In this experiment, the Android Malware Dataset (AMD) was selected as the sample set. Two different comparative experiments were set up, and the method in this paper was compared with the common visualization method and feature fusion method. The results show that our method has a better classification effect with precision, recall and F1 score reaching 0.96. Besides, the time of feature extraction in this paper is reduced by 2.999 seconds compared with the method of frequent subsequence. In conclusion, the method proposed in this paper is efficient and precise in the classification of the Android malware family.

  • Research Article
  • Cited by 120
  • 10.1109/tdsc.2017.2739145
EC2: Ensemble Clustering and Classification for Predicting Android Malware Families
  • Oct 23, 2019
  • IEEE Transactions on Dependable and Secure Computing
  • Tanmoy Chakraborty + 2 more

As the most widely used mobile platform, Android is also the biggest target for mobile malware. Given the increasing number of Android malware variants, detecting malware families is crucial so that security analysts can identify situations where signatures of a known malware family can be adapted as opposed to manually inspecting behavior of all samples. We present EC2 (Ensemble Clustering and Classification), a novel algorithm for discovering Android malware families of varying sizes-ranging from very large to very small families (even if previously unseen). We present a performance comparison of several traditional classification and clustering algorithms for Android malware family identification on DREBIN, the largest public Android malware dataset with labeled families. We use the output of both supervised classifiers and unsupervised clustering to design EC2. Experimental results on both the DREBIN and the more recent Koodous malware datasets show that EC2 accurately detects both small and large families, outperforming several comparative baselines. Furthermore, we show how to automatically characterize and explain unique behaviors of specific malware families, such as FakeInstaller, MobileTx, Geinimi. In short, EC2 presents an early warning system for emerging new malware families, as well as a robust predictor of the family (when it is not new) to which a new malware sample belongs, and the design of novel strategies for data-driven understanding of malware behaviors.

  • Research Article
  • Cited by 24
  • 10.14569/ijacsa.2020.0110429
Empirical Study on Intelligent Android Malware Detection based on Supervised Machine Learning
  • Jan 1, 2020
  • International Journal of Advanced Computer Science and Applications
  • Talal A.A Abdullah + 2 more

The increasing number of mobile devices using the Android operating system in the market makes these devices the first target for malicious applications. In recent years, several Android malware applications were developed to perform certain illegitimate activities and harmful actions on mobile devices. In response, specific tools and anti-virus programs used conventional signature-based methods in order to detect such Android malware applications. However, the most recent Android malware apps, such as zero-day, cannot be detected through conventional methods that are still based on fixed signatures or identifiers. Therefore, the most recently published research studies have suggested machine learning techniques as an alternative method to detect Android malware due to their ability to learn and use the existing information to detect the new Android malware apps. This paper presents the basic concepts of Android architecture, Android malware, and permission features utilized as effective malware predictors. Furthermore, a comprehensive review of the existing static, dynamic, and hybrid Android malware detection approaches is presented in this study. More significantly, this paper empirically discusses and compares the performances of six supervised machine learning algorithms, known as K-Nearest Neighbors (K-NN), Decision Tree (DT), Support Vector Machine (SVM), Random Forest (RF), Naïve Bayes (NB), and Logistic Regression (LR), which are commonly used in the literature for detecting malware apps.

  • Research Article
  • Cited by 22
  • 10.1088/1741-2552/abb89b
Distinguishing false and true positive detections of high frequency oscillations
  • Oct 1, 2020
  • Journal of Neural Engineering
  • Stephen V Gliske + 6 more

