Android Malware Detection Through Vector-based And ICC Privilege Graph Inference

Posted on: 2016-05-22
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zheng
Full Text: PDF
GTID: 2308330476453451
Subject: Information and Communication Engineering

Abstract/Summary:
Because reverse-engineering tools for Android are now mature, malicious developers can easily decompile an Android application, insert a malicious payload, repackage it, and publish it to Android markets. The payload usually takes the form of malicious components that run silently in the background of the system to avoid detection.

In this study we propose a mechanism that combines a vector-based method with inference over an Inter-Component Communication (ICC) privilege directed graph to detect suspected malicious software. The mechanism considers most of the available static information, such as component deployment, how Intent messages are delivered, and API calls, so that it can describe the behavior of an Android application. To identify the different intentions of Android malware, the mechanism uses a variety of clustering algorithms. To improve the accuracy of malware prediction, we build the ICC privilege directed graph, a structured combination of permissions and components that can detect suspicious components.

We also developed a system that implements the proposed mechanism, named XDroidMat. First, XDroidMat extracts information from each AndroidManifest.xml file and uses the components as entry points for tracking ICC, API calls, and permissions. Second, it applies a classification algorithm such as KNN to classify applications as benign or malicious. Third, to improve the accuracy of malware prediction, XDroidMat builds the directed ICC privilege graph for benign applications. Finally, it uses algorithms such as PageRank to give each component a score. If a component's score is higher than a predefined threshold, XDroidMat flags it as a malicious component, and the application that owns this component is considered Android malware.
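The final scoring step described above, as an added example that is not XDroidMat's code: it reads components and permissions from a manifest, builds a directed graph over them, runs PageRank, and flags components above a threshold. The manifest, the edge lists, the edge direction (Intent sender to receiver, permission to the component that uses it), the damping factor and the threshold are all assumptions made for illustration; the abstract does not specify them.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for illustration (not taken from the thesis).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".Main"/>
    <service android:name=".Sync"/>
    <receiver android:name=".Boot"/>
  </application>
</manifest>"""

# Constructed static-analysis output (assumed edge semantics):
# ICC edge = Intent sender -> receiver; privilege edge = permission -> component.
ICC_EDGES = [(".Main", ".Sync"), (".Boot", ".Sync")]
PERM_EDGES = [("android.permission.SEND_SMS", ".Sync"),
              ("android.permission.READ_CONTACTS", ".Sync"),
              ("android.permission.READ_CONTACTS", ".Main")]

def parse_manifest(xml_text):
    """Return (permissions, components) declared in AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = [p.get(ANDROID + "name") for p in root.iter("uses-permission")]
    comps = [c.get(ANDROID + "name")
             for tag in ("activity", "service", "receiver", "provider")
             for c in root.iter(tag)]
    return perms, comps

def pagerank(nodes, edges, d=0.85, iters=100):
    """Power-iteration PageRank; rank of dangling nodes is spread uniformly."""
    out = {n: [t for s, t in edges if s == n] for n in nodes}
    rank = {n: 1.0 / len(nodes) for n in nodes}
    for _ in range(iters):
        dangling = sum(rank[n] for n in nodes if not out[n])
        new = {n: (1 - d + d * dangling) / len(nodes) for n in nodes}
        for n in nodes:
            for t in out[n]:
                new[t] += d * rank[n] / len(out[n])
        rank = new
    return rank

def suspicious_components(xml_text, icc, perm_use, threshold):
    """Score every node, then report only components above the threshold."""
    perms, comps = parse_manifest(xml_text)
    nodes = perms + comps
    edges = [e for e in icc + perm_use if e[0] in nodes and e[1] in nodes]
    rank = pagerank(nodes, edges)
    return {c: round(rank[c], 3) for c in comps if rank[c] > threshold}
```

In this constructed graph the `.Sync` service receives Intents from two components and uses both permissions, so it accumulates the most rank and is the only component above a threshold of 0.3.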
Keywords/Search Tags: Android malware, static analysis, feature-based, ICC