TrojanDetector: A Multi-Layer Hybrid Approach for Trojan Detection in Android Applications

Abstract

Trojan Detection—the process of understanding the behaviour of a suspicious file has been the talk of the town these days. Existing approaches, e.g., signature-based, have not been able to classify them accurately as Trojans. This paper proposes TrojanDetector—a simple yet effective multi-layer hybrid approach for Trojan detection. TrojanDetector analyses every downloaded application and extracts and correlates its features on three layers (i.e., application-, user-, and package layer) to identify it as either a benign application or a Trojan. TrojanDetector adopts a hybrid approach, combining static and dynamic analysis characteristics, for feature extraction from any downloaded application. We have evaluated our scheme on three publicly available datasets, namely (i) CCCS- CIC-AndMal-2020, (ii) Cantagio-Mobile, and (iii) Virus share, by using simple yet state-of-the-art classifiers, namely, random forest (RF), decision tree (DT), support vector machine (SVM), and logistic regression (LR) in binary—class settings. SVM outperformed its counterparts and attained the highest accuracy of 96.64%. Extensive experimentation shows the effectiveness of our proposed Trojan detection scheme.