Prikladnaya Diskretnaya Matematika
Prikladnaya Diskretnaya Matematika, 2017, Number 36, Pages 84–105
DOI: https://doi.org/10.17223/20710410/36/7
(Mi pdm584)
 

This article is cited in 2 scientific papers (total in 2 papers)

Mathematical Foundations of Computer Security

Automated static analysis and classification of Android malware using permission and API calls models

A. A. Skovoroda, D. Y. Gamayunov

Lomonosov Moscow State University, Moscow, Russia
Abstract: In this paper, we propose a heuristic approach to static analysis of Android applications based on matching suspicious applications with the predefined malware models. Static models are built from Android capabilities and Android Framework API call chains used by the application. All of the analysis steps and model construction are fully automated. Therefore, the method can be easily deployed as one of the automated checks provided by mobile application marketplaces or other interested organizations.
Using the proposed method, we analyzed the Drebin and ISCX malware collections to find possible relationships and dependencies between their samples, as well as a large fraction of Google Play apps collected between 2013 and 2016, which served as benign data. The analysis results show that a combination of relatively simple static features, namely permissions and API call chains, is enough to perform binary classification between malware and benign apps, and even to find the corresponding malware family, with an appropriate false positive rate of about 3 %. Exploration of the malware collections shows that modern Android malware rarely uses obfuscation or encryption techniques to make static analysis more difficult, which is quite the opposite of what we see in the case of the “Wintel” endpoint platform family.
We also provide an experiment-based comparison with adagio, a previously proposed state-of-the-art Android malware detection method. Adagio outperforms our proposed method in detection coverage (98 vs 91 % of malicious samples are covered), while at the same time causing a significant number of false alarms, corresponding to 9.3 % of benign applications on average.
Keywords: static analysis, Android malware.
Document Type: Article
UDC: 004.492.3
Language: Russian
Citation: A. A. Skovoroda, D. Y. Gamayunov, “Automated static analysis and classification of Android malware using permission and API calls models”, Prikl. Diskr. Mat., 2017, no. 36, 84–105
Citation in format AMSBIB
\Bibitem{SkoGam17}
\by A.~A.~Skovoroda, D.~Y.~Gamayunov
\paper Automated static analysis and classification of Android malware using permission and API calls models
\jour Prikl. Diskr. Mat.
\yr 2017
\issue 36
\pages 84--105
\mathnet{http://mi.mathnet.ru/pdm584}
\crossref{https://doi.org/10.17223/20710410/36/7}
Linking options:
  • https://www.mathnet.ru/eng/pdm584
  • https://www.mathnet.ru/eng/pdm/y2017/i2/p84