Malware Apps Research Articles

Significant Permission Identification for Machine Learning Based Android Malware Detection

Abstract: The dreadful rate of growth of malicious apps has become a significant issue that sets back the prosperous mobile scheme. A recent report indicates that a brand new malicious app for golem is introduced each ten seconds. To combat this serious malware campaign, we'd like a scalable malware detection approach that may effectively and expeditiously determine malware apps. varied malware detection tools are developed, together with system-level and network-level approaches. However, scaling the detection for an outsized bundle of apps remains a difficult task. during this paper, we tend to introduce SIGPID, a malware detection system supported permission usage analysis to address the speedy increase within the range of golem malware. rather than extracting and analyzing all golem permissions, we tend to develop 3-levels of pruning by mining the permission information to spot the foremost important permissions that may be effective in identifying between benign and malicious apps. SIGPID then utilizes machine-learning based mostly classification ways to classify totally different families of malware and benign apps. Our analysis finds that solely twenty two permissions square measure important. we tend to then compare the performance of our approach, victimisation solely twenty two permissions, against a baseline approach that analyzes all permissions. The results indicate that once Support Vector Machine (SVM) is employed because the classifier, we are able to bring home the bacon over ninetieth of preciseness, recall, accuracy, and F-measure, that square measure concerning constant as those created by the baseline approach whereas acquisition the analysis times that square measure four to thirty two times but those of victimisation all permissions. Compared against alternative progressive approaches, SIGPID is more practical by sleuthing ninety three.62% of malware within the information set, and 91.4% unknown/new malware samples. Keywords: SIGPID (Significant Permission Identification), SVM(Support Vector Machine), Android, Malware, Benign, Data pruning

Learning-Based Detection for Malicious Android Application Using Code Vectorization

The malicious APK (Android Application Package) makers use some techniques such as code obfuscation and code encryption to avoid existing detection methods, which poses new challenges for accurate virus detection and makes it more and more difficult to detect the malicious code. A report indicates that a new malicious app for Android is created every 10 seconds. To combat this serious malware activity, a scalable malware detection approach is needed, which can effectively and efficiently identify the malware apps. Common static detection methods often rely on Hash matching and analysis of viruses, which cannot quickly detect new malicious Android applications and their variants. In this paper, a malicious Android application detection method is proposed, which is implemented by the deep network fusion model. The hybrid model only needs to use the sample training model to achieve high accuracy in the identification of the malicious applications, which is more suitable for the detection of the new malicious Android applications than the existing methods. This method extracts the static features in the core code of the Android application by decompiling APK files, then performs code vectorization processing, and uses the deep learning network for classification and discrimination. Our experiments with a data set containing 10,170 apps show that the decisions from the hybrid model can increase the malware detection rate significantly on a real device, which verifies the superiority of this method in the detection of malicious codes.

Anti-malware engines under adversarial attacks

Mobile phones have crawled into our lives with such rapidity and have reformed our lives in a short span. Malware is entangled with all forms of mobile applications causing havoc and distress. State of the art malware detection systems have exercised learning-based techniques successfully to discriminate benign contents from malware. But, Machine Learning (ML) models are vulnerable to adversarial samples and are not intrinsically robust against adversarial attacks. The adversarial samples generated against ML models degrade the model's performance. Adversarial attacks are utilized by malware authors to hinder the working of ML-based malware detection approaches. This article coheres into the effects of evasion attacks on an anti-malware engine utilizing a feed forward deep neural network model. Experiments on Android malware apps is explored by structuring a comprehensive feature engineering scheme for the Drebin dataset through static analysis. The results demonstrate the realistic threat and demand the need to develop adaptive defenses to foster a secure learning model which is immune to adversarial attacks.

