The Research And Implementation On Detection Method Of Android Malware Based On ICC

Posted on: 2019-10-04 | Degree: Master | Type: Thesis
Country: China | Candidate: S Huang | Full Text: PDF
GTID: 2428330545471458 | Subject: Computer Science and Technology
Abstract/Summary:
The world has entered the era of the mobile Internet. The number of smartphone users is increasing year by year, and smartphones are becoming more and more powerful. The smartphone has become a device that stores a large amount of personal private information. Applications call system APIs to obtain sensitive information such as the user's contact information, current location and text messages. However, because the auditing mechanisms of many application stores are imperfect, users' private data has been disclosed. To protect users' privacy and to clean up the environment of the Android platform, it is necessary to detect malware on the Android platform.

There are dynamic and static detection methods for Android malware. Dynamic detection collects feature data while the program is running. Static detection decompiles the APK file, obtains the source code, extracts features from it, and builds the detection model from the feature data. Feature data can be divided into two categories: syntax features, such as permissions, signatures and Intent-action; and semantic features, such as the API call chain. The shortcoming of extracting only syntax features is that the feature combination must be updated as technology changes; the advantage is that the algorithm has low complexity and detection is fast. The advantage of extracting only semantic features is that they reflect the behavior of the program accurately, but it is difficult to extract the feature data and train the model. In summary, extracting only syntax features or only semantic features has limitations.

This paper proposes a detection method based on Inter-Component Communication (ICC) that extracts permissions and Intent-action as syntax features and improves on this in two key points. First, the new approach adds a new semantic feature called the Inter-Component Communication Taint Propagation Path, which covers at least two components and is formally defined as a pair of methods, Source and Sink respectively. Moreover, the path is further abstracted as a pair of the classes in which the methods are defined. Then, every new feature is normalized according to the proportion of its total counts found in different sample sets. Finally, a model based on SVM is created and used for classification and detection. The final experimental results on 295 samples show that the accuracy rate and the false positive rate are much better.
Keywords/Search Tags: malware detection, ICC, Taint Propagation, semantic features
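The feature construction described in the abstract, sketched as an added example that is not code from the thesis: each ICC taint path (Source method, Sink method) is abstracted to the pair of defining classes, then weighted by how its occurrences split between sample sets. The weighting formula (malware count divided by total count), the helper names and the sample paths are assumptions constructed for illustration; the resulting vectors are what a classifier such as the SVM would consume.

```python
from collections import Counter

# Constructed sample data: one list of (source method, sink method) ICC paths per app.
MALWARE = [
    [("android.telephony.TelephonyManager.getDeviceId",
      "android.telephony.SmsManager.sendTextMessage")],
    [("android.telephony.TelephonyManager.getDeviceId",
      "android.telephony.SmsManager.sendTextMessage"),
     ("android.location.LocationManager.getLastKnownLocation",
      "java.net.URL.openConnection")],
]
BENIGN = [
    [("android.location.LocationManager.getLastKnownLocation",
      "java.net.URL.openConnection")],
    [("android.location.LocationManager.getLastKnownLocation",
      "android.util.Log.d")],
]

def class_of(method_sig):
    """Abstract 'pkg.Class.method' to the class that defines the method."""
    return method_sig.rsplit(".", 1)[0]

def class_pairs(app_paths):
    """Distinct (source class, sink class) pairs found in one app."""
    return {(class_of(src), class_of(sink)) for src, sink in app_paths}

def pair_counts(sample_set):
    """Number of apps in the set that contain each class pair."""
    counts = Counter()
    for app_paths in sample_set:
        counts.update(class_pairs(app_paths))
    return counts

def pair_weights(malware_set, benign_set):
    """Assumed normalisation: share of a pair's total count seen in malware."""
    mal, ben = pair_counts(malware_set), pair_counts(benign_set)
    return {p: mal[p] / (mal[p] + ben[p]) for p in set(mal) | set(ben)}

def vectorize(app_paths, weights):
    """Feature vector over the sorted pair vocabulary; absent pairs score 0.0."""
    present = class_pairs(app_paths)
    return [weights[p] if p in present else 0.0 for p in sorted(weights)]

if __name__ == "__main__":
    w = pair_weights(MALWARE, BENIGN)
    for pair in sorted(w):
        print(pair, w[pair])
    print(vectorize(MALWARE[1], w))
```

Abstracting to class pairs keeps the vocabulary small, at the cost of merging different methods of the same class into one feature.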