
An Android Malware Detection System Based On Manifest And API Calls

Posted on: 2018-02-26 | Degree: Master | Type: Thesis
Country: China | Candidate: Z Wang
GTID: 2348330518494413 | Subject: Computer technology
Abstract/Summary:
Currently, the amount of malware installed on smartphones is increasing explosively. Viruses, Trojans, advertising, and spam are coming in thick and fast, which has brought serious threats to the network security of nations, communities, and individuals. Detecting and preventing the flood of malware among Android applications is a permanent challenge.

The security of an Android application depends on the security information in its Android Manifest file, which includes permissions, hardware features, intent filters and so on, and on certain API calls. This article proposes an Android malware detection system based on the Manifest and API calls, combining static detection, dynamic detection, and machine learning algorithms. The system is introduced in the following five aspects.

Firstly, at the data preparation phase, benign Android applications and malware are collected from Android application markets and from university laboratories, research institutions, or security companies, respectively. Then, we use ApkTool to decompile all Android applications, obtaining the manifest files and smali files. Meanwhile, dynamic logcat files of the Android applications are obtained through DroidBox.

Secondly, at the feature extraction and regularization phase, the main features are generated from the manifest files, smali files, and logcat files, and a feature dictionary is then constructed. With the dictionary, we generate and normalize feature vectors.

Thirdly, at the dimensionality reduction and feature purification phase, attribute subset selection is applied to the feature vector matrix to reduce the dimension of the vectors. Then, the vector matrix is purified by decontamination, duplicate removal, and disambiguation.

Fourthly, at the machine learning phase, we train and test on the dataset using methods such as Naive Bayesian, Bayesian Network, Random Tree, Decision Tree, K Nearest Neighbor, and Random Forest.

Fifthly, at the experimental results evaluation phase, the results of the machine learning classifiers are evaluated by indicators including true positive rate (TPR), false positive rate (FPR), Precision, Recall, F-Measure, AUC, and Accuracy.

We use 10-fold cross validation and a random oversampling algorithm during the experiment on 43822 benign applications and 8454 malicious applications, with the parameter of random forest set to 100. The detection system achieves better performance when evaluated on indicators such as TPR, FPR, Precision, Recall, F-Measure, and AUC. The detection efficiency is 99.6% and the false positive ratio is 0.3%.
Keywords/Search Tags:android security, malware detection, information security, machine learning
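The manifest half of the feature extraction, dictionary, and purification phases described in the abstract can be sketched as follows. This is an added example, not code from the thesis: the sample manifests are constructed, the function names and the `kind::value` feature naming are assumptions, and `purify` reflects one assumed reading of "duplicate removal and disambiguation". Features from smali API calls and logcat output are not covered.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
_HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
# Constructed sample manifests in decoded (text XML) form; not taken from the thesis dataset.
SAMPLES = {
    "benign": _HEAD + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-feature android:name="android.hardware.camera"/>
  <application><activity android:name=".Main"><intent-filter>
    <action android:name="android.intent.action.MAIN"/>
  </intent-filter></activity></application></manifest>""",
    "suspicious": _HEAD + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application><receiver android:name=".Boot"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/>
  </intent-filter></receiver></application></manifest>""",
}
TAGS = (("uses-permission", "permission"), ("uses-feature", "feature"), ("action", "intent"))

def manifest_features(xml_text):
    """Return the set of 'kind::value' features declared in one decoded manifest."""
    root = ET.fromstring(xml_text)
    feats = set()
    for tag, kind in TAGS:
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:  # e.g. a uses-feature carrying only glEsVersion has no name
                feats.add(f"{kind}::{name}")
    return feats

def build_dictionary(feature_sets):
    """Map every distinct feature to a stable column index (sorted order)."""
    return {f: i for i, f in enumerate(sorted(set().union(*feature_sets)))}

def vectorize(features, dictionary):
    """Binary vector: 1 where the app declares the feature; unseen features are ignored."""
    vec = [0] * len(dictionary)
    for f in features:
        if f in dictionary:
            vec[dictionary[f]] = 1
    return vec

def purify(rows):
    """Drop duplicate (vector, label) rows and vectors seen with conflicting labels."""
    seen = {}
    for vec, label in rows:
        seen.setdefault(tuple(vec), set()).add(label)
    return [(list(v), next(iter(ls))) for v, ls in seen.items() if len(ls) == 1]

if __name__ == "__main__":
    sets = {k: manifest_features(v) for k, v in SAMPLES.items()}
    d = build_dictionary(sets.values())
    print({k: vectorize(s, d) for k, s in sets.items()})
```

Manifests taken from malware samples are untrusted input, so a pipeline that parses them at scale would normally swap in a hardened XML parser such as `defusedxml`.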