Game Theory based Cyber-Insurance to Cover Potential Loss from Mobile Malware Exploitation

Potential for huge loss from malicious exploitation of software calls for development of principles of cyber-insurance. Estimating what to insure and for how much and what might be the premiums poses challenges because of the uncertainties, such as the timings of emergence and lethality of malicious apps, human propensity to favor ease by giving more privilege to downloaded apps over inconvenience of delay or functionality, the chance of infection determined by the lifestyle of the mobile device user, and the monetary value of the compromise of software, and so on. We provide a theoretical framework for cyber-insurance backed by game-theoretic formulation to calculate monetary value of risk and the insurance premiums associated with software compromise. By establishing the conditions for Nash equilibrium between strategies of an adversary and software we derive probabilities for risk, potential loss, gain to adversary from app categories, such as lifestyles, entertainment, education, and so on, and their prevalence ratios. Using simulations over a range of possibilities, and using publicly available malware statistics, we provide insights about the strategies that can be taken by the software and the adversary. We show the application of our framework on the most recent mobile malware data (2018 ISTR report—data for the year 2017) that consists of the top five Android malware apps: Malapp, Fakeinst, Premiumtext, Maldownloader , and Simplelocker and the resulting leaked phone number, location information, and installed app information. Uniqueness of our work stems from developing mathematical framework and providing insights of estimating cyber-insurance parameters through game-theoretic choice of strategies and by showing its efficacy on a recent real malicious app data . These insights will be of tremendous help to researchers and practitioners in the security community.

Multimodal information fusion for android malware detection using lazy learning

Android has a large number of users that are accumulating with each passing day. Security of the Android ecosystem is a major concern for these users with the provision of quality services. In this paper, multimodal analysis of malware apps has been presented. We exploit static, dynamic, and visual features of apps to predict the malicious apps using information fusion. The proposed study applies case-based reasoning; for catalyzing the process of training and validation over renowned datasets with enriched feature-set. Our proposed semi-supervised technique uses benign and malicious apps to predict and classify malware. The prediction process uses a hybrid analysis of malware. The proposed approach, due to the efficient and adaptive nature of CBR, outperforms prevalent approaches. Our approach has an accuracy of 95% and reduced rate of false negative rate and a better precision metric, which beat the state-of-the-art techniques.

APP-NTS: a network traffic similarity-based framework for repacked Android apps detection

The popularity of Android brings much functionality to its users but it also brings many threats. Repacked Android application is one such threat which is the root of many other threats such as malware, phishing, adware, and economical loss. Earlier many techniques have been proposed for the detection of repacked application but they have their limitations and bottlenecks. The issue of malware and duplicate apps affecting the smartphones are being reported on a large scale and has drawn the attention of many researchers. Major of these issues target Android-based phones. Repackaged apps are usually infected versions of popular apps. Adversaries download a popular Android app, and obtain the code using reverse engineering and then add their code (often malicious) to it and repackage and release the app. The existing methods focus primarily on the extraction of apps’ behavior and comparing the same with their static code. These have the least chance of detecting the code obfuscation and the dynamic behavior of apps. Therefore, a framework of App-NTS is proposed which extracts the dynamic behavior of the apps from the network traffic analysis. The dynamic vantage point algorithm used for the comparative analysis of the apps’ behavior, which significantly helps in reducing the time complexity. Experimental analysis has detected 365 repacked apps from 8645 apps that are downloaded from various online markets and have also brought dramatic results in terms of better performance with Mean Square Error value decreased by 41% and Log loss reduced by 35.2%. There is an increase in accuracy of 18.3% when compared to other states of the art techniques.

MEGDroid: A model-driven event generation framework for dynamic android malware analysis

The tremendous growth of Android malware in recent years is a strong motivation for the vast endeavor in detection and analysis of malware apps. A prominent approach for this purpose is dynamic analysis in which providing complex interactions with the samples under analysis is a need. Event generation tools are almost used to provide such interactions, but they have deficiencies for effective malware analysis. For example, anti-static and anti-dynamic analysis techniques employed by the malware prevent event generators to extract sufficient information for generating appropriate events. As a result, they fail to trigger malicious payloads or obtain high code coverage in most cases. In this paper, we aim to present a new framework to improve the event generation process for dynamic analysis of Android malware. We propose MEGDroid, a Model Driven Engineering (MDE) framework in which malware-related information is automatically extracted and represented as a domain-specific model. This model, then is used to generate appropriate events for malware analysis using model-to-model and model-to-code transformations. The proposed model-driven artifacts also provide required facilities to put the human in the loop for properly taking his/her knowledge into account. The proposed framework has been realized as an Eclipse plugin and we performed extensive practical analysis on a set of malware samples selected from the AMD dataset. The experimental results showed that MEGDroid considerably increases the number of triggered malicious payloads as well as the execution code coverage compared with Monkey and DroidBot, as two state of the art general-purpose and malware specific event generators respectively. The proposed MDE approach, enhances the event generation process through both automatic event generation and analyzer user involvement who can efficiently direct the process to increase the effectiveness of the generated events considering small amount of information that is extractable from the malware code.

