
Research On Android Malware Static Detection Method Based On Multiple Features

Posted on: 2016-07-22
Degree: Master
Type: Thesis
Country: China
Candidate: H Li
Full Text: PDF
GTID: 2348330503986907
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of the mobile Internet, mobile devices such as smartphones and tablets have become an essential part of modern life. Devices based on the Android system occupy a major share of the current mobile market, which draws the attention of Android malicious code developers. Once a smartphone or other mobile device is infected, the attacker can easily obtain much of the user's private information, such as the phone number and location; the malicious code can also intercept the user's short messages and even remove applications from the phone. This has caused a series of serious harms, so research on malicious code detection for the Android system is particularly important at present. Although the traditional detection method based on malicious code signatures is accurate, it does not work for unknown malicious code. Therefore, this thesis analyzes various static features of the Android system and presents an Android malicious code detection method based on multiple features, combining feature selection with machine learning algorithms.

This thesis extracts three types of features: Android permission features, system API features, and structural features based on the function call relationship graph. To extract permissions, the Android application is first decompiled; the permissions requested at installation are recorded in the application's configuration file. To extract system API features, system API calls are retrieved from the Dalvik bytecode files obtained by decompilation. The structural features rely on the application's function call relationship graph.

First, the static analysis tool Androguard is used to extract the application's function call relationship graph; graph kernels are then built over these graphs to compute the similarity between them. Finally, a detection model is created for each feature type separately, and the final detection model is produced by model fusion. Through experiments on many kinds of static features, the detection ability of different static features is compared. The experimental results show that fusing the structural features based on the function call relationship graph with semantic features such as permissions and API calls works well for Android malware detection, and that the proposed detection model can effectively improve the detection of unknown Android malicious code.
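The three-feature pipeline described in the abstract (permission sets, system API call sets, a call graph compared by a graph kernel, then per-feature scores fused into one verdict), as an added example that is not part of the thesis or its code. The app records are hand-constructed stand-ins for what a decompiler such as Androguard would produce from real APKs; the Weisfeiler-Lehman subtree kernel, the kernel nearest-centroid scorer and the equal-weight score averaging are assumptions chosen for illustration, since the abstract does not name which graph kernel, learner or fusion rule the thesis uses.

```python
"""Multi-feature Android malware scoring: set kernels + WL graph kernel + fusion.

Added example, not the thesis's code. Feature sets and call graphs below are
constructed by hand to stand in for decompiler output (manifest permissions,
API calls from Dalvik bytecode, the function call graph). The scorer is a
kernel nearest-centroid rule (mean similarity to malicious training samples
minus mean similarity to benign ones), an assumption standing in for the
thesis's machine-learning model.
"""
from collections import Counter
from math import sqrt


def jaccard(a, b):
    """Set kernel for permission and API feature sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def wl_histogram(graph, iterations=2):
    """Weisfeiler-Lehman relabelling of a call graph {caller: [callees]}.

    Node names double as initial labels; each round replaces a node's label by
    its own label plus the sorted labels of its callees. The returned Counter
    holds label counts across all rounds.
    """
    labels = {node: node for node in graph}
    hist = Counter(labels.values())
    for _ in range(iterations):
        new = {}
        for node, callees in graph.items():
            neigh = sorted(labels[c] for c in callees if c in labels)
            new[node] = labels[node] + "(" + ",".join(neigh) + ")"
        labels = new
        hist.update(labels.values())
    return hist


def wl_kernel(g1, g2, iterations=2):
    """Normalised WL subtree kernel: 1.0 for identical graphs, 0.0 for disjoint labels."""
    h1, h2 = wl_histogram(g1, iterations), wl_histogram(g2, iterations)
    dot = lambda a, b: sum(a[k] * b[k] for k in a if k in b)
    return dot(h1, h2) / sqrt(dot(h1, h1) * dot(h2, h2))


SIMILARITY = {"permissions": jaccard, "apis": jaccard, "call_graph": wl_kernel}


def feature_score(app, training, key):
    """Kernel nearest-centroid score for one feature type; > 0 leans malicious."""
    sim = SIMILARITY[key]
    mal = [sim(app[key], t[key]) for t in training if t["label"] == 1]
    ben = [sim(app[key], t[key]) for t in training if t["label"] == 0]
    return sum(mal) / len(mal) - sum(ben) / len(ben)


def fused_score(app, training, weights=None):
    """Model fusion: weighted average of the three per-feature scores."""
    weights = weights or {k: 1.0 for k in SIMILARITY}
    parts = {k: feature_score(app, training, k) for k in SIMILARITY}
    fused = sum(weights[k] * parts[k] for k in parts) / sum(weights.values())
    return fused, parts


def classify(app, training):
    fused, _ = fused_score(app, training)
    return "malware" if fused > 0 else "benign"


# Constructed training corpus: label 1 = malicious, 0 = benign.
TRAINING = [
    {"label": 1,
     "permissions": {"INTERNET", "SEND_SMS", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED"},
     "apis": {"SmsManager.sendTextMessage", "TelephonyManager.getDeviceId", "HttpURLConnection.connect"},
     "call_graph": {"onReceive": ["collect", "exfil"], "collect": ["getDeviceId"],
                    "exfil": ["sendTextMessage", "connect"], "getDeviceId": [],
                    "sendTextMessage": [], "connect": []}},
    {"label": 1,
     "permissions": {"INTERNET", "SEND_SMS", "READ_PHONE_STATE", "READ_SMS"},
     "apis": {"SmsManager.sendTextMessage", "TelephonyManager.getDeviceId", "TelephonyManager.getLine1Number"},
     "call_graph": {"onReceive": ["collect", "exfil"], "collect": ["getDeviceId", "getLine1Number"],
                    "exfil": ["sendTextMessage"], "getDeviceId": [], "getLine1Number": [],
                    "sendTextMessage": []}},
    {"label": 0,
     "permissions": {"INTERNET", "ACCESS_NETWORK_STATE"},
     "apis": {"HttpURLConnection.connect", "View.setOnClickListener"},
     "call_graph": {"onCreate": ["setContentView", "loadFeed"], "loadFeed": ["connect"],
                    "setContentView": [], "connect": []}},
    {"label": 0,
     "permissions": {"INTERNET", "VIBRATE"},
     "apis": {"HttpURLConnection.connect", "Vibrator.vibrate"},
     "call_graph": {"onCreate": ["setContentView", "loadFeed"], "onClick": ["vibrate"],
                    "loadFeed": ["connect"], "setContentView": [], "connect": [], "vibrate": []}},
]

# Constructed "unknown" samples that match no training record exactly.
UNKNOWN_MALWARE = {
    "permissions": {"INTERNET", "SEND_SMS", "READ_PHONE_STATE"},
    "apis": {"SmsManager.sendTextMessage", "TelephonyManager.getDeviceId"},
    "call_graph": {"onReceive": ["collect", "exfil"], "collect": ["getDeviceId"],
                   "exfil": ["sendTextMessage"], "getDeviceId": [], "sendTextMessage": []},
}
UNKNOWN_BENIGN = {
    "permissions": {"INTERNET"},
    "apis": {"HttpURLConnection.connect", "View.setOnClickListener"},
    "call_graph": {"onCreate": ["setContentView", "loadFeed"], "loadFeed": ["connect"],
                   "setContentView": [], "connect": []},
}

if __name__ == "__main__":
    for name, app in (("unknown-1", UNKNOWN_MALWARE), ("unknown-2", UNKNOWN_BENIGN)):
        fused, parts = fused_score(app, TRAINING)
        print(name, classify(app, TRAINING), round(fused, 3), {k: round(v, 3) for k, v in parts.items()})
```

The per-feature scores are kept separate so the effect the abstract reports can be inspected directly: the call-graph score reacts to how an app is wired together, while the permission and API scores react to what it asks for, and the fusion only has to agree on the sign. Real features would come from the manifest and Dalvik bytecode of each APK, and the weights would be learned rather than set to 1.0.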
Keywords/Search Tags: android malware, static detection, machine learning, graph kernel