Detection of Android Malicious Apps Based on the Sensitive Behaviors

The number of malicious applications (apps) targeting the Android system has exploded in recent years. The evolution of malware makes it difficult to detect for static analysis tools. Various behavior-based malware detection techniques to mitigate this problem have been proposed. The drawbacks of the existing approaches are: the behavior features extracted from a single source lead to the low detection accuracy and the detection process is too complex. Especially it is unsuitable for smart phones with limited computing power. In this paper, we extract sensitive behavior features from three sources: API calls, native code dynamic execution, and system calls. We propose a sensitive behavior feature vector for representation multi-source behavior features uniformly. Our sensitive behavior representation is able to automatically describe the low-level OS-specific behaviors and high-level application-specific behaviors of an Android malware. Based on the unified behavior feature representation, we provide a light weight decision function to differentiate a given application benign or malicious. We tested the effectiveness of our approach against real malware and the results of our experiments show that its detection accuracy up to 96% with acceptable performance overhead. For a given threshold t (t=9), we can detect the advanced malware family effectively.