Feature Subset Selection for Malware Detection in Smart IoT Platforms.

Malicious software (“malware”) has become one of the serious cybersecurity issues in Android ecosystem. Given the fast evolution of Android malware releases, it is practically not feasible to manually detect malware apps in the Android ecosystem. As a result, machine learning has become a fledgling approach for malware detection. Since machine learning performance is largely influenced by the availability of high quality and relevant features, feature selection approaches play key role in machine learning based detection of malware. In this paper, we formulate the feature selection problem as a quadratic programming problem and analyse how commonly used filter-based feature selection methods work with emphases on Android malware detection. We compare and contrast several feature selection methods along several factors including the composition of relevant features selected. We empirically evaluate the predictive accuracy of the feature subset selection algorithms and compare their predictive accuracy and the execution time using several learning algorithms. The results of the experiments confirm that feature selection is necessary for improving accuracy of the learning models as well decreasing the run time. The results also show that the performance of the feature selection algorithms vary from one learning algorithm to another and no one feature selection approach performs better than the other approaches all the time.

Detection of malicious Android applications using Ontology-based intelligent model in mobile cloud environment

Mobile Cloud Computing (MCC) is a computing model that makes mobile devices resourceful by executing mobile applications (apps) in the cloud and storing data in cloud servers. MCC faces several security threats in both the Cloud and Mobile environments. Among several threats, malicious apps are the most threatening ones, because they can perform various malicious activities in both environments. The traditional malware detection methods may not detect new types of malware or rapidly changing malware behavior. So, there is a need to develop an accurate model for detecting malicious apps in the MCC environment. Scalability and Knowledge Reusability are challenging issues in existing detection methods. To overcome these issues, the proposed model uses an effective Ontology-based intelligent model based on app permissions to detect malware apps. This model extracts the relationship between the static features from the apps and builds an Apps Feature Ontology (AFO). A concept vector set for apps is created using the items obtained from the AFO. The most discriminant features are selected using optimization algorithms like Particle Swarm Optimization, Social Spider Algorithm (SSA), and Gravitational Search Algorithm to reduce the dimension of the concept vector set. Various classifiers are applied to the reduced set. The efficiency of the proposed approach was evaluated on datasets obtained from the AndroZoo repository and VirusShare. The experimental results reveal that the proposed model can correctly detect malware using the Random Forest (RF) classifier with SSA and achieve higher detection accuracy with the lesser fall-out and less detection speed than existing Android malware detection techniques. Specifically, RF with SSA obtained higher accuracy, F1-score, and reduction in the fall-out of 94.11%, 93%, and 3%, respectively.

HybriDroid: an empirical analysis on effective malware detection model developed using ensemble methods

Malware detection from the smartphone has become a challenging issue for academicians and researchers. In this research paper, we applied five distinct machine learning algorithms and three different ensemble methods to develop a model for detecting malware from an Android-based smartphone. In this study, we proposed a framework that helps in selecting the right sets of the feature with an aim to improve the performance of the malware detection models. The proposed malware detection framework is then validated by considering two distinct performance parameters, i.e., accuracy and F-measure as a benchmark to detect malware from real-world apps. We performed an empirical study on thirty different categories of Android apps. The experimental data set consists of 1,94,659 benign apps and 67,538 malware apps that are collected from different promised repositories. Empirical results reveal that the models developed by using the proposed feature selection framework are able to detect more malware-infected apps when compared to all extracted feature sets. Moreover, the malware detection model build by using nonlinear ensemble decision tree forest (NDTF) approach is achieved a detection rate of 98.8%. In addition to that, the proposed malware detection framework is more effective in detecting malware-infected apps as compared to different anti-virus scanners and different frameworks or approaches developed in the literature.

