
Android Malware Detection Based On Data Flow Dependencies Between Sensitive APIs

Posted on: 2017-04-18
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Li
GTID: 2308330485971121
Subject: Computer Science and Technology
Abstract/Summary:
With the development of technology, smartphones have penetrated all aspects of human life and become an indispensable part of daily life. Compared with traditional PC devices, smartphones carry more private user data, such as location information, contact information, fingerprint information and text messaging records, which leads to an endless stream of attacks on smartphones. The security protection of smartphones has become a problem that urgently needs to be solved. In the current smartphone market, the Android platform's market share far exceeds that of the iOS platform. The Android platform is very open, which leads more and more attackers to take it as their target and has caused a sharp increase in the amount of Android malware. Research on malware detection technology for the Android platform is therefore needed, and protecting users' privacy and maintaining the Android ecosystem have great practical significance.

In response to the threat of malware on the Android platform, in this paper we design and implement DroidADDMiner, a malware detection, classification and description system based on data dependence and machine learning. DroidADDMiner combines static data flow analysis with machine learning algorithms: it extracts feature information through data flow analysis, and the machine learning algorithms then use this feature information to perform malware detection, classification and description. DroidADDMiner first decompiles the APK file and translates the app's code into an intermediate language representation. It then selects a set of sensitive APIs, takes them as the basis for data flow analysis, and obtains the data dependence relationships between these sensitive APIs. Once the data dependencies between the sensitive APIs are obtained, a mathematical method is used to transform them into feature vectors, which the machine learning algorithms use to train the classifier. DroidADDMiner uses the machine learning classification algorithms Naive Bayes, Random Forest and support vector machine (SVM) for malware detection and classification, and uses the association rule analysis algorithm Apriori to automatically describe the malicious behavior of a piece of malware. This paper also evaluates DroidADDMiner's efficiency in malware detection, classification and characterization. The experimental results show that DroidADDMiner can achieve a high detection rate with a low false positive rate.
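
The step from data dependencies between sensitive APIs to a trained classifier can be sketched as follows. This is an added example, not code from the thesis: the abstract does not state its encoding, so the binary vector over ordered API pairs, the API labels and the training edges are all assumptions constructed for illustration, with Naive Bayes standing in for the three classifiers named above.

```python
import math
from itertools import permutations

# Illustrative API labels; the thesis's actual sensitive-API list is not on the page.
SENSITIVE_APIS = ["getDeviceId", "getLastKnownLocation", "queryContacts",
                  "sendTextMessage", "openConnection"]
# Assumed encoding: one binary feature per ordered (source API, dependent API) pair.
PAIRS = list(permutations(SENSITIVE_APIS, 2))
INDEX = {pair: i for i, pair in enumerate(PAIRS)}

def to_vector(deps):
    """Encode a set of data-dependence edges as a 0/1 vector over PAIRS."""
    vec = [0] * len(PAIRS)
    for edge in deps:
        if edge in INDEX:  # edges outside the chosen API set are ignored
            vec[INDEX[edge]] = 1
    return vec

def train_bernoulli_nb(samples):
    """samples: [(vector, label)]. Returns {label: (log prior, feature probs)}."""
    model = {}
    for label in sorted({y for _, y in samples}):
        rows = [x for x, y in samples if y == label]
        # Laplace smoothing keeps unseen dependencies from zeroing a class out.
        probs = [(sum(col) + 1) / (len(rows) + 2) for col in zip(*rows)]
        model[label] = (math.log(len(rows) / len(samples)), probs)
    return model

def predict(model, vec):
    """Return the label with the highest log-likelihood for a feature vector."""
    def score(label):
        log_prior, probs = model[label]
        return log_prior + sum(math.log(p if x else 1 - p)
                               for x, p in zip(vec, probs))
    return max(model, key=score)

# Constructed training set: edges as a static data-flow analysis might report them.
TRAIN = [
    ({("getDeviceId", "sendTextMessage")}, "malware"),
    ({("queryContacts", "openConnection"), ("getDeviceId", "openConnection")}, "malware"),
    ({("getLastKnownLocation", "sendTextMessage"), ("getDeviceId", "sendTextMessage")}, "malware"),
    ({("getLastKnownLocation", "openConnection")}, "benign"),
    (set(), "benign"),
    ({("getLastKnownLocation", "openConnection")}, "benign"),
]
MODEL = train_bernoulli_nb([(to_vector(d), y) for d, y in TRAIN])

if __name__ == "__main__":
    print(predict(MODEL, to_vector({("queryContacts", "openConnection")})))
```

Encoding the direction of each dependency lets the classifier separate an identifier flowing into an SMS call from the same two APIs used independently, which a plain list of called APIs would not capture.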
Keywords/Search Tags: Android, Malware, Data Dependency, Machine Learning