The Android platform is highly targeted by malware developers, which aim to infect the maximum number of mobile devices by uploading their malicious applications to different app markets. In order to keep a healthy Android ecosystem, app-markets check the maliciousness of newly submitted apps. These markets need to (a) correctly detect malicious app, and (b) speed up the detection process of the most likely dangerous applications among an overwhelming flow of submitted apps, to quickly mitigate their potential damages. To address these challenges, we propose TriDroid, a market-scale triage and classification system for Android apps. TriDroid prioritizes apps analysis according to their risk likelihood. To this end, we categorize the submitted apps as: botnet, general malware, and benign. TriDroid starts by performing a (1) Triage process, which applies a fast coarse-grained and less-accurate analysis on a continuous stream of the submitted apps to identify their corresponding queue in a three-class priority queuing system. Then, (2) the Classification process extracts fine-grained static features from the apps in the priority queue, and applies three-class machine learning classifiers to confirm with high accuracy the classification decisions of the triage process. In addition to the priority queuing model, we also propose a multi-server queuing model where the classification of each app category is run on a different server. Experiments on a dataset with more than 24K malicious and 3K benign applications show that the priority model offers a trade-off between waiting time and processing overhead, as it requires only one server compared to the multi-server model. Also it successfully prioritizes malicious apps analysis, which allows a short waiting time for dangerous applications compared to the FIFO policy.
Read full abstract