Android Malware Detection Based On Static Analysis

Posted on: 2019-10-26
Degree: Master
Type: Thesis
Country: China
Candidate: D C Shao
GTID: 2428330566499455
Subject: Logistics engineering

Abstract/Summary:
With the development of the economy, online shopping has become an important part of people's daily life, and many logistics applications have appeared in the Android market. However, some malware disguises itself as benign applications to steal personal data and has done considerable damage to Android users' privacy. Moreover, much malware uses code obfuscation or repackaging techniques to avoid detection. Faced with these threats, traditional static analysis has weak points to overcome; in particular, it is hard to balance detection accuracy against cost. This paper presents a mixed Android malware detection system that balances cost and accuracy. The main contents and results are as follows:

1) The paper summarizes the advantages and disadvantages of detection methods based on overall signatures and multi-level signatures, and builds a malware database containing the MD5 values of over 11000 malware samples.
2) The paper presents a D-S theory-based method that detects benign applications and intercepts unknown malware.
3) The paper implements a 2-phase static analysis system based on the classic "Cache and Ram" technique, in which a lightweight analysis module and a precise analysis module are combined to balance detection cost and accuracy. The former module uses overall signatures and a permission-based detection method. The latter combines data flow analysis with machine learning.

The experiment on the lightweight analysis module uses known malware, unknown malware and benign applications in the ratio 1:1:1. The results show that the system detects all of the known malware, intercepts most of the unknown malware and detects the majority of the benign applications. The average detection time is less than 10 seconds. The precise analysis module uses 200 malware and benign applications to build the classification model and 50 malware and 50 benign applications to test it; the accuracy is about 91%. In the integration experiment, the system is tested with 50 benign applications, of which 48 are detected correctly. The average detection time is improved to less than 60 seconds compared with traditional data flow analysis. Unlike traditional signature-based detection, the system can also detect malware that uses code obfuscation or repackaging. However, the weights used in the permission-category based detection method are subjective, and the precise analysis module cannot detect malware that uses dynamic payloads. Much work remains for the future.
Keywords/Search Tags:Android, static analysis, signature detection, data flow pattern mining, classification