DroidMat: Android Malware Detection
Published on Sep 03, 2023
Recently, the threat of Android malware has been spreading rapidly, especially repackaged Android malware. Although dynamic analysis can provide a comprehensive view of Android malware, it still carries a high cost in environment deployment and manual investigation effort. In this study, we propose a static feature-based mechanism that provides a static analysis paradigm for detecting Android malware.
The mechanism considers static information, including permissions, deployment of components, Intent message passing and API calls, to characterize the behavior of Android applications. To recognize the different intentions of Android malware, different kinds of clustering algorithms can be applied to enhance the malware modeling capability. We also build on the proposed mechanism to develop a system called DroidMat. First, DroidMat extracts information (e.g., requested permissions, Intent message passing) from each application's manifest file, and treats components (Activity, Service, Receiver) as entry points from which it drills down to trace API calls related to permissions. Next, it applies the K-means algorithm, which enhances the malware modeling capability.
The number of clusters is decided by the Singular Value Decomposition (SVD) method on the low-rank approximation. Finally, it uses the kNN algorithm to classify the application as benign or malicious. The experimental results show that the recall rate of our approach is better than that of a well-known tool, Androguard, published at Blackhat 2011, which focuses on Android malware analysis. In addition, DroidMat is efficient: it takes only half the time Androguard needs to predict 1738 applications as benign or malicious.
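An added example (not DroidMat's own code) of the manifest feature extraction and kNN classification steps described above. It assumes the manifest has already been decoded to text XML (inside an APK it is stored in a binary form), uses Jaccard distance and k=3 as illustrative choices, and leaves out the API-call tracing and the K-means/SVD clustering step; the training samples and the manifest are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://schemas.android.com/apk/res/android}"
P, A = "perm:android.permission.", "android.intent.action."

def manifest_features(xml_text):
    """Static features from a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    feats = set()
    for perm in root.iter("uses-permission"):
        if perm.get(NS + "name"):
            feats.add("perm:" + perm.get(NS + "name"))
    # Components are the entry points; record which Intent actions each kind handles.
    for kind in ("activity", "service", "receiver"):
        for comp in root.iter(kind):
            for action in comp.iter("action"):
                if action.get(NS + "name"):
                    feats.add(kind + ":" + action.get(NS + "name"))
    return feats

def jaccard_distance(a, b):
    union = a | b
    return 1.0 - len(a & b) / len(union) if union else 0.0

def knn_classify(feats, labelled, k=3):
    """Majority label among the k nearest samples (k and Jaccard are example choices)."""
    nearest = sorted(labelled, key=lambda s: jaccard_distance(feats, s[0]))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]

# Constructed training samples (illustrative, not real app data).
TRAINING = [
    ({P + "INTERNET", P + "SEND_SMS", "receiver:" + A + "BOOT_COMPLETED"}, "malicious"),
    ({P + "INTERNET", P + "SEND_SMS", P + "READ_CONTACTS",
      "receiver:" + A + "BOOT_COMPLETED"}, "malicious"),
    ({P + "INTERNET", "activity:" + A + "MAIN"}, "benign"),
    ({P + "INTERNET", P + "VIBRATE", "activity:" + A + "MAIN"}, "benign"),
]

# Constructed manifest: a game that asks for SMS and starts at boot.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".Main"><intent-filter>
      <action android:name="android.intent.action.MAIN"/></intent-filter></activity>
    <receiver android:name=".Boot"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application>
</manifest>"""
```

For the constructed manifest, `knn_classify(manifest_features(SAMPLE_MANIFEST), TRAINING)` returns `"malicious"`, because two of its three nearest neighbours are the samples that combine SEND_SMS with a boot receiver.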
Getting Installed Apps:
Android has a growing selection of third-party applications, which users can acquire either through an app store such as Google Play or the Amazon Appstore, or by downloading and installing the application's APK file from a third-party site. The Play Store application allows users to browse, download and update apps published by Google and third-party developers, and is pre-installed on devices that comply with Google's compatibility requirements. The app filters the list of available applications to those that are compatible with the user's device, and developers may restrict their applications to particular carriers or countries for business reasons. But most users download APK files from third-party servers and install them on their phones. Most apps from trusted sources are not malware, but third-party servers provide malware in modified APKs. The user can therefore list all the apps installed on the phone and then identify whether an application is malware or benign.
Getting Running Tasks:
In Android, processes and applications are two different things. An app can stay "running" in the background without any processes eating up your phone's resources. Android keeps the app in its memory so it launches more quickly and returns to its prior state. When your phone runs out of memory, Android will automatically start killing tasks on its own, starting with ones that you haven't used in a while. Malware mostly runs in the background without the user's knowledge, so it can send and receive anonymous data to and from any remote server. The user can detect the application and remove it. If the user has not opened an app but it is automatically running in the background, it is known as malware.
The Android security model relies heavily on a permission-based mechanism. There are about 130 permissions that govern access to different resources. Whenever the user installs a new app, the user is prompted to approve or reject all permissions requested by the application. In this module, if the user selects any running application, its manifest permissions are shown to the user, which makes it easy for the user to identify malware. For example, a gaming application may request the SMS permission even though the application has no need for SMS; such an application can send premium-rate SMS messages to any number in the background.
Many malware samples circulating on the web can affect the Android OS, so we maintain a large malware database to easily find identified malware. If the user scans all the applications installed on the phone, each application is compared against our malware database; if any app is found to be malware, our system shows an error and instructs the user to uninstall that application. The user does not need to scan for malware every time an application is installed: our system automatically scans each newly installed application for malware. If the application is found to be malware, it shows the error.
System : Pentium IV 2.4 GHz.
Hard Disk : 40 GB.
Floppy Drive : 1.44 Mb.
Monitor : 15 VGA Colour.
Mouse : Logitech.
Ram : 512 Mb.
MOBILE : ANDROID
Operating system : Windows XP.
Coding Language : Java 1.7
Tool Kit : Android 2.3
IDE : Eclipse