1 Introduction
- We propose a practical Android malware detection system, MAPAS, that finds malware based on malicious behavioral features. To this end, MAPAS learns API call graphs of malware and detects malware based on analyzed patterns of the API call graphs used for malicious behaviors. MAPAS employs a deep learning algorithm not to use the classifier model it generates but only to discover common features of malware; MAPAS then performs malware detection with a lightweight classifier for efficiency.
- We implement a prototype of MAPAS and thoroughly evaluate it. We also compare MAPAS against MaMaDroid to demonstrate its effectiveness and efficiency. Our evaluation results show that MAPAS achieves better performance than MaMaDroid both in the usage of computing resources and in the accuracy for detecting new malware. MAPAS can also generally detect any type of malware with high accuracy.
2 Background
2.1 Detecting android malware
2.2 Typical features used for static analysis-based malware detection approaches
2.3 Unpractical machine/deep learning-based android malware detection approaches
3 Goal
4 Design
4.1 Design overview
4.2 Data preprocessing for generating training dataset
4.3 Deep learning and identifying high-weight API call graphs from malware
android.content and the sink is java.net. This call graph can leak the user's sensitive information over the network.
4.4 Malware detection
5 Evaluation
5.1 Experimental configuration
No. | Weight score | API call graph
---|---|---
1 | 3.51E-06 | android.content.pm -> java.lang
2 | 3.48E-06 | android.text.style -> java.lang
3 | 3.27E-06 | java.security.cert -> java.lang
4 | 3.22E-06 | android.graphics.drawable -> java.lang
5 | 3.19E-06 | java.security -> java.lang
6 | 3.09E-06 | android.webkit -> android.util
7 | 2.90E-06 | android.accounts -> java.lang
8 | 2.90E-06 | android.webkit -> android.widget
9 | 2.78E-06 | org.xmlpull.v1 -> java.lang
... | ... | ...
4312 | 1.47E-18 | com.google.firebase -> javax.xml.parsers
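The following is an added example, not code from the MAPAS paper, showing how package-level API call graph edges with weight scores like those in the table above can drive a lightweight classifier: edges above a weight cutoff form the malicious feature set, an app's method-level calls are abstracted to package-level edges, and the Jaccard similarity between the two sets is compared with a threshold. The weight cutoff, the similarity metric, the threshold and the two app call graphs are assumptions constructed for illustration.

```python
# Added example (not the paper's code): a lightweight matcher over package-level
# API call graph edges. Weights are the rows of the Section 5.1 table; the weight
# cutoff, Jaccard metric and decision threshold are assumptions.
WEIGHTED_EDGES = [  # (caller package, callee package, weight score)
    ("android.content.pm", "java.lang", 3.51e-06),
    ("android.text.style", "java.lang", 3.48e-06),
    ("java.security.cert", "java.lang", 3.27e-06),
    ("android.graphics.drawable", "java.lang", 3.22e-06),
    ("java.security", "java.lang", 3.19e-06),
    ("android.webkit", "android.util", 3.09e-06),
    ("android.accounts", "java.lang", 2.90e-06),
    ("android.webkit", "android.widget", 2.90e-06),
    ("org.xmlpull.v1", "java.lang", 2.78e-06),
    ("com.google.firebase", "javax.xml.parsers", 1.47e-18),
]

def select_high_weight(edges, min_weight=1e-06):
    """Malicious feature set: edges whose weight reaches the (assumed) cutoff."""
    return {(src, dst) for src, dst, w in edges if w >= min_weight}

def package_of(method):
    """'pkg.sub.Class.method' -> 'pkg.sub' (class = first capitalised segment)."""
    parts = method.split(".")
    for i, part in enumerate(parts):
        if part[:1].isupper():
            return ".".join(parts[:i])
    return ".".join(parts[:-1])

def package_edges(call_graph):
    """Abstract method-level (caller, callee) pairs to package-level edges."""
    return {(package_of(a), package_of(b)) for a, b in call_graph}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0

def classify(call_graph, feature_set, threshold=0.2):
    """Return (similarity score, flagged as malware) for one app's call graph."""
    score = jaccard(package_edges(call_graph), feature_set)
    return score, score >= threshold

# Constructed method-level call graphs for two hypothetical apps
SUSPECT_APP = [
    ("android.content.pm.PackageManager.getInstalledPackages", "java.lang.StringBuilder.append"),
    ("android.webkit.WebView.loadUrl", "android.util.Log.d"),
    ("android.accounts.AccountManager.getAccounts", "java.lang.String.valueOf"),
    ("com.example.app.MainActivity.onCreate", "android.os.Bundle.getString"),
]
BENIGN_APP = [
    ("com.example.app.MainActivity.onCreate", "android.os.Bundle.getString"),
    ("com.example.app.MainActivity.onCreate", "android.widget.TextView.setText"),
]
```

Calling `classify(SUSPECT_APP, select_high_weight(WEIGHTED_EDGES))` scores 3 shared edges out of 10 in the union, while the benign app shares none; in a real deployment the cutoff and threshold would be tuned on the labelled training set rather than fixed as here.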
Method | CPU (%) | GPU (MiB) | RAM (MB) | Time (s) | Accuracy (%)
---|---|---|---|---|---
MAPAS | 1.0925 | None | 157.543 | 21.1799 | 93.2
CNN | 1.5425 | 10,590 | 2070.3692 | 15.9171 | 83
5.2 Finding high-weight features
5.3 Performance evaluation of MAPAS with the CNN classifier model
5.4 Performance evaluation of MAPAS with MaMaDroid
Category | MAPAS accuracy (%) | MaMaDroid+RF accuracy (%) | Category | MAPAS accuracy (%) | MaMaDroid+RF accuracy (%)
---|---|---|---|---|---
Airpush | 99.99 | 71 | FakeUpdates | 100 | 20
AndroRAT | 100 | 84 | Finspy | 100 | 100
Andup | 100 | 78 | Fjcon | 100 | 100
Aples | 100 | 0 | Fobus | 100 | 100
BankBot | 92.61 | 100 | Fusob | 100 | 100
Bankun | 100 | 16 | GingerMaster | 100 | 73
Boqx | 99.53 | 81 | GoldDream | 100 | 81
Boxer | 100 | 0 | Gorpo | 100 | 100
Cova | 64.71 | 65 | Gumen | 100 | 99
Dowgin | 100 | 97 | Jisut | 99.79 | 13
DroidKungFu | 99.82 | 87 | Kemoge | 100 | 93
Erop | 100 | 100 | Koler | 100 | 81
FakeAngry | 100 | 20 | Ksapp | 100 | 83
FakeAV | 100 | 80 | Kuguo | 100 | 100
FakeDoc | 100 | 100 | Kyview | 100 | 95
FakeInst | 98.06 | 43 | Leech | 100 | 26
FakePlayer | 100 | 24 | Lnk | 100 | 600
FakeTimer | 100 | 0 | Lotoor | 94.51 | 60
Mecor | 100 | 0 | SpyBubble | 100 | 50
Minimob | 100 | 75 | Stealer | 100 | 100
Mmarketpay | 100 | 93 | Steek | 100 | 100
MobileTX | 100 | 0 | Svpeng | 100 | 100
Mseg | 100 | 86 | Tesbo | 100 | 100
Mtk | 100 | 100 | Triada | 100 | 95
Nandrobox | 100 | 42 | Univert | 100 | 100
Ogel | 100 | 100 | UpdtKiller | 100 | 62
Opfake | 100 | 88 | Utchi | 100 | 100
Penetho | 100 | 56 | Vidro | 100 | 87
Ramnit | 100 | 12 | VikingHorde | 85.71 | 57
Roop | 100 | 100 | Vmvol | 100 | 100
RuMMs | 100 | 73 | Winge | 100 | 58
SimpleLocker | 93.67 | 70 | Youmi | 100 | 93
SlemBunk | 100 | 18 | Zitmo | 100 | 46
Smskey | 100 | 43 | Ztorg | 100 | 90
SmsZombie | 100 | 0 | Average accuracy | 98.98 | 68.63
Spambot | 100 | 80 | | |