Skip to main content
Log in

DroidWard: An Effective Dynamic Analysis Method for Vetting Android Applications

  • Published:
Cluster Computing Aims and scope Submit manuscript

Abstract

As the number of Android malicious applications has explosively increased, effectively vetting Android applications (apps) has become an emerging issue. Traditional static analysis is ineffective for vetting apps whose code have been obfuscated or encrypted. Dynamic analysis is suitable to deal with the obfuscation and encryption of codes. However, existing dynamic analysis methods cannot effectively vet the applications, as a limited number of dynamic features have been explored from apps that have become increasingly sophisticated. In this work, we propose an effective dynamic analysis method called DroidWard in the aim to extract most relevant and effective features to characterize malicious behavior and to improve the detection accuracy of malicious apps. In addition to using the existing 9 features, DroidWard extracts 6 novel types of effective features from apps through dynamic analysis. DroidWard runs apps, extracts features and identifies benign and malicious apps with Support Vector Machine (SVM), Decision Tree (DTree) and Random Forest. 666 Android apps are used in the experiments and the evaluation results show that DroidWard correctly classifies 98.54% of malicious apps with 1.55% of false positives. Compared to existing work, DroidWard improves the TPR with 16.07% and suppresses the FPR with 1.31% with SVM, indicating that it is more effective than existing methods.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4

Similar content being viewed by others

Notes

  1. DroidBox. https://github.com/pjlantz/droidbox, 2014.

References

  1. F-Secure, Threat Report 2015. https://www.f-secure.com/documents/996508/1030743/Threat_Report_2015.pdf (2015)

  2. Greenberg, A.: Scanner identifies thousands of malicious Android apps on Google Play, other markets. http://www.scmagazine.com/scanner-identifies-thousands-of-malicious-android-apps-on-google-play-other-markets/article/435387/ (2015)

  3. Hirst, S.: Lookout Discovers SocialPath Malware in Google Play Store. https://vpncreative.net/2015/01/10/lookout-socialpath-malware-google-play (2015)

  4. Lockheimer, H.: Android and Security. http://googlemobile.blogspot.com/2014/02/android-and-security.html (2014)

  5. Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. IEEE Symposium on Security and Privacy, pp. 95–109, 2012

  6. Enck, W., Gilbert, P., Han, S., et al.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. (TOCS) 32(2), 5 (2014)

    Article  Google Scholar 

  7. Lindorfer, M., Neugschwandtner, M., Platzer, C.: Marvin: Efficient and comprehensive mobile app classification through static and dynamic analysis. 39th IEEE Annual Computer Software and Applications Conference (COMPSAC), vol. 2, pp. 422–433, 2015

  8. Lindorfer, M., Neugschwandtner, M., Weichselbaum, L., et al.: Andrubis–1,000,000 apps later: a view on current Android malware behaviors. Third International IEEE Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), p 3-17, 2014

  9. Felt, A. P., Chin, E., Hanna, S., et al.: Android permissions demystified. 18th ACM Conference on Computer and communications security, pp. 627-638, 2011

  10. Dietz, M., Shekhar, S., Pisetsky, Y., et al.: QUIRE: lightweight provenance for smart phone operating systems. USENIX Security Symposium, vol. 31, 2011

  11. Afonso, V.M., de Amorim, M.F., Grégio, A.R.A., et al.: Identifying Android malware using dynamically obtained features. J. Comput. Virol. Hacking Tech. 11(1), 9–17 (2015)

    Article  Google Scholar 

  12. Wang, W., Guan, X., Zhang, X.: Processing of massive audit data streams for real-time anomaly intrusion detection. Comput. Commun. 31(1), 58–72 (2008)

    Article  Google Scholar 

  13. Wang, W., Liu, J., Pitsilis, G., et al.: Abstracting massive data for lightweight intrusion detection in computer networks. Information Sciences (online first), 2016

  14. Wang, W., Guyet, T., Quiniou, R., et al.: Autonomic intrusion detection: adaptively detecting anomalies over unlabeled audit data streams in computer networks. Knowl.-Based Syst. 70, 103–117 (2014)

    Article  Google Scholar 

  15. Wang, W., Battiti, R.: Identifying intrusions in computer networks with principal component analysis, First International Conference on Availability, Reliability and Security. IEEE, p 1-8, 2006

  16. Zhang, X., Furtlehner, C., Germain-Renaud, C., et al.: Data stream clustering with affinity propagation. IEEE Trans. Knowl. Data Eng. 26(7), 1644–1656 (2014)

    Article  Google Scholar 

  17. Zhang, X.L., Lee, T.M.D., Pitsilis, G.: Securing recommender systems against shilling attacks using social-based clustering. J. Comput. Sci. Technol. 28(4), 616–624 (2013)

    Article  Google Scholar 

  18. Wang, W., Zhang, X., Gombault, S.: Constructing attribute weights from computer audit data for effective intrusion detection. J. Syst. Softw. 82(12), 1974–1981 (2009)

    Article  Google Scholar 

  19. Guan, X., Wang, W., Zhang, X.: Fast intrusion detection based on a non-negative matrix factorization model. J. Netw. Comput. Appl. 32(1), 31–44 (2009)

    Article  Google Scholar 

  20. Wang, W., Guan, X., Zhang, X., Yang, L.: Profiling program behavior for anomaly intrusion detection based on the transition and frequency property of computer audit data. Comput. Secur. 25(7), 539–550 (2006)