NATICUSdroid: A malware detection framework for Android using native and custom permissions

The rapid growth of Android apps and its worldwide popularity in the smartphone market has made it an easy and accessible target for malware. In the past few years, the Android operating system (AOS) has been updated several times to fix various vulnerabilities. Unfortunately, malware apps have also upgraded and adapted to this evolution. The ever-increasing number of native AOS permissions and developers’ ability to create custom permissions provide plenty of options to gain control over devices and private data. Therefore, newly created permissions could be of great importance in detecting current malware. Previous popular works on malware detection used apps collected during 2010–2012 to propose malware detection and classification methods. A majority of permissions used in those apps are not as widely used or do not exist anymore. In this work, we present a novel malware detection framework for Android called NATICUSdroid, which investigates and classifies benign and malware using statistically selected native and custom Android permissions as features for various machine learning (ML) classifiers. We analyze declared permissions in more than 29,000 benign and malware collected during 2010–2019 to identify the most significant permissions based on the trend. Subsequently, we collect these identified permissions that include both the native and custom permissions. Finally, we use feature selection techniques and evaluate eight ML algorithms for NATICUSdroid to distinguish benign apps from malware. Experimental results show that the Random Forest classifier based model performed best with an accuracy of 97%, a false-positive rate of 3.32%, and an f-measure of 0.96.

Android malware detection through machine learning on kernel task structures

With the advent of smart phones, the popularity of free Android applications has risen rapidly. This has led to malicious Android apps being involuntarily installed, which violate the user privacy or conduct attack. Malware detection on Android platforms therefore is a growing concern because of the undesirable similarity between malicious behavior and benign behavior, which can lead to slow detection, and allow compromises to persist for comparatively long periods of time in infected phones.The contributions of this paper are first a multiple dimensional, kernel feature-based framework and feature weight-based detection (WBD) designed to categorize and comprehend the characteristics of Android malware and benign apps. Furthermore, our software agent is orchestrated and implemented for the data collection and storage to scan thousands of benign and malicious apps automatically. We examine 112 kernel attributes of executing the task data structure in the Android system and evaluate the detection accuracy with a number of datasets of various dimensions. We find that memory- and signal-related features contribute to more precise classification than schedule-related and other descriptors of task states listed in our paper. Particularly, memory-related features provide fine-grain classification policies for preserving higher classification precision than the signal-related and others. Furthermore, we study and evaluate 80 newly infected attributes of the Android kernel task structure, prioritizing the 70 features of most significance based on dimensional reduction to optimize the efficiency of high-dimensional classification.Our second contribution is that our experiments demonstrate that, as compared to existing techniques with a short list of task structure features (16 or 32 features), our method can achieve 94%-98% accuracy and 2%–7% false positive rate, while detecting malware apps with reduced-dimensional features that adequately abbreviate online malware detections and advance offline malware inspections.

Hybrid classification of Android malware based on fuzzy clustering and the gradient boosting machine

The widespread use of smartphones in recent years has led to a significant rise in the sophistication and number of Android malicious applications (apps) targeting smartphone users. Android-based smartphones attract attackers more than other smartphones due to the popularity and open source features of the Android environment. Malware apps pose a potential threat to the security of Android-based smartphones because of the storage of confidential and private information. To improve the classification efficiency of Android malicious apps, this paper proposes a hybrid approach for the classification of Android malware by integrating the fuzzy C-means clustering (FCM) algorithm with the light gradient boosting machine (LightGBM). First, the fuzzy clustering method is utilized for generating highly significant clusters of the Android apps’ permissions that reflect the certain characteristics of the Android apps. The primary goal of using fuzzy clustering is to produce new features by gathering Android app permissions with related patterns together in clusters. Second, the LightGBM is employed to take the app’s permissions and their clusters resulting from FCM as inputs and outputs the classification result as a malware or goodware app after the training. The advantages of using LightGBM are its high learning efficiency and precise classification. The significance of the proposed approach is illustrated by conducting several experiments using a well-known dataset containing benign and malware Android apps. The results of the experiments show that the suggested approach outperforms the other approaches and attains the highest accuracy (94.63%), area under the curve (AUC) (98.74%) and precision (97.70%).

