In the era of mobile Internet, mobile smart terminals have become an indispensable part of our lives. Applications developed on various mobile operating systems have sprung up, greatly enriching our lives. However, research on information security lags significantly behind the development of mobile platforms. Malicious applications are flooding third-party application markets, and the information security of smartphone users faces serious threats. Android is the world's most popular operating system and has naturally become the largest target for malicious hackers, for whom spreading malicious applications is an important attack method. Traditional malware detection methods urgently require more advanced techniques against sophisticated malicious applications. To address this problem, this paper focuses on Android malware detection based on static analysis, dynamic analysis, and machine learning. The main contributions of this paper can be summarized as follows:

Aiming at the problem that detection methods based on the coarse-grained permission mechanism produce a high false alarm rate when a malicious application requests fewer permissions than, or permissions similar to, a benign application, an Android malware detection method based on fine-grained permissions is proposed. Firstly, from the dangerous permissions defined by Google and the 20 most frequent permissions of the 86798 malicious applications collected from AndroMalShare, the permissions with high information gain are extracted; these are further classified into fine-grained permissions, including dangerous permissions applied to components for the first time. Then, the fine-grained permissions and the other multi-class behavioral features of the malicious application are taken as the features of the machine learning algorithm, which better represent the difference between malicious and benign applications. The experimental results show that the method solves the problems mentioned above and detects more malware families while maintaining accuracy.

Aiming at the problems of existing FlowDroid-based analysis methods, such as low detection efficiency and the inability to detect the communication of tainted data between components, a static method is proposed to detect the leakage of tainted data within and between components. First, the method checks whether the application meets the leak requirements, and then divides the application into components to detect the leakage of tainted data in each. Based on the detection results of a single component and the parameters of the Inter-Component Communication (ICC) method, it detects leakage based on the Intent mechanism. Besides, the proposed method logically connects the components that share custom global variables of the Application class to detect whether there is leakage through them. Considering the spontaneous characteristics of malware, and to further improve analysis efficiency, the callbacks that merely serve user needs are not included in the virtual main function. The experimental results demonstrate that this method accurately detects the leakage of tainted data within and between components, and compared with similar methods it can analyze more applications.

Aiming at the problem that existing dynamic taint analysis cannot track tainted data transmitted through Unix domain sockets, we propose, for the first time, a method that solves this problem. Firstly, we conduct a systematic study of Unix domain sockets as used on Android and identify the scenarios in which information flows not caught by existing dynamic taint systems can result in information leakage. Then, the Android system is modified and extended on the basis of TaintDroid and NDroid to track information flow through Unix domain sockets. Three proof-of-concept applications that transmit tainted data over different types of Unix domain sockets are run on TaintDroid, NDroid, and the modified system, named JDroid. The experimental results demonstrate that only JDroid effectively identifies the leakage of tainted data through Unix domain sockets, further improving dynamic taint analysis.

Aiming at the problem that high-dimensional features reduce the efficiency of machine learning, and that high dimensionality and detection accuracy constrain each other, we propose a feature selection method that uses FP-Growth to create the feature set, and the Relief algorithm, the Binary Particle Swarm Optimization (BPSO) algorithm, and Information Gain to select the feature subset. Firstly, we use FP-Growth to mine the maximal frequent itemsets of Application Programming Interfaces (APIs) of 25 malware families and 10 types of benign applications respectively. Then, we merge the API maximal frequent itemsets into the feature set, and use the Relief algorithm to remove repeating features and the BPSO algorithm to remove redundant features. Eventually, Information Gain is used to select the specified number of features. The experimental results demonstrate that the API features extracted by FP-Growth are more specific than randomly selected features, and that the feature subset selected by the Relief algorithm, the BPSO algorithm, and Information Gain improves the performance of the classifiers.

In conclusion, Android malware detection methods based on static analysis, dynamic analysis, and machine learning are proposed. The experimental results demonstrate that the methods proposed in this paper further improve the performance of Android malware detection and have practical significance.
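As an added illustration (not code from this paper or its authors), the feature-selection idea shared by the first and fourth contributions above, in miniature: maximal frequent itemsets are mined per class and merged into a candidate feature set, then Information Gain ranks the candidates and the ubiquitous, uninformative ones drop out. The corpus is constructed, the brute-force itemset miner stands in for FP-Growth, and the Relief and BPSO pruning stages are omitted.

```python
from itertools import combinations
from math import log2

# Constructed toy corpus (not real data): (label, set of permission/API features per app).
SAMPLES = [
    ("malware", {"SEND_SMS", "READ_PHONE_STATE", "INTERNET", "RECEIVE_BOOT_COMPLETED"}),
    ("malware", {"SEND_SMS", "READ_CONTACTS", "INTERNET", "RECEIVE_BOOT_COMPLETED"}),
    ("malware", {"SEND_SMS", "READ_PHONE_STATE", "INTERNET", "READ_SMS"}),
    ("malware", {"READ_PHONE_STATE", "INTERNET", "RECEIVE_BOOT_COMPLETED", "READ_SMS"}),
    ("benign", {"INTERNET", "ACCESS_FINE_LOCATION", "CAMERA"}),
    ("benign", {"INTERNET", "READ_CONTACTS", "CAMERA"}),
    ("benign", {"INTERNET", "ACCESS_FINE_LOCATION", "WRITE_EXTERNAL_STORAGE"}),
    ("benign", {"INTERNET", "CAMERA", "WRITE_EXTERNAL_STORAGE"}),
]

def entropy(labels):
    """Shannon entropy (bits) of a label list; an empty list contributes nothing."""
    n = len(labels)
    if not n:
        return 0.0
    return -sum(labels.count(l) / n * log2(labels.count(l) / n) for l in set(labels))

def information_gain(feature, samples):
    """How much knowing whether an app has `feature` reduces label entropy."""
    has = [lab for lab, feats in samples if feature in feats]
    lacks = [lab for lab, feats in samples if feature not in feats]
    n = len(samples)
    conditional = len(has) / n * entropy(has) + len(lacks) / n * entropy(lacks)
    return entropy([lab for lab, _ in samples]) - conditional

def maximal_frequent_itemsets(feature_sets, min_support):
    """Brute-force stand-in for FP-Growth (fine for toy input): itemsets contained in at
    least `min_support` of the sets and not contained in any other frequent itemset."""
    universe = sorted(set().union(*feature_sets))
    frequent = [set(c) for k in range(1, len(universe) + 1)
                for c in combinations(universe, k)
                if sum(set(c) <= fs for fs in feature_sets) >= min_support]
    return [s for s in frequent if not any(s < t for t in frequent)]

def select_features(samples, min_support, k):
    """Pipeline in miniature: merge per-class maximal frequent itemsets into the candidate
    set, then keep the k candidates with the highest information gain."""
    candidates = set()
    for label in {lab for lab, _ in samples}:
        class_sets = [feats for lab, feats in samples if lab == label]
        for itemset in maximal_frequent_itemsets(class_sets, min_support):
            candidates |= itemset
    ranked = sorted(candidates, key=lambda f: information_gain(f, samples), reverse=True)
    return ranked[:k]
```

With this corpus, INTERNET is frequent in both classes yet has zero information gain, so `select_features(SAMPLES, 3, 4)` keeps the class-specific permissions and discards it.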