Objective. High frequency oscillations (HFOs) are a promising biomarker of tissue that instigates seizures. However, ambiguous data and random background fluctuations can cause any HFO detector (human or automated) to falsely label non-HFO data as an HFO (a false positive detection). The objective of this paper was to identify quantitative features of HFOs that distinguish between true and false positive detections. Approach. Feature selection was performed using background data in multi-day, interictal intracranial recordings from ten patients. We selected the feature most similar between randomly selected segments of background data and HFOs detected in surrogate background data (false positive detections by construction). We then compared these results with fuzzy clustering of detected HFOs in clinical data to verify the feature’s applicability. We validated the feature is sensitive to false versus true positive HFO detections by using an independent data set (six subjects) scored for HFOs by three human reviewers. Lastly, we compared the effect of redacting putative false positive HFO detections on the distribution of HFOs across channels and their association with seizure onset zone (SOZ) and resected volume (RV). Main results. Of the 15 analyzed features, the analysis selected only skewness of the curvature (skewCurve). The feature was validated in human scored data to be associated with distinguishing true and false positive HFO detections. Automated HFO detections with higher skewCurve were more focal based on entropy measures and had increased localization to both the SOZ and RV. Significance. We identified a quantitative feature of HFOs which helps distinguish between true and false positive detections. Redacting putative false positive HFO detections improves the specificity of HFOs as a biomarker of epileptic tissue.

  • Research Article
  • Cited by 17
  • 10.1155/2019/6101697
Delving into Android Malware Families with a Novel Neural Projection Method
  • Jan 1, 2019
  • Complexity
  • Rafael Vega Vega + 5 more

Present research proposes the application of unsupervised and supervised machine‐learning techniques to characterize Android malware families. More precisely, a novel unsupervised neural‐projection method for dimensionality‐reduction, namely, Beta Hebbian Learning (BHL), is applied to visually analyze such malware. Additionally, well‐known supervised Decision Trees (DTs) are also applied for the first time in order to improve characterization of such families and compare the original features that are identified as the most important ones. The proposed techniques are validated when facing real‐life Android malware data by means of the well‐known and publicly available Malgenome dataset. Obtained results support the proposed approach, confirming the validity of BHL and DTs to gain deep knowledge on Android malware.

  • Conference Article
  • Cited by 45
  • 10.1109/tase.2019.00-20
Android Malware Family Classification and Characterization Using CFG and DFG
  • Jul 1, 2019
  • Zhiwu Xu + 2 more

Android malware has become a serious threat to our daily life, and thus there is a pressing need to effectively mitigate or defend against it. Recently, many approaches and tools to analyze Android malware have been proposed to protect legitimate users from the threat. However, most approaches focus on malware detection, while only a few of them consider malware classification or malware characterization. In this paper, we propose an extension of CDGDroid to classifying and characterizing Android malware families automatically. We first perform the static analysis used in CDGDroid to extract control-flow graphs and data-flow graphs at the instruction level. Then we encode the graphs into matrices and use them to build the family classification models via deep learning. For family characterization, we extract the n-gram sequences from the graphs, which are filtered according to the weights of the classification model built for the target family. We then construct a vector space model and select the top-k sequences as a characterization of the target family. We have conducted experiments to evaluate our approach and have found that the family classification model taking the horizontal combination of CFG and DFG as features offers the best performance in terms of accuracy among all the models. Compared with CDGDroid, Drebin and many antivirus tools gathered in VirusTotal, our family classification model gives a better performance. Finally, we have also conducted experiments on family characterization, and the experimental results have shown that our characterization can capture the malicious behaviors of the testing families.

  • Research Article
  • Cited by 21
  • 10.1109/tc.2022.3143439
Lightweight, Effective Detection and Characterization of Mobile Malware Families
  • Nov 1, 2022
  • IEEE Transactions on Computers
  • Karim O Elish + 2 more

Android malware is an ongoing threat to the security of billions of smart devices, ranging from mobile phones to car infotainment systems. Despite numerous approaches and previous studies to develop solutions for detecting and preventing Android malware, the rapid, continuous development of new malware variants requires a careful reconsideration and the development of effective methods to identify malware families given a meager number of malware instances. In this paper, we present DroidMalVet, a novel Android malware family classification and detection approach that does not require performing complex program analyses or utilizing large feature sets. DroidMalVet is the first to use a promising, diverse, and small set of software metrics as features in a supervised learning platform to classify and detect various Android malware families. Our extensive empirical evaluations on two large public malware datasets show that DroidMalVet accurately detects both small and large malware families with F-score accuracy of 94.4% and 96%, and AUC equal to 99.5% and 99.7%, on the malware families in the Drebin and AMD datasets, respectively. Moreover, our results demonstrate the superior performance of DroidMalVet in detecting small families (i.e., families with few samples). DroidMalVet complements existing approaches and presents an early warning tool for detecting known and emerging malware families.