K-NEAREST NEIGHBOUR CLASSIFIER USAGE FOR PERMISSION BASED MALWARE DETECTION IN ANDROID

ABSTRACT
 Android application platform is making rapid progress in these days. This development has made it the target of malicious application developers. This situation provides a numerical increase in malware apps, diversity in techniques, and rise of damage. Therefore, it is very critical to detect these software and escalation the security of mobile users. Static and dynamic analysis, behaviour scrutiny, machine learning methods are used to ensure security. In this study, K-nearest Neighbourhood (KNN) classifier, one of the machine learning methods, is used. Thus, it is aimed to detect malignant mobile software successfully and quickly. The tests is conducted with dataset includes 492 malware and 697 benign applications. In the proposed algorithm, neighbour number 5 and distance metric is preferred as Minkowski. 80% of dataset randomly selected is reserved for training and 20% for testing. As a result, while 94.1% accuracy is achieved, precision 91.2%, recall 92.7% recall and f1-measure is 92.4%. The high value obtained in f1-measure shows that the proposed model is successful in detecting both malware and benevolent software. The success of using KNN algorithm in classification of malicious apps in the Android has been demonstrated.

Exploring permissions in android applications using ensemble-based extra tree feature selection

<span>The fast development of mobile apps and its usage has led to increase the risk of exploiting user privacy. One method used in Android security mechanism is permission control that restricts the access of apps to core facilities of devices. However, that permissions could be exploited by attackers when granting certain combinations of permissions. So, the aim of this paper is to explore the pattern of malware apps based on analyzing permissions by proposing framework utilizing feature selection based on ensemble extra tree classifier method and machine learning classifier. The used dataset had 25458 samples (8643 malware apps & 16815 benign apps) with 173 features. Three dataset with 25458 samples and 5, 10 and 20 features respectively were generated after using the proposed feature selection method. All the dataset was fed to machine learning. Support Vector machine (SVM), K Neighbors Classifier, Decision Tree, Naïve bayes and Multilayer Perceptron (MLP) classifiers were used. The classifiers models were evaluated using true negative rate (TNR), false positive rate (FNR) and accuracy metrics. The experimental results obtained showed that Support Vector machine and KNeighbors Classifiers with 20 features achieved the highest accuracy with 94 % and TNR with rate of 89 % using KNeighbors Classifier. The FNR rate is dropped to 0.001 using 5 features with support vector machine (SVM) and Multilayer Perceptrons (MLP) classifiers. The result indicated that reducing permission features improved the performance of classification and reduced the computational overhead.</span>

Analysis of Permissions Correlation for Android Apps Using Statistical SVD Approach

Nowadays, almost all the users use Android applications in their smart phones for various reasons Since Android is free operating system, android-apps can be easily downloaded via biggest open app stores and third-party mobile app markets. But these applications were not guaranteed whether these are malware apps or not by legitimate organizations. As mobile phones are glued with most of the people, malware applications threaten all of them for their private information. So, the work of analysis for the apps is very important. The proposed system analyzes the correlation patterns of app’s permissions that must be used in all android apps by developers by using a statistical technique called singular value decomposition (SVD). The analysis phase uses the numbers of malware samples 50 to 300 from https://www.kaggle.com/goorax/static-analysis-of-android-malware-of-2017. The proposed system evaluates the risk level (High, Medium, and Low) of Android applications based on the correlation patterns of permissions. The system accuracy is 85% for both malware and goodware applications.
 Nowadays, almost all the users use Android applications in their smart phones for various reasons Since Android is free operating system, android-apps can be easily downloaded via biggest open app stores and third-party mobile app markets. But these applications were not guaranteed whether these are malware apps or not by legitimate organizations. As mobile phones are glued with most of the people, malware applications threaten all of them for their private information. So, the work of analysis for the apps is very important. The proposed system analyzes the correlation patterns of app’s permissions that must be used in all android apps by developers by using a statistical technique called singular value decomposition (SVD). The analysis phase uses the numbers of malware samples 50 to 300 from https://www.kaggle.com/goorax/static-analysis-of-android-malware-of-2017. The proposed system evaluates the risk level (High, Medium, and Low) of Android applications based on the correlation patterns of permissions. The system accuracy is 85% for both malware and goodware applications.

