apps, we rely on API-level information within the bytecode, since it conveys
substantial semantics about an app's behaviour. More specifically, we focus
on critical API calls and their package-level information.
Rather than simply treating individual API calls as items, we represent
an item as a combination of a caller and a callee API, thereby capturing one
level of control flow and context between caller and callee. Each item in our
model is of the form A%B, where A is the caller and B is the callee. We use
Androguard [8], a reverse engineering tool, to perform API-level feature
extraction and data flow analysis. In summary,
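The item construction described here can be sketched as follows; the call-graph edges are toy data standing in for what Androguard would extract from a real app's bytecode:

```python
def make_items(call_edges):
    """Build caller%callee items from (caller, callee) API pairs.

    Each item encodes one level of control flow: the calling method
    and the critical API it invokes.
    """
    return sorted({f"{caller}%{callee}" for caller, callee in call_edges})

# Toy call-graph edges; a real pipeline would obtain these from
# Androguard's analysis of the APK.
edges = [
    ("Lcom/app/Main;->onCreate", "Landroid/telephony/SmsManager;->sendTextMessage"),
    ("Lcom/app/Main;->onCreate", "Landroid/telephony/TelephonyManager;->getDeviceId"),
]
items = make_items(edges)
```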
Chapter                                                                              Page
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Problem Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.4 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Background Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1 Android System Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1.1 Linux kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1.2 Libraries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.3 Android runtime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.4 Application framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.1.5 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2 Dalvik Virtual Machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2.1 Hardware constraints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2.2 Bytecode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.3 Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.3.1 Application components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.3.2 Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.3.3 Native code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2.3.4 Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.4 Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.4.1 Types of malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.4.2 Malware distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.4.3 Malware data sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4 Android Malware Detection Using Permissions and API Calls . . . . . . . . . . . . . . . 19
4.1 Android Application Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.1.1 Android Security Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.1.2 Android Permission Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
4.2 Static analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.2.1 Androguard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.2.2 APK Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
4.2.3 Monkey and Monkeyrunner . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
4.2.4 AndroViewClient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
4.3 Dynamic Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
4.3.1 Droidbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
4.3.2 Taintdroid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
4.4 Reverse engineering Android App . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4.4.1 Static Feature Extraction and Refinement . . . . . . . . . . . . . . . . . . . . 27
4.5 Proposed Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.5.1 Application categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.5.2 Bayesian Classification Model . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.6 Experiment Results and Discussions . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.6.1 Data set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.6.2 Evaluation measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5 Android Malware Detection using Association Rule based Classification . . . . . . . . . 34
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
5.1.1 Problem Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
5.2 Background Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.2.1 Association Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.2.2 Apriori Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
5.2.3 The Frequent Itemset Mining Stage . . . . . . . . . . . . . . . . . . . . . . . 36
5.2.4 The Rule Generation Stage . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
5.2.5 Reverse engineering Android App . . . . . . . . . . . . . . . . . . . . . . . . 37
5.2.6 Generation of items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
5.3 Proposed Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
5.3.1 Feature Extraction and Refinement . . . . . . . . . . . . . . . . . . . . . . . 39
5.3.2 Classification rule mining . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
5.3.3 Generating the Complete Set of CARs . . . . . . . . . . . . . . . . . . . . . . 41
5.3.4 The CBA-RG algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
5.3.5 Building a Classifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
5.4 Experimental Results and Discussions . . . . . . . . . . . . . . . . . . . . . . . . 43
5.4.1 Data set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.4.2 Evaluation measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
6 Conclusions and Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
List of Figures
Figure                                                                               Page
1.1 Android malware growth in 2014 . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1 Android low level system architecture . . . . . . . . . . . . . . . . . . . . . . . 6
2.2 Android application build process . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.1 Android Folder Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
4.2 AndroidManifest . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
4.3 Taintdroid Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4.4 Different Stages in Feature Extraction . . . . . . . . . . . . . . . . . . . . . . . 27
4.5 Top 20 Permissions & API Calls with the Highest Difference Between Malware and
Benign Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
4.6 Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
4.7 Error Rate & Accuracy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
4.8 True Negative & False Positive Rate . . . . . . . . . . . . . . . . . . . . . . . . 32
4.9 True Positive & False Negative Rate . . . . . . . . . . . . . . . . . . . . . . . . 32
4.10 Precision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
4.11 Recall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
5.1 Apriori algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
5.2 Different Stages in Feature Extraction . . . . . . . . . . . . . . . . . . . . . . . 39
5.3 Top 20 APIs with the Highest Difference Between Malware and Benign Apps . . . . . 40
5.4 Precision & Recall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
5.5 TP Rate & FP Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
5.6 Android malware detection analysis with different classifiers from the Precision-Recall
view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Chapter 1
Introduction
1.1 Motivation
With an estimated market share of 70% to 80%, Android has become the
most popular operating system for smartphones and tablets [4]. Within the
past several years, the popularity of smartphones and other kinds of mobile
devices like tablets has risen significantly. This fact is accompanied by the
large amount and variety of mobile applications (typically abbreviated as
apps) and the increased functionality of the mobile devices themselves.
Several mobile operating systems are available, with iOS and Android being
the most popular ones according to latest studies. As a side effect of this
popularity, centralized application marketplaces like Google Play and Apple’s
App Store have massively grown. Such marketplaces enable developers to
upload their own applications in a convenient way and users can download
these apps directly to their mobile devices. Besides the official markets from
platform vendors (e.g., Google and Apple) and manufacturers (e.g., Samsung
and HTC), a large number of unofficial third-party marketplaces have
emerged. Most of these markets contain thousands of apps and have millions
of downloaded apps per month.
This fast growth rate also has a downside: attackers have realized that
rogue apps can be used to target smartphones and in the recent past,
malicious software for smartphones became popular. Mobile threat
researchers indeed recognize an alarming increase of Android malware from
2013 to 2014 and estimate that the number of detected malicious apps is now
in the range of 120,000 to 718,000 [3]. In the summer of 2012, the
sophisticated Eurograbber attack showed that mobile malware may be a very
lucrative business by stealing an estimated €36,000,000 from bank customers
in Italy, Germany, Spain and the Netherlands [1].
Android’s open design allows users to install applications that do not
necessarily originate from the Google Play Store. With over 1 million apps
available for download via Google’s official channel, and possibly another
million spread among third-party app stores, we can estimate that there are
over 20,000 new applications being released every month. This requires
malware researchers and app store administrators to have access to a scalable
solution for quickly analyzing new apps and identifying and isolating
malicious applications.
Google reacted to the growing interest of miscreants in Android by
revealing Bouncer in February 2012, a service that checks apps submitted to
the Google Play Store for malware. However, research has shown that
Bouncer’s detection rate is still fairly low and that it can easily be bypassed
[32]. A large body of similar research on Android malware has been
proposed, but none of them provide a comprehensive solution to obtain a
thorough understanding of unknown applications: Blasing et al. [13] limit
their research to a system call analysis, Enck et al. [22] focus on taint
tracking, Rastogi et al. [42] and Spreitzenbarth et al. [49] track only specific
API invocations, and work done by Yan and Yin [56] is bound to use an
emulator.
1.3 Contributions
With attention to the rapid growth of malicious Apps and the disappointing
results of current security software [60], there is a pressing need to develop
effective solutions to deal with malware. Instead of using static signatures, an
effective alternative is to use characteristic- and heuristic-based methods,
which try to detect malware by observing the statistical characteristics and
features of mobile applications. One of the most popular heuristic methods is
malware detection based on statically requested permissions, which checks what
types of resources, such as the Wi-Fi network, user location, and user contact
information, an App requests at installation (Android provides over 130
permissions for developers to control the resources that an App can request [30]).

Figure 1.1: Android malware growth in 2014

Although the pure permission-based method is simple and has shown moderate
results, its performance is not reliable, mainly because developers can freely
request any permission they want in order to mimic the requested permissions
of benign applications. On the other hand, observing the dynamic behaviour of
Apps, such as dynamic API calls, is far more accurate than permission-based
methods in capturing the runtime activities of an App. However, analyzing an
app's runtime behaviour is not simple and requires a large volume of resources,
implying overhead and processing time. Motivated by the above observations,
we propose a framework for analyzing and classifying Android applications
based on learning techniques. The framework rests on a combination of
requested permissions and static API call behaviour; it extracts features from
these parameters and builds classifiers to detect malicious applications.
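As an illustrative sketch of this feature construction (the vocabulary below is invented for the example, not the thesis's actual feature set), each app can be encoded as a binary vector over the observed permissions and API-call items:

```python
def to_feature_vector(app_features, vocabulary):
    """Encode one app as a binary vector over a fixed vocabulary
    of requested permissions and static API-call features."""
    present = set(app_features)
    return [1 if feat in present else 0 for feat in vocabulary]

# Illustrative vocabulary mixing the two feature kinds.
vocabulary = [
    "android.permission.SEND_SMS",   # requested permission
    "android.permission.READ_CONTACTS",
    "SmsManager%sendTextMessage",    # static API-call item
]
vec = to_feature_vector(
    ["android.permission.SEND_SMS", "SmsManager%sendTextMessage"], vocabulary
)
```

Such vectors, one per app, are what a classifier is then trained on.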
1.4 Outline
Finally, in Chapter 6, we propose a number of future research directions and
possible extensions to our implementations and conclude our work.
Chapter 2
Background Information
The Android software stack is illustrated in figure 2.1. In this figure, green
items are components written in native code (C/C++), while blue items are
Java components interpreted and executed by the Dalvik Virtual Machine.
The bottom red layer represents the Linux kernel components and runs in
kernel space.
In the following subsections, we briefly discuss the various abstraction
layers using a bottom-up approach. For a more detailed overview, we refer to
existing studies [20].

2.1.1 Linux kernel
Android uses a specialized version of the Linux Kernel with a few special
additions. These include wakelocks (mechanisms to indicate that apps need to
have the device stay on), a memory management system that is more
aggressive in preserving memory, the Binder IPC driver, and other features
that are important for a mobile embedded platform like Android.
Figure 2.1: Android low level system architecture
2.1.2 Libraries
A set of native C/C++ libraries is exposed to the Application Framework
and Android Runtime via the Libraries component. These are mostly external
libraries with only very minor modifications, such as OpenSSL, WebKit and
bzip2. The essential C libraries, codenamed Bionic, were ported from BSD's
libc and were rewritten to support ARM hardware and Android’s own
implementation of pthreads based on Linux futexes.
3. Telephony Manager: The Telephony Manager provides access to
information about the telephony services on the device such as the
phone’s unique device identifier (IMEI) or the current cell location. It is
also responsible for managing phone calls.
2.1.5 Applications
Applications or apps are built on top of the Application Framework and are
responsible for the interaction between end-users and the device. It is unlikely
that an average user ever has to deal with components not in this layer.
Pre-installed applications offer a number of basic tasks a user would like to
perform (making phone calls, browsing the web, reading e-mail, etc.), but
users are free to install third-party applications to use other features (e.g.,
play games, watch videos, read news, use GPS navigation, etc.). We discuss
Android applications in more detail in Section 2.3.
application is supposed to run in its own process and has its own memory
space which means that each application should run in its own VM.
It was argued that the hardware constraints made it hard to fulfill the
security requirements using existing Java virtual machines [2]. To overcome
these issues, Android uses the Dalvik VM. A special instance of the DVM is
started at boot time and becomes the parent of all future VMs. This VM is
called the Zygote process; it preloads and pre-initializes all system classes
(the core libraries discussed in Section 2.1.3). Once started, it listens on a
socket and fork()s on command whenever a new application start is
requested. Using fork() instead of starting a new VM from scratch speeds up
application start-up, and by sharing the memory pages that contain the
preloaded system classes, Android also reduces the memory footprint of
running applications.
Furthermore, as opposed to regular stack-based virtual machines (a
mechanism that can be ported to any platform), the DVM is register-based and
is designed specifically to run on ARM processors. This allowed the VM
developers to add more speed optimizations.
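The preload-then-fork idea behind Zygote can be illustrated in miniature with POSIX fork(); the preloaded "system classes" here are just a placeholder dictionary, and this sketch assumes a Unix-like OS:

```python
import os

# Parent process ("Zygote") preloads shared state once, at startup.
preloaded_classes = {"java.lang.Object": object, "java.util.List": list}

pid = os.fork()
if pid == 0:
    # Child ("new app VM"): inherits the preloaded pages via
    # copy-on-write instead of loading the system classes from scratch.
    os._exit(0 if "java.lang.Object" in preloaded_classes else 1)
else:
    _, status = os.waitpid(pid, 0)  # parent waits for the child to finish
```

Because the pages are shared copy-on-write, starting each "app" this way costs far less than booting a fresh VM.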
2.2.2 Bytecode
2.3 Apps
Figure 2.2: Android application build process
2.3.1 Application components
Activities
Services
Content providers
Broadcast receivers
broadcast is the battery low announcement. Ordered broadcasts, on the
other hand, are first passed to the receiver with the highest priority, before
being forwarded to the receiver with the second highest priority, etc. An
example for this is the incoming SMS text message announcement. Broadcast
receivers that receive ordered broadcasts can, when done processing the
announcement, decide to abort the broad-cast so that it is not forwarded to
other receivers. In the example of incoming text messages, this allows
vendors to develop an alternative text message manager that can disable the
existing messaging applica-tion by simply using a higher priority receiver and
aborting the broadcast once it finished handling the incoming message.
Intents
2.3.2 Manifest
languages like C and C++ so that they can reuse existing code libraries
code usage are self-contained, CPU intensive operations such as signal
processing, game engines, and so on. Unlike Java bytecode, native code runs
directly on the processor and is thus not interpreted by the Dalvik VM.
2.3.4 Distribution
Android users are free to install any (third-party) application via the
Google Play Store (previously known as the Android Market). Google Play is
an online application distribution platform where users can download and
install free or paid applications from various developers (including Google
itself). To protect the Play Store from malicious applications, Google uses an
in-house developed automated anti-virus system named Google Bouncer.
Users also have the possibility to install applications from sources other
than Google Play. For this, a user must enable the unknown sources option in
the device's settings overview and explicitly accept the risks of doing so. By
using external installation sources, users can install APK files downloaded
from the web directly, or choose to use third-party markets. These third-party
markets sometimes offer a specialized type of application, such as MiKandi's
adult app store, or target users from specific countries, like the Chinese app
stores Anzhi and Xiaomi (a popular Chinese phone manufacturer).
2.4 Malware
Another observed type of Android malware is classified as spyware and has
capabilities to forward private data to a remote server. In a more complex
form, the malware could also receive commands from the server to start
specific activities in which case it is part of a botnet. Spyware is likely to use
some of the components described in Section 2.3.1. Broadcast receivers are
of particular interest as they can be used to secretly intercept and forward
incoming SMS messages to a remote server or to wait for BOOT_COMPLETED
to start a background service as soon as the device is started.
In the summer of 2012, the sophisticated Eurograbber attack showed that
this type of malware may be very lucrative by stealing an estimated
€36,000,000 from bank customers in Italy, Germany, Spain and the Netherlands [1].
2.4.3 Malware data sets
Public access to known Android malware samples is mainly provided via
the Android Malware Genome Project [60] and Contagio Mobile [5]. The
Malgenome Project was a result of the work done by Zhou and Jiang [60]; it
contains over 1200 Android malware samples, classified into 49 malware
families, collected in the period from August 2010 to October 2011.
Contagiodump offers an upload dropbox to share mobile malware samples
among security researchers and currently hosts 114 items.
2.5 Summary
Chapter 3
Related Work
monly used in malware detection. Most anti-virus programs detect the
presence of a virus by using short identifiers called signatures, which consist
of sequences of bytes in the machine code of the infected program. A
suitable signature is one that is found in every program infected by the malware,
but is significantly less likely to be found in programs where the malware is not
present. The major weakness of this approach is that it cannot detect
metamorphic or unseen malware. Several related works apply this approach
to detect malware. Kim et al. [36] build a power consumption history for
power-aware malware detection; from the constructed history they propose a
power-aware malware detection framework that monitors, detects and
analyzes previously unknown energy-depletion threats.
Their framework was composed:
Desnos et al. [17] develop an algorithm to help them construct the rules.
By converting an app to its bytecode (which contains semantic information
that allows a better analysis), they extract useful information on variables,
fields, and methods. They propose a signature-based method and also use the
permission properties. The final step is to build control flow graphs from the
collected data for malware detection.
Enck et al. [23] proposed Kirin, a security service that performs the certification
of applications. They define a variety of potentially dangerous permission
combinations as rules to block the installation of potentially unsafe
applications. Our approach differs in that these techniques are not
adaptive to new Android malware and require continuous updates of the
signatures.
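For illustration, the byte-signature approach discussed above amounts to a scan like the following; the signature names and byte patterns are invented for the example, not real malware signatures:

```python
# Illustrative signature database: name -> byte sequence.
SIGNATURES = {
    "Example.A": bytes.fromhex("deadbeef0102"),
    "Example.B": bytes.fromhex("cafebabe99"),
}

def scan(program_bytes):
    """Return the names of all signatures found in the program's bytes."""
    return [name for name, sig in SIGNATURES.items() if sig in program_bytes]

infected = b"\x00\x01" + bytes.fromhex("deadbeef0102") + b"\x02"
clean = b"\x00\x01\x02\x03"
```

A metamorphic variant that rewrites its own bytes would evade exactly this kind of match, which is the weakness noted above.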
Behavior-based malware detection techniques focus on analyzing the
behavior of a program to conclude whether it is malicious or not. Behavior-based
detection usually applies machine learning algorithms to learn known
malware behaviors and patterns in order to predict unknown or novel malware.
Instead of using predefined signatures for malware detection, data mining
and machine learning techniques provide an effective way to dynamically
extract malware patterns [46] [53]. A study done by Sami et al. [44]
employed data mining technique with features generated from Windows
executable API calls. They achieved acceptable results in a very large scale
dataset with about 35,000 portable executable files. Another behavioral
footprinting method, devised by Jiang et al. [33], also provides a dynamic approach
to detect self-propagating malware. For smartphone-based mobile computing
platforms, recent years have witnessed an increasing number of more
sophisticated malware attacks such as repackaging. A recent research by
Zhou et al. [60] systematically characterizes existing Android malware from
various aspects, including installation methods, activation mechanisms and the
nature of malicious payloads. A study conducted with four representative
mobile security tools on over 1200 malware samples showed that the
current malware detection solutions are outdated and need to be upgraded to
the next generation.
From another perspective, Shabtai et al. [47] propose a behavior-based
Android malware detection approach, Andromaly, to protect the smartphone.
They test a series of feature selection approaches for
finding the most representative sets of features. Andromaly applies several
different machine learning algorithms such as Logistic Regression and
Bayesian Networks to classify the collected applications as benign or
malicious. In [45], the authors extract the function calls from application
binaries and apply their clustering mechanism, called Centroid, for
detecting unknown malware. In contrast, our approach is based on automated
analyses of Android packages. A recent paper by Sahs and Khan [43]
proposes a machine learning approach to Android malware detection based
on support vector machines (SVM). They use the Android permissions in the
Manifest files as features and learn a single-class SVM model using benign
samples alone. This is in contrast to our approach, which uses API calls,
permissions and categories as features for training the naive Bayes model.
Table 3.1 shows the description and results published by various authors
whose work is similar to ours.

Table 3.1: Existing approaches

Publication        Description                                            Results
Comdroid           Detecting application communication based              -
                   vulnerabilities in Android
DroidMat           Android Malware Detection through Manifest             F-measure: 0.9183
                   and API Calls Tracing
Androguard         Powerful tool to disassemble and decompile             F-measure: 0.6611
                   android apps
PUMA               Permission Usage to detect Malware in Android          Accuracy: 83.32%
AMDA               Automated Malware Detection for Android; the           Accuracy: 71.1538%
                   study utilizes behavior analysis of applications
                   as a basis for malware detection
Permission-Based   Detecting malicious applications in the Android        F-measure: 0.735849
Detection for      system based on permissions
Android Malware
DroidAPIMiner      Mining API-Level Features for Robust Malware           Accuracy: 99% and an
                   Detection in Android using a KNN classifier            FPR as low as 2.2%
Drebin             Performs a broad static analysis, gathering as         Accuracy: 94%
                   many features of an application as possible
Chapter 4
Android Malware Detection Using Permissions and API Calls
Figure 4.1: Android Folder Structure
• API libraries that application needs to be linked against (other than the
Android framework APIs), such as Google Maps library.
Figure 4.2: AndroidManifest
Dangerous permission: regulates access to potentially harmful API calls that
would give access to private user data. For example, the permissions to read
the location of a user (ACCESS_FINE_LOCATION) or WRITE_CONTACTS are
classified as dangerous.
Signature permission: protects access to the most dangerous privileges. The
system grants the permission only if the requesting application is signed with
the same certificate as the application that declared the permission.
Signature/System permission: a permission that the system grants only to
applications that are in the Android system image.
A simple, straightforward idea to determine a harmful application is to
check whether the App requests permissions at the dangerous or higher level.
Although Android adopts an authorized permission model to control access to
its components, there is no clear evidence demonstrating how good or bad it
is to detect a malicious application based on permissions or combinations of
permissions. It should be noticed that the permissions shown to a user during
an installation process are requested permissions instead of required
permissions. The requested permissions are declared manually by an application
developer. However, not all declared permissions are required by the
application. In addition to Google's methods to protect Android from
malicious applications, many security software companies have launched their
own security Apps.
• android.permission.READ_OWNER_DATA
• android.permission.SET_WALLPAPER
• android.permission.DEVICE_POWER
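The straightforward check described above can be sketched as follows; the protection-level map is an abbreviated, illustrative subset rather than Android's full permission table:

```python
# Abbreviated protection-level map (illustrative subset).
PROTECTION_LEVEL = {
    "android.permission.INTERNET": "normal",
    "android.permission.READ_CONTACTS": "dangerous",
    "android.permission.SEND_SMS": "dangerous",
    "android.permission.DEVICE_POWER": "signature/system",
}

def flag_app(requested_permissions):
    """Flag an app whose requested permissions reach the dangerous
    level or higher (unknown permissions are treated as normal)."""
    return any(
        PROTECTION_LEVEL.get(p, "normal") != "normal"
        for p in requested_permissions
    )
```

For example, an app requesting only INTERNET would not be flagged, while one also requesting SEND_SMS would be; as the text notes, requested permissions need not be required ones, which is one reason this check alone is unreliable.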
4.2 Static analysis
4.2.1 Androguard
Androguard [8] is an interactive static analysis tool for third-party
Android applications. It can disassemble apps and give access to their
components through its API. Androguard's API also provides access to
each attribute of the binary code, such as classes, methods, and variables. The
main features of its API are:
4.2.2 APK Tool
ApkTool [10] is a reverse engineering tool for third-party Android
applications. This tool decodes Android apps into Smali code [48]. It
also facilitates the modification of the app or the injection of new code before
repackaging it. Smali is a DEX code disassembler that transforms bytecode
into a syntax similar to the one used in the Jasmin [31] and dedexer [16]
projects. This syntax aims at alleviating the complexity of exploring Java
Virtual Machine binaries. Thus, ApkTool can reconstruct the original
resources into a human-friendly format to facilitate reverse engineering of the
code.
We now describe the main functions of ApkTool:
4.2.4 AndroViewClient
AndroViewClient is a Python tool that facilitates the creation of scripts for
interacting with the device. A remarkable feature of AndroViewClient is its
ability to retrieve a tree view of the UI components
displayed on the device at any given moment. For instance, given an Activity,
AndroViewClient can retrieve which other clickable views are nested
in it. Then, it allows the user to interact with those components by,
for instance, clicking them or inserting text into a TextBox.
4.3.1 Droidbox
Droidbox is a dynamic analysis tool that allows the execution of Android
apps and provides a variety of data about how an app is behaving. More
precisely, Droidbox monitors the execution of 11 different activities:
Figure 4.3: Taintdroid Architecture
Figure 4.4: Different Stages in Feature Extraction (the manifest.xml of each
benign and malware app is converted to a readable form and classes.dex is
disassembled to .smali files; features extracted from both are used to build
the profiles)
In this section, we explain the feature extraction and our proposed naive
Bayes classifier, which exploits the category information of an application.
Tools, etc. are highly prone to malware, while categories such as Medical and
Social have few malware samples. In our work, we explicitly learn a model that
exploits this information.
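A minimal sketch of a naive Bayes classifier that conditions on the app's category as well as on binary features (with Laplace smoothing and toy counts; an illustration of the idea, not the exact model of this chapter):

```python
import math

def train(samples):
    """samples: list of (label, category, feature_set).
    Collects the counts needed for P(label), P(category|label),
    and P(feature|label)."""
    model = {"labels": {}, "cat": {}, "feat": {}}
    for label, category, feats in samples:
        model["labels"][label] = model["labels"].get(label, 0) + 1
        model["cat"][(label, category)] = model["cat"].get((label, category), 0) + 1
        for f in feats:
            model["feat"][(label, f)] = model["feat"].get((label, f), 0) + 1
    return model

def score(model, label, category, feats, all_feats, all_cats):
    """Log joint score with Laplace smoothing."""
    n = model["labels"].get(label, 0)
    total = sum(model["labels"].values())
    logp = math.log((n + 1) / (total + len(model["labels"])))
    logp += math.log((model["cat"].get((label, category), 0) + 1) / (n + len(all_cats)))
    for f in all_feats:
        p = (model["feat"].get((label, f), 0) + 1) / (n + 2)
        logp += math.log(p if f in feats else 1 - p)
    return logp

def classify(model, category, feats, all_feats, all_cats):
    return max(model["labels"],
               key=lambda l: score(model, l, category, feats, all_feats, all_cats))

# Toy training data: malware concentrated in Tools, benign in Medical.
samples = [
    ("malware", "Tools", {"SEND_SMS"}),
    ("malware", "Tools", {"SEND_SMS"}),
    ("benign", "Medical", set()),
    ("benign", "Medical", set()),
]
ALL_FEATS = ["SEND_SMS"]
ALL_CATS = ["Tools", "Medical"]
model = train(samples)
```

Because the category term enters the score, two apps with identical features can be classified differently depending on their market category.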
In this section, we describe the dataset and discuss the experimental results.
4.6.1 Data set
Our data set consists of 25,865 apps collected from Google Play [?] and the
Android Malware Genome Project [61]. We collected 24,335 apps from
Google Play and 1,530 applications from the Genome Project, as shown in
Table 4.1. We collected only the top free apps in each category for creating
the benign set. For the benign applications, we used VirusTotal [52] to make
sure that they are genuinely benign. Each of these benign and malware
applications belongs to one of 30 categories as defined in the Android Market
(Table 4.1).
Table 4.1: Benign & Malware App Categories
Geniun Geniun Malwa
Category e Malware Category e re
Arcade 1409 123 Medical 499 5
Books &
References 884 10 Music & Audio 1287 30
Brain 1342 117 News & Magazine 545 20
Business 574 13 Personalization 2131 16
Cards 545 21 Photography 324 37
Casual 1658 140 Productivity 728 85
Comics 517 19 Racing 615 90
Communication 280 83 Shopping 169 10
Education 959 30 Social 683 5
Entertainment 1546 173 Sport 800 4
Finance 403 20 Sport Games 633 30
Health & Fitness 703 27 Tools 1227 275
Libraries &
Demo 564 32 Transportation 397 17
Lifestyle 1112 26 Travel & Local 602 23
Media & Video 827 37 Whether 404 12
Figure 4.5 shows the frequently occurring API calls and permissions in the
Android applications. We consider only the API calls and permissions that are
highly frequent as features. We adopted a ten-fold cross-validation strategy
for our experiments. We trained our model using 9 folds and tested on the
remaining fold. We repeat the experiment 10 times and report the average
accuracy. This ensures a wider range of samples for testing the classifier.
We also conducted our experiments following Aafer et al. [6], but with four different sets of top features. These top features are selected based on the most frequently occurring features in our samples, as shown in Figure 4.5. We refer to the top 10, 15 and 25 ranked features as 10Tf, 15Tf and 25Tf respectively, and to the five lowest ranked features as 5Lf.
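The frequency-based ranking and fold construction described above can be sketched as follows (illustrative helper functions under the assumption that features are ranked by how many samples contain them; the actual feature names come from Figure 4.5):

```python
from collections import Counter

def top_features(samples, k):
    """Rank features by the number of samples they occur in and keep the
    k most frequent (e.g. k = 10 for the 10Tf set)."""
    df = Counter()
    for feats in samples:
        df.update(set(feats))  # count each feature once per sample
    return [f for f, _ in df.most_common(k)]

def folds(items, n=10):
    """Split items into n folds (round-robin) for n-fold cross validation:
    train on n-1 folds, test on the held-out fold, rotate, and average."""
    return [items[i::n] for i in range(n)]
```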
Figure 4.7 shows the error rates and accuracy for different feature sets with and without category information. We observe increasing accuracy and decreasing error rates when a larger number of features is used to train the classifier. It is also evident that by exploiting the category information there is a clear improvement in accuracy and error rates. Also, note that there is almost a 20% difference in performance between the 5Lf and 10Tf feature sets, indicating the importance of feature ranking based on the frequency of API calls.
Figure 4.8 shows the true negative and false positive rates, and Figure 4.9 shows the true positive and false negative rates, using different sets of features. In both cases we can observe an improvement in performance when the category information is included in the model. Finally, we show the precision and recall in Figures 4.10 and 4.11 with varying numbers of features. As the number of features increases, both precision and recall improve, and when the category information is included in the model the performance is even better.
We summarize the results of the various measures without category information in Table 4.2 and with category information in Table 4.3. It can be observed from Table 4.3 that an average improvement of 3-4% across all the categories is achieved.
We also report the Area Under the Curve (AUC), which measures the total area under the Receiver Operating Characteristic (ROC) curve, for different numbers of features. We can see that the AUC for 10Tf, 15Tf and 25Tf is very close to 1, implying very good performance.
4.7 Summary
5.1 Introduction
the significance of the rules). Classification rules are of the form P → c, where P is a pattern in the training data and c is a predefined class label (target).
As part of this thesis, we study and build classifiers from association rules.
Given that association rules are descriptive in nature, they are useful in
learning about relationships in the data. The learned relationships can be
helpful in analyzing the domain. But usefulness of the rules can be further
extended if predictive models can be extracted from the rules. Given that the
number of rules produced is a function of the minsupport and the
minconfidence thresholds, the challenge is to generate an appropriate number
of rules that can be useful in developing predictive models.
We combine association rule mining and classification rule mining techniques to build a classifier. The integration is done by focusing on mining a special subset of association rules, called class association rules (CARs).
To select the best features that distinguish malware from benign apps, we rely on API level information within the bytecode, since it conveys substantial semantics about an app's behaviour. More specifically, we focus on critical API calls and their package level information.
Rather than simply treating individual API calls as items, we represent an item as a combination of a caller and a callee API. We thereby capture one level of control flow and context between caller and callee. Each item in our model is of the form A%B, where A is the caller and B is the callee. We use Androguard [8], a reverse engineering tool, to perform API level feature extraction and data flow analysis.
Association rule based classification was introduced in [37], which proposes an Apriori-like algorithm called CBA-RG for generating rules and another algorithm called CBA-CB for building the classifier. The rules generated by CBA-RG are called classification association rules (CARs), as they have a predefined class label or target. From the generated CARs, a subset is selected based on the heuristic criterion that the subset of rules can classify the training set accurately.
Many other classification systems have been built based on association rules [57, 58]. In our work, we have implemented an association rule-based classifier system in the WEKA framework. WEKA is a data mining system developed at the University of Waikato and has become very popular among the academic community working on data mining. We have chosen to develop this system in WEKA as we realize the usefulness of having such a classifier in the WEKA environment. To generate classification association rules, we make use of the CBA algorithm [40]. CBA is an extended version of the Apriori algorithm that is capable of mining associations from set-valued and temporal datasets.
More generally, we have adapted the algorithm to generate only rules that
satisfy user specified constraints. We achieve this by integrating these
constraints into the mining phase so that we can use the constraints to prune
itemsets that would not yield rules of the type that the user desires.
– Build a framework to generate models from CARs.
– Build a classifier using the CARs to distinguish malware apps from genuine apps.
Figure 5.1: Apriori algorithm
item(s) must be the same in both itemsets. This ensures that the generated candidate is of size k and that most of its subsets are frequent. Before counting support for all the itemsets in C3, the Apriori property is applied. The Apriori property [7] states that all nonempty subsets of an itemset must be frequent for the itemset itself to be frequent; this property prunes the search space. The Apriori algorithm continues to generate frequent itemsets until no more candidate itemsets can be generated.
The frequent itemsets produced are used to generate association rules that satisfy the minimum support and minimum confidence. For each frequent itemset, all possible splits of the itemset into two parts (antecedent and consequent) are generated, and each resulting rule is output by Apriori if it satisfies the minimum confidence condition.
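The generate-and-prune procedure just described can be sketched compactly as follows. This is a minimal illustration of Apriori, not the implementation used in this work:

```python
from itertools import combinations

def apriori(transactions, minsup):
    """Return {itemset: support} for all itemsets with support >= minsup.
    transactions: list of sets; minsup: fraction in [0, 1]."""
    n = len(transactions)
    def support(itemset):
        return sum(1 for t in transactions if itemset <= t) / n
    items = {i for t in transactions for i in t}
    # frequent 1-itemsets
    freq = {frozenset([i]): s for i in items
            if (s := support(frozenset([i]))) >= minsup}
    result = dict(freq)
    k = 2
    while freq:
        # join step: unite (k-1)-itemsets that agree on all but one item
        cands = {a | b for a in freq for b in freq if len(a | b) == k}
        # prune step (Apriori property): every (k-1)-subset must be frequent
        cands = {c for c in cands
                 if all(frozenset(s) in freq for s in combinations(c, k - 1))}
        freq = {c: s for c in cands if (s := support(c)) >= minsup}
        result.update(freq)
        k += 1
    return result

def rules(freq, minconf):
    """Split each frequent itemset into antecedent ==> consequent and keep
    the rules whose confidence meets the minimum confidence."""
    out = []
    for itemset, sup in freq.items():
        for r in range(1, len(itemset)):
            for ante in map(frozenset, combinations(itemset, r)):
                conf = sup / freq[ante]  # subsets of a frequent set are frequent
                if conf >= minconf:
                    out.append((set(ante), set(itemset - ante), conf))
    return out
```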
The information in an Android app's bytecode can be used to describe its behavior. We can extract information ranging from coarse-grained levels, such as packages, to fine-grained levels, such as API calls. In this work we focus on extracting API level information since it clearly captures the app's behavior. More specifically, we consider the class name and method name of the callee and the package name of the caller. The bytecode also contains user defined functions; we represent them as USERFUNC.
Reverse engineering is a process by which we discover and understand the complete working of an app. We use tools like Androguard [8], ApkTool [10], Smali/Baksmali [48] and the Android SDK for reverse engineering an Android application.
Androguard [8] is a Python based tool which is used to disassemble and decompile Android apps. It decompiles the bytecode to smali code. Smali/Baksmali [48] is an assembler/disassembler for the dex format used by Dalvik, Android's Java VM implementation.
After extracting the API calls using Androguard, we identify the caller and the callee parts from the smali code.
For example, consider the following hypothetical code. Let A() be a user defined function, and let getDeviceId and getActiveNetworkInfo be the API calls made inside A(). The resulting items are:
• USERFUNC%getDeviceId
• USERFUNC%getActiveNetworkInfo
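The construction of such items can be sketched as a simple pass over disassembled smali text. The regex below is an assumption about the smali invoke-instruction layout for illustration purposes, not Androguard's actual output format:

```python
import re

# Matches smali invoke instructions such as:
#   invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
INVOKE = re.compile(r"invoke-\w+(?:/range)? \{[^}]*\}, L[\w/$]+;->(\w+)\(")

def items_from_smali(smali_text, api_methods):
    """Build caller%callee items from one user-defined method body.
    Callees outside the known API set are ignored, and the caller side is
    collapsed to USERFUNC as in the text."""
    items = set()
    for callee in INVOKE.findall(smali_text):
        if callee in api_methods:
            items.add("USERFUNC%" + callee)
    return items
```

Applied to the body of A() above, this would yield exactly the two items USERFUNC%getDeviceId and USERFUNC%getActiveNetworkInfo.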
[Figure: Classification pipeline — Android apps are disassembled (each classes.dex file to .smali), API level information is extracted from the .smali files into a profile, and the CBA classifier labels each app as genuine or malware.]
Let D represent the set of Android apps. Let I be the set of all items in D, where each item is of the form A%B, with A the caller and B the callee API, and let Y be the set of class labels, Y = {Benign, Malware}. We say that a data case d ∈ D contains X ⊆ I, a subset of items, if X ⊆ d. A class association rule (CAR) is an implication of the form X → y, where X ⊆ I and y ∈ Y. A rule X → y holds in D with confidence c if c% of the cases in D that contain X are labelled with class y. The rule X → y has support s in D if s% of the cases in D contain X and are labelled with class y.
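These definitions translate directly into code. A minimal sketch over labelled cases (each a set of A%B items plus a class label):

```python
def car_stats(cases, X, y):
    """cases: list of (itemset, label) pairs. Returns (support, confidence)
    of the rule X -> y per the definitions above; confidence is None when
    no case contains X."""
    n = len(cases)
    contain = [(items, label) for items, label in cases if X <= items]
    hits = sum(1 for _, label in contain if label == y)
    sup = hits / n                                  # fraction of all cases
    conf = hits / len(contain) if contain else None  # fraction of covering cases
    return sup, conf
```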
Our objectives are
1. To generate the complete set of CARs that satisfy the user specified
minimum support (called minsup) and minimum confidence (called
minconf ) constraints, and
5.3.3 Generating the Complete Set of CARs
The CBA (Classification Based on Associations) algorithm [37] consists of two parts: a rule generator (called CBA-RG), which is based on the Apriori algorithm for finding association rules [7], and a classifier builder (called CBA-CB). This section discusses CBA-RG; the next section discusses CBA-CB.
Lines 1-3 represent the first pass of the algorithm. It counts the item and class occurrences to determine the frequent 1-ruleitems (line 1). From this set of 1-ruleitems, a set of CARs (called CAR1) is generated by genRules (line 2). CAR1 is subjected to a pruning operation (line 3). Pruning is also applied to CARk in each subsequent pass (line 16). The function pruneRules uses the pessimistic error rate based pruning method of C4.5 [41]. It prunes a rule as follows: if rule r's pessimistic error rate is higher than the pessimistic error rate of rule r′ (obtained by deleting one condition from the conditions of r), then rule r is pruned. This pruning can cut down the number of rules generated substantially.
Each subsequent pass, say pass k, performs four major operations. First, the frequent ruleitems Fk−1 found in the (k−1)th pass are used to generate the candidate ruleitems Ck using the candidateGen function. The algorithm then scans the database and updates the support counts of the candidates in Ck. After the new frequent ruleitems have been identified to form Fk, the algorithm produces the rules CARk using the genRules function. Finally, rule pruning is performed on these rules.
The candidateGen function is similar to the function Apriori-gen in
algorithm Apriori.
The final set of class association rules is in CARs. Those remaining rules
after pruning are in prCARs.
4:   temp = ∅
5:   for each case d ∈ D do
6:       if d satisfies the conditions of r then
             store d.id in temp and mark r if it correctly classifies d
7:   end for
8:   if r is marked then
         insert r at the end of C;
         delete all the cases with the ids in temp from D;
         select the default class for the current C;
         compute the total number of errors of C
9: end for
10: Find the first rule p in C with the lowest total number of errors and drop all the rules after p in C
11: Add the default class associated with p to the end of C, and return C (our classifier)
12: end procedure
Our algorithm for building the classifier has the following steps.
1. Sort the set of generated rules R according to the precedence relation >. This ensures that we choose the highest precedence rules for our classifier.
2. Select rules for the classifier from R following the sorted sequence. For each rule r, we go through D to find the cases covered by r (those that satisfy the conditions of r), where d.id is the unique identification number of a case d. We mark r if it correctly classifies a case d. If r can correctly classify at least one case (i.e., if r is marked), it becomes a potential rule in our classifier. The cases it covers are then removed from D. A default class is also selected (the majority class in the remaining data), meaning that if we stop selecting more rules for our classifier C, this class will be the default class of C. We then compute and record the total number of errors made by the current C and the default class. This is the sum of the number of errors made by all the rules selected so far in C and the number of errors the default class would make on the training data. When there is no rule or no training case left, the rule selection process is complete.
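The steps above can be condensed into the following sketch. The data structures are simplified for illustration (rules are assumed already sorted by precedence), so this is an outline of the selection logic rather than the exact implementation:

```python
from collections import Counter

def build_classifier(sorted_rules, cases):
    """sorted_rules: list of (conditions: set, label) in precedence order.
    cases: list of (itemset: set, label). Returns (selected_rules, default_class)
    following the step-wise selection described above."""
    remaining = list(cases)
    C, errors, rule_errs = [], [], 0
    for cond, label in sorted_rules:
        covered = [(items, lab) for items, lab in remaining if cond <= items]
        if any(lab == label for _, lab in covered):        # rule is "marked"
            C.append((cond, label))
            rule_errs += sum(1 for _, lab in covered if lab != label)
            remaining = [(i, l) for i, l in remaining if not cond <= i]
            # default class = majority class of the remaining data
            default = (Counter(l for _, l in remaining).most_common(1)[0][0]
                       if remaining else label)
            default_errs = sum(1 for _, l in remaining if l != default)
            errors.append((rule_errs + default_errs, default))
        if not remaining:
            break
    if not C:
        return [], Counter(l for _, l in cases).most_common(1)[0][0]
    # cut the rule list at the prefix with the lowest total error
    best = min(range(len(errors)), key=lambda i: errors[i][0])
    return C[:best + 1], errors[best][1]
```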
In this section, we describe the dataset and discuss the experimental results.
5.4.1 Data set
Our data set consists of 1449 apps in total. We collected 1008 top free apps
across different category from Google Play [51] to create a benign set. Our
malware set consists of 441 apps taken from Android malware Genome
Project [61]. We used VirusTotal [52] to make sure that our benign set is free
from any malware.
Figure 5.6: Android malware detection analysis with different classifiers from
the Precision-Recall view.
forest fits a number of decision tree classifiers on various sub-samples of the dataset and uses averaging to improve the predictive accuracy and control over-fitting. We observed that the RF classifier has an accuracy of 0.75. Finally, our approach, CBA, gives an accuracy of 0.85 when the support value during association rule mining is set to 0.7.
Table 5.1 lists some interesting rules that were used by the classifier. Each rule gives the combination of items that our classifier used to distinguish between a genuine and a malware app, together with the confidence associated with the rule. For example, Rule 1 in Table 5.1 says that the combination of USERFUNC%getSubscriberId, USERFUNC%openConnection and SendSmsMessage%sendTextMessage classifies an app as malware with a confidence of 0.71.
Table 5.1: Popular Rules

No.      Rule                                                           Conf
Rule 1   USERFUNC%getSubscriberId, USERFUNC%openConnection,            0.71
         SendSmsMessage%sendTextMessage ==> class=malware
Rule 2   USERFUNC%getConnectionInfo, None%getDeviceId                  0.73
         ==> class=malware
Rule 3   USERFUNC%getActiveNetworkInfo, USERFUNC%openConnection,       0.78
         USERFUNC%getDeviceId ==> class=malware
Rule 4   None%getDeviceId, USERFUNC%getDeviceId,                       0.78
         USERFUNC%getActiveNetworkInfo ==> class=malware
We summarize the evaluation metrics for CBA with support and confidence values of 0.7 in Table 5.2.

Table 5.2: Evaluation measures for support and confidence: 0.7

TP rate   FP rate   Precision   Recall   F-measure
0.954     0.617     0.780       0.954    0.858
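As a quick sanity check, the reported F-measure is the harmonic mean of the reported precision and recall:

```python
def f_measure(precision, recall):
    """Harmonic mean of precision and recall (F1)."""
    return 2 * precision * recall / (precision + recall)

# Values reported in Table 5.2
print(round(f_measure(0.780, 0.954), 3))  # 0.858
```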
5.5 Conclusion
We proposed a novel approach to distinguish and detect Android malware from genuine apps. The proposed technique aims to generate the complete set of potential classification rules. We represent an item as a combination of a caller and a callee API, capturing one level of control flow and context between caller and callee. Classification based association rule mining helps in establishing classification rules that are competitive with other classifiers.
As future work, we plan to further reduce the false positives and negatives by analysing the samples that were not correctly classified and finding out the reasons behind the misclassification. We also want to develop more sophisticated techniques for mining the CARs.
Chapter 6
• combining association rule mining and classification rule mining for
Android malware detection.
As future work, we plan to further reduce the false positives and negatives
through analysing the samples that were not correctly classified and finding
out the reasons behind the misclassification.
Related Publications
[17] A. Desnos and P. Lantz. DroidBox: An Android application sandbox for dynamic analysis. https://code.google.com/p/droidbox, 2011.
[18] Dex2jar. https://github.com/pxb1988/dex2jar.
[19] F. Di Cerbo, A. Girardello, F. Michahelles, and S. Voronkova. Detection
of malicious applications on android os. In Computational Forensics.
2011.
[20] D. Ehringer. The Dalvik virtual machine architecture. Technical report, 2010.
[21] W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A.
Sheth. Taintdroid: An information-flow tracking system for realtime
privacy monitoring on smartphones. In OSDI, 2010.
[22] W. Enck, P. Gilbert, S. Han, V. Tendulkar, B.-G. Chun, L. P. Cox, J.
Jung, P. McDaniel, and A. N. Sheth. Taintdroid: an information-flow
tracking system for realtime privacy monitoring on smartphones. ACM
Transactions on Computer Systems (TOCS), 32(2):5, 2014.
[23] W. Enck, M. Ongtang, and P. McDaniel. On lightweight mobile phone
application certification. In ACM conference on Computer and
communications security, 2009.
[24] A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions demystified. In ACM Conference on Computer and Communications Security, 2011.
[25] A. P. Fuchs, A. Chaudhuri, and J. S. Foster. Scandroid: Automated security certification of Android applications. Technical report, University of Maryland, 2009.
[28] J. Han, J. Pei, and Y. Yin. Mining frequent patterns without candidate
generation. In ACM SIGMOD Record, volume 29, pages 1–12. ACM,
2000.
[29] H. Hao, V. Singh, and W. Du. On the effectiveness of API-level access control using bytecode rewriting in Android. In ACM SIGSAC Symposium on Information, Computer and Communications Security, 2013.
[36] H. Kim, J. Smith, and K. G. Shin. Detecting energy-greedy anomalies and mobile malware variants. In International Conference on Mobile Systems, Applications, and Services (MobiSys), 2008.
[53] J.-H. Wang, P. S. Deng, Y.-S. Fan, L.-J. Jaw, and Y.-C. Liu. Virus detection using data mining techniques. In IEEE 37th Annual International Carnahan Conference on Security Technology, pages 71-76. IEEE, 2003.
[54] X. Wei, L. Gomez, I. Neamtiu, and M. Faloutsos. Profiledroid: Multi-
layer profiling of android applications. In International conference on
Mobile computing and networking, 2012.
[55] AppBrain. Number of Android applications in the market. www.appbrain.com/stats/number-of-android-apps.
[56] L.-K. Yan and H. Yin. Droidscope: Seamlessly reconstructing the os and
dalvik semantic views for dynamic android malware analysis. In
USENIX security symposium, pages 569–584, 2012.
[57] Q. Yang, T. Li, and K. Wang. Building association-rule based sequential
classifiers for web-document prediction. Data mining and knowledge
discovery, 8(3):253–273, 2004.
[58] O. R. Zaïane, M.-L. Antonie, and A. Coman. Mammography classification by an association rule-based classifier. In MDM/KDD, pages 62-69, 2002.
[59] M. Zhao, F. Ge, T. Zhang, and Z. Yuan. Antimaldroid: An efficient svm-
based malware detection framework for android. In Information
Computing and Applications. 2011.
[60] Y. Zhou and X. Jiang. Dissecting android malware: Characterization and
evolution. In Security and Privacy (SP), 2012 IEEE Symposium on,
pages 95–109. IEEE, 2012.
[61] Y. Zhou and X. Jiang. Dissecting android malware: Characterization and
evolution. In Security and Privacy, 2012.
[62] Y. Zhou, X. Zhang, X. Jiang, and V. W. Freeh. Taming information-
stealing smartphone applications (on android). In Trust and Trustworthy
Computing. 2011.
[63] S. Zonouz, A. Houmansadr, R. Berthier, N. Borisov, and W. Sanders.