  • Research Article
  • 10.1504/ijipsi.2016.082127
A compendious investigation of Android malware family
  • Jan 1, 2016
  • International Journal of Information Privacy, Security and Integrity
  • Mohit Dayal + 1 more

The number of malicious programs for Android is rising at an explosive rate. The security vendor McAfee has mentioned in a report that the Android platform is the most vulnerable target for hackers and that, by now, around six million unique malware programs have been observed. The most rampant Android malicious programs are found to be SMS Trojans, as discerned by experts. Man-in-the-middle (MiM), man-in-the-mobile (MitMo), etc. are examples of SMS Trojans. The second common group of threats belongs to plangton, hamob, AdWare, AndroidOS. These are detected as Trojans but are useful types of apps; all that these apps do is display advertising. The last group of malware is more dangerous, as it enables hackers to get root access on the Android operating system of various smartphones. So, to increase secure usage, preventive measures against such attacks are necessary. In this paper, we, the authors, have discussed the Android malware family, its types, lifecycle, attacking mechanism and patch cycle, and concluded with a comparative analysis of various existing Android malware.

  • Research Article
  • 10.1504/ijipsi.2016.10003026
A compendious investigation of Android malware family
  • Jan 1, 2016
  • International Journal of Information Privacy, Security and Integrity
  • Bharti Nagpal + 1 more

The number of malicious programs for Android is rising at an explosive rate. The security vendor McAfee has mentioned in a report that the Android platform is the most vulnerable target for hackers and that, by now, around six million unique malware programs have been observed. The most rampant Android malicious programs are found to be SMS Trojans, as discerned by experts. Man-in-the-middle (MiM), man-in-the-mobile (MitMo), etc. are examples of SMS Trojans. The second common group of threats belongs to plangton, hamob, AdWare, AndroidOS. These are detected as Trojans but are useful types of apps; all that these apps do is display advertising. The last group of malware is more dangerous, as it enables hackers to get root access on the Android operating system of various smartphones. So, to increase secure usage, preventive measures against such attacks are necessary. In this paper, we, the authors, have discussed the Android malware family, its types, lifecycle, attacking mechanism and patch cycle, and concluded with a comparative analysis of various existing Android malware.

  • Research Article
  • Cited by 38
  • 10.1111/2041-210x.12442
Occupancy models for data with false positive and false negative errors and heterogeneity across sites and surveys
  • Aug 22, 2015
  • Methods in Ecology and Evolution
  • Paige F.B Ferguson + 2 more

Summary. False positive detections, such as species misidentifications, occur in ecological data, although many models do not account for them. Consequently, these models are expected to generate biased inference. The main challenge in an analysis of data with false positives is to distinguish false positive and false negative processes while modelling realistic levels of heterogeneity in occupancy and detection probabilities without restrictive assumptions about parameter spaces. Building on previous attempts to account for false positive and false negative detections in occupancy models, we present hierarchical Bayesian models that utilize a subset of data with either confirmed detections of a species' presence (CP model) or both confirmed presences and confirmed absences (CACP model). We demonstrate that our models overcome the challenges associated with false positive data by evaluating model performance in Monte Carlo simulations of a variety of scenarios. Our models also have the ability to improve inference by incorporating previous knowledge through informative priors. We describe an example application of the CP model to quantify the relationship between songbird occupancy and residential development, plus we provide instructions for ecologists to use the CACP and CP models in their own research. Monte Carlo simulation results indicated that, when data contained false positive detections, the CACP and CP models generated more accurate and precise posterior probability distributions than a model that assumed data did not have false positive errors. For the scenarios we expect to be most generally applicable, those with heterogeneity in occupancy and detection, the CACP and CP models generated essentially unbiased posterior occupancy probabilities. The CACP model with vague priors generated unbiased posterior distributions for covariate coefficients. The CP model generated unbiased posterior distributions for covariate coefficients with vague or informative priors, depending on the function relating covariates to occupancy probabilities. We conclude that the CACP and CP models generate accurate inference in situations with false positive data for which previous models were not suitable.