    Article  Google Scholar 

  21. Huang, X., Li, J., Li, J., et al.: Securely outsourcing attribute-based encryption with checkability. IEEE Trans. Parallel Distrib. Syst. 25(8), 2201–2210 (2014)

    Article  Google Scholar 

  22. Li, J., Li, J., Chen, X., et al.: Identity-based encryption with outsourced revocation in cloud computing. IEEE Trans. Comput. 64(2), 425–437 (2015)

    Article  MathSciNet  MATH  Google Scholar 

  23. Li, J., Li, Y.K., Chen, X., et al.: A hybrid cloud approach for secure authorized deduplication. IEEE Trans. Parallel Distrib. Syst. 26(5), 1206–1216 (2015)

    Article  Google Scholar 

  24. Li, J., Chen, X., Li, M., et al.: Secure deduplication with efficient and reliable convergent key management. IEEE Trans. Parallel Distrib Syst. 25(6), 1615–1625 (2014)

    Article  Google Scholar 

  25. Fuchs, A.P., Chaudhuri, A., Foster, J.S.: Scandroid: automated security certification of android. Technical report, University of Maryland (2009)

  26. Pandita, R., Xiao, X., Yang, W., et al.: Whyper: towards automating risk assessment of mobile applications, Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13), pp. 527-542, 2013

  27. Peiravian, N., Zhu, X.: Machine learning for android malware detection using permission and api calls. IEEE 25th International Conference on Tools with Artificial Intelligence. IEEE, pp. 300-305, 2013

  28. Arp, D., Spreitzenbarth, M., Hubner, M., et al.: DREBIN: effective and explainable detection of android malware in your pocket. In: The 2014 Network and Distributed System Security Symposium (NDSS), pp. 1–12

  29. Apvrille, A., Strazzere, T.: Reducing the window of opportunity for Android malware Gotta catch’em all. J. Comput. Virol. 8(1–2), 61–71 (2012)

    Article  Google Scholar 

  30. Wang, W., Wang, X., Feng, D., Liu, J., Han, Z., Zhang, X.: Exploring permission-induced risk in android applications for malicious application detection. IEEE Transactions on Information Forensics and Security 9, pp. 1869–1882 (2014)

  31. Liu X, Liu J, Wang W, Exploring sensor usage behaviors of Android applications based on data flow analysis. IPCCC, p 1-8, 2015

  32. Su, D., Wang, W., Wang, X., Liu, J.: Anomadroid: profiling Android applications’ behaviors for identifying unknown malapps. 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom), 2016

  33. Liu, X., Zhu, S., Wang, W., Liu, J.: Alde: privacy risk analysis of analytics libraries in the android ecosystem. 12th EAI International Conference on Security and Privacy in Communication Networks (SecureComm), 2016

  34. Spreitzenbarth, M., Freiling, F., Echtler, F., et al.: Mobile-sandbox: having a deeper look into android applications. Proceedings of the 28th Annual ACM Symposium on Applied Computing. ACM, pp. 1808-1815, 2013

  35. Monkeyrunner. https://developer.android.com/studio/test/monkeyrunner/index.html

  36. Apvrille, A.: Apktool: a tool for reverse engineering android apk files. https://ibotpeaches.github.io/Apktool/

  37. Ho, T.H., Dean, D., Gu, X., et al.: PREC: practical root exploit containment for android devices. Proceedings of the 4th ACM conference on data and application security and privacy. ACM, pp. 187-198, 2014

  38. Anzhi Market. http://www.anzhi.com

  39. Virustotal. https://www.virustotal.com/

  40. Burges, C.J.C.: A tutorial on support vector machines for pattern recognition. Data Min. Knowl. Discov. 2(2), 121–167 (1998)

    Article  Google Scholar 

  41. Quinlan, J.: C4.5: programs for machine learning. Morgan Kaufmann Publishers, Burlington (1993)

    Google Scholar 

  42. Wang, W., Gombault, S., Guyet, T.: Towards fast detecting intrusions: using key attributes of network traffic, Internet Monitoring and Protection, ICIMP’08. The Third International Conference on. IEEE , p 86–91, 2008

  43. Wang, W., He, Y., Liu, J., et al.: Constructing important features from massive network traffic for lightweight intrusion detection. IET Inf. Secur. 9(6), 374–379 (2015)

    Article  Google Scholar 

  44. Breiman, L.: Random forests. Mach. Learn. 45(1), 5–32 (2001)

    Article  MATH  Google Scholar 

  45. Le Thanh, H.: Analysis of malware families on android mobiles: detection characteristics recognizable by ordinary phone users and how to fix it. J. Inf. Secur. 4(04), 213 (2013)

    Google Scholar 

Download references

Acknowledgements

This work was supported in part by the Scientific Research Foundation through the Returned Overseas Chinese Scholars, Ministry of Education of China, under Grant K14C300020, in part by Shanghai Key Laboratory of Integrated Administration Technologies for Information Security, in part by ZTE Corporation, and in part by the 111 Project under Grant B14005.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Yubin Yang.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Yang, Y., Wei, Z., Xu, Y. et al. DroidWard: An Effective Dynamic Analysis Method for Vetting Android Applications. Cluster Comput 21, 265–275 (2018). https://doi.org/10.1007/s10586-016-0703-5

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10586-016-0703-5

Keywords

Navigation