Intelligent mobile malware detection using permission requests and API calls

Malware is a serious threat that has been used to target mobile devices since its inception. Two types of mobile malware attacks are standalone: fraudulent mobile apps and injected malicious apps. Defending against the cyber threats of mobile malware requires a strong understanding of the permissions declared in applications and application programmeinterface (API) calls. In this paper, we propose an effective classification model that combines permission requests and API calls. As Android apps use a large number of APIs, we propose three different grouping strategies for choosing the most valuable API calls to maximize the likelihood of identifying Android malware apps: the ambiguous group, risky group, and disruptive group. The results demonstrate that compared with benign apps, malicious applications invoke a different set of API calls and that mobile malware often requests dangerous permissions to access sensitive data more often than benign apps. Empirical results obtained with a real malware dataset containing 27,891 Android apps suggest that our proposed method is effective at detecting mobile malware apps and achieves an F-measure of 94.3%. Our model can significantly assist in the process of malware forensic investigation and mobile application analysis.

GOOGLE PLAY STORE BASED APPLICATIONS FOR SEARCH RANK FRAUD AND MALWARE DETECTION

Google play store contains million of apps and thousands of applications are published on every day. To promote the app and make the users to download is becoming complicated; the published try to increase the visibility of the app on the search console. Also it becomes difficult for the users to identify the malware app and download the good one. Few publishers on the play store try to increase their apps rank with fraud and black hat methods. The publishers increase their ranking by create fake bot reviews; provide fake rating through fake accounts. This misleads the users to download the malware apps from the store. In the proposed model, we try to identify the fair reviews and fake reviews by mining the reviewer profile, their rating patterns. With help of fair play detection we also identify that most of the malware apps use fraud ranking strategies to improve their downloads.

Empirical Study on Intelligent Android Malware Detection based on Supervised Machine Learning

The increasing number of mobile devices using the Android operating system in the market makes these devices the first target for malicious applications. In recent years, several Android malware applications were developed to perform certain illegitimate activities and harmful actions on mobile devices. In response, specific tools and anti-virus programs used conventional signature-based methods in order to detect such Android malware applications. However, the most recent Android malware apps, such as zero-day, cannot be detected through conventional methods that are still based on fixed signatures or identifiers. Therefore, the most recently published research studies have suggested machine learning techniques as an alternative method to detect Android malware due to their ability to learn and use the existing information to detect the new Android malware apps. This paper presents the basic concepts of Android architecture, Android malware, and permission features utilized as effective malware predictors. Furthermore, a comprehensive review of the existing static, dynamic, and hybrid Android malware detection approaches is presented in this study. More significantly, this paper empirically discusses and compares the performances of six supervised machine learning algorithms, known as K-Nearest Neighbors (K-NN), Decision Tree (DT), Support Vector Machine (SVM), Random Forest (RF), Naïve Bayes (NB), and Logistic Regression (LR), which are commonly used in the literature for detecting malware apps.

Finding Grade Fake and Virus Identifying in Play Store

Deceitful behaviors in Google Play, the leading favored robot application market, fuel search ranking misuse as well as malware proliferation. to spot malware, previous job has actually centred on application practicable and also permission analysis. during this paper, we often tend to introduce Justice, a distinct system that finds and leverages traces left by scammers, to sight each malware as well as applications based on go looking rank fraudulence. Fair game correlates review tasks as well as unambiguously incorporates identified testimonial relations with linguistic and also task signals obtained from Google Play application expertise (87 K applications, 2.9 M evaluations, and 2.4 M customers, gathered over 0.5 a year), to spot suspicious applications. Fair game attains over ninety-five plc. accuracy in categorizing gold normal datasets of malware, unethical as well as Bonafede apps. we tend to reveal that seventy-five plc. of the identified malware apps have interaction in search rank fraud. Fair Play discovers numerous dishonest applications that presently escape Google Baby bouncer's detection innovation. Fair Play furthermore helped the creation of rather one,000 reviews, reportable for 193 apps, that reveal a new sort of "forceful" review project: users are troubled into composing favorable evaluations and also mount as well as assess alternative applications.