  • Research Article
  • Cited by 121
  • 10.1890/09-1287.1
Unmodeled observation error induces bias when inferring patterns and dynamics of species occurrence via aural detections
  • Aug 1, 2010
  • Ecology
  • Brett T Mcclintock + 3 more

The recent surge in the development and application of species occurrence models has been associated with an acknowledgment among ecologists that species are detected imperfectly due to observation error. Standard models now allow unbiased estimation of occupancy probability when false negative detections occur, but this is conditional on no false positive detections and sufficient incorporation of explanatory variables for the false negative detection process. These assumptions are likely reasonable in many circumstances, but there is mounting evidence that false positive errors and detection probability heterogeneity may be much more prevalent in studies relying on auditory cues for species detection (e.g., songbird or calling amphibian surveys). We used field survey data from a simulated calling anuran system of known occupancy state to investigate the biases induced by these errors in dynamic models of species occurrence. Despite the participation of expert observers in simplified field conditions, both false positive errors and site detection probability heterogeneity were extensive for most species in the survey. We found that even low levels of false positive errors, constituting as little as 1% of all detections, can cause severe overestimation of site occupancy, colonization, and local extinction probabilities. Further, unmodeled detection probability heterogeneity induced substantial underestimation of occupancy and overestimation of colonization and local extinction probabilities. Completely spurious relationships between species occurrence and explanatory variables were also found. Such misleading inferences would likely have deleterious implications for conservation and management programs. We contend that all forms of observation error, including false positive errors and heterogeneous detection probabilities, must be incorporated into the estimation framework to facilitate reliable inferences about occupancy and its associated vital rate parameters.

  • Dissertation
  • 10.31979/etd.gjhb-v87s
Adversarial Attacks on Android Malware Detection and Classification
  • Jan 1, 2022
  • Srilekha Nune

Recent years have seen an increase in sales of intelligent gadgets, particularly those using the Android operating system. This popularity has not gone unnoticed by malware writers. Consequently, many research efforts have been made to develop learning models that can detect Android malware. As a countermeasure, malware writers can consider adversarial attacks that disrupt the training or usage of such learning models. In this paper, we train a wide variety of machine learning models using the KronoDroid Android malware dataset, and we consider adversarial attacks on these models. Specifically, we carefully measure the decline in performance when the feature sets used for training or testing are contaminated. Our experimental results demonstrated that elementary adversarial attacks pose a significant threat in the Android malware domain.

  • Book Chapter
  • Cited by 1
  • 10.1007/978-3-319-98776-7_41
Two-Phases Detection Scheme: Detecting Android Malware in Android Markets
  • Nov 5, 2018
  • Xin Su + 3 more

Recently, Android applications have become popular and important in people's daily work, life and entertainment. However, because of the open-source nature of Android, more and more malware targets this platform and launches various malicious attacks that threaten Android users' security. Previous research works focus on using static behavioral analysis to detect Android malware, which cannot capture dynamic behaviors and is inefficient at detecting Android malware. In this paper, we present an Android application two-stage detection scheme that uses two kinds of dynamic behavioral characteristics to detect Android malware. This framework first uses system call statistics to identify potentially malicious apps. After verification, if the software is clean, the application will then be released to the relevant markets. To mitigate false negative cases, users who run new apps can invoke our network traffic monitoring (NTM) tool, which triggers network traffic capture upon detecting suspicious behaviors, e.g. sensitive data being sent to the output stream of an open socket. The network traffic is analyzed to see whether it matches network characteristics observed from malware apps. If suspicious network traffic is observed, the relevant Android markets will be notified to remove the application from the repository. We trained our system call and network traffic classifiers using 32 known Android malware families and some typical normal apps. Later, we evaluated our framework using malware and normal apps other than those used in the training set. Our experimental results using 120 test apps (which consist of 50 malware and 70 normal apps) indicate that we can achieve 94.2% and 99.2% accuracy with the J48 and Random Forest classifiers, respectively, using our framework.
