
SAMADroid A Novel 3-Level Hybrid Malware Detection Model For Android Operating System


Received October 13, 2017, accepted November 20, 2017, date of publication January 12, 2018, date of current version February 28, 2018.


Digital Object Identifier 10.1109/ACCESS.2018.2792941

SAMADroid: A Novel 3-Level Hybrid Malware Detection Model for Android Operating System
SABA ARSHAD (1), MUNAM A. SHAH (1), ABDUL WAHID (1), AMJAD MEHMOOD (2), HOUBING SONG (3) (Senior Member, IEEE), AND HONGNIAN YU (4, 5)
(1) Department of Computer Science, COMSATS Institute of Information Technology, Islamabad 45550, Pakistan
(2) Institute of Information Technology, Kohat University of Science and Technology, Kohat 26000, Pakistan
(3) Department of Electrical, Computer, Software, and Systems Engineering, Embry-Riddle Aeronautical University, Daytona Beach, FL 32114 USA
(4) School of Computer Science and Network Security, Dongguan University of Technology, Shongshanhu 523808, China
(5) Faculty of Sciences and Technology, Talbot Campus, Bournemouth University, Bournemouth BH12 5BB, U.K.

Corresponding author: Amjad Mehmood ([email protected])

ABSTRACT For the last few years, Android has been known to be the most widely used operating system, and this rapidly increasing popularity has attracted malware developers' attention. Android allows downloading and installation of apps from other unofficial market places. This gives malware developers an opportunity to put repackaged malicious applications in third-party app-stores and attack the Android devices. A large number of malware analysis and detection systems have been developed which use static analysis, dynamic analysis, or hybrid analysis to keep Android devices secure from malware. However, the existing research clearly lags in detecting malware efficiently and accurately. For accurate malware detection, multilayer analysis is required, which consumes a large amount of the hardware resources of resource-constrained mobile devices. This research proposes an efficient and accurate solution to this problem, named SAMADroid, which is a novel 3-level hybrid malware detection model for Android operating systems. The research contribution includes multiple folds. First, many of the existing Android malware detection techniques are thoroughly investigated and categorized on the basis of their detection methods. Also, their benefits along with limitations are deduced. A novel 3-level hybrid malware detection model for Android operating systems is developed that can provide high detection accuracy by combining the benefits of the three different levels: 1) Static and Dynamic Analysis; 2) Local and Remote Host; and 3) Machine Learning Intelligence. Experimental results show that SAMADroid achieves high malware detection accuracy while ensuring efficiency in terms of power and storage consumption.

INDEX TERMS Accuracy, android operating system, dynamic analysis, efficiency, hybrid malware
detection, machine learning, memory usage, performance overhead, power consumption, static analysis.

I. INTRODUCTION
The Android operating system is known to be the most popular and widely used operating system. According to the Gartner report, Android dominated the operating system market by capturing 81.7% of total market shares by the end of 2016 [1]. Figure 1 shows the market shares of the Android operating system on a yearly basis. It can be observed that Android has become the most widely used operating system over the years. With the increasing popularity of Android OS every year, Android malware attacks are also growing rapidly. TrendMicro declared that the number of Android malwares has increased to 10.6 million [2]. Figure 2 depicts the yearly increase in Android malwares.

FIGURE 1. Android market shares.

A lot of antimalware techniques have been proposed to protect Android devices from malwares. These techniques can be classified as two main approaches: Static Analysis Approach and Dynamic Analysis Approach. In Static analysis, applications are analyzed by scanning all the code included in the application package instead of executing them. This is

2169-3536 © 2018 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
VOLUME 6, 2018, page 4321
S. Arshad et al.: SAMADroid: Novel 3-Level Hybrid Malware Detection Model for Android Operating System

useful for identifying the malicious code of applications which only executes at specific conditions, e.g., system reboots etc. but it cannot detect the encrypted and dynamically loaded malicious code. While in Dynamic analysis, only runtime behavior of application is analyzed, e.g., system call tracing etc. It can detect the encrypted and dynamically loaded malicious data. A better solution to overcome the limitations of both analysis approaches is to use a hybrid analysis, which is a combination of the static and dynamic analysis technique. These limitations force the researchers to develop the hybrid analysis mechanisms to achieve high detection rates. Although hybrid analysis techniques succeed to achieve high accuracy by combining the benefits of static and dynamic analysis approaches but they fail to ensure the efficiency of mobile resources. Existing Antimalware techniques that are hybrid of static and dynamic analysis are either performed on the local host (on-device) or at remote host (off-device). On-device hybrid analysis helps to generate the quick analysis results but mobile devices are usually resource constrained and requires more hardware resources to perform the hybrid analysis on the device. Instead, analysis on the remote server helps to reduce the resource consumption of mobile devices but it generates unrealistic results, thus lowering the detection accuracy.

FIGURE 2. Android malware growth.

In this paper, a novel 3-level hybrid Android malware detection model is proposed named as SAMADroid. It is a hybrid between three levels for malware analysis and detection: i) Static & Dynamic Analysis; ii) Local & Remote Host; iii) Machine Learning Intelligence. In static analysis phase, experiments are performed for feature selection, in order to obtain the features which can provide maximum and useful information about the application behavior. For this purpose, Drebin's features sets are used, with little alterations. Drebin is a static analysis malware detection framework which detects malwares with high accuracy, although it lacks dynamic analysis and cannot detect encrypted and dynamically loaded malicious code [3]. For dynamic analysis, system calls are traced at runtime. Different machine learning algorithms are applied and their performance is compared to get the most accurate machine learning technique. The proposed scheme is designed to overcome the resource efficiency problem of the existing anti-malware systems. Our contribution includes multiple folds.

1) We thoroughly investigate most of the existing antivirus programs that act against malwares to protect Android systems and categorize them on the basis of their detection methods.
2) We provide an easy and concise view of the existing malware detection and protection mechanisms and deduce their benefits and limitations.
3) We developed a novel 3-level hybrid malware detection model for Android operating systems, that can provide high detection accuracy by combining the benefits of three different levels and ensure the resource efficiency.
4) Through SAMADroid, we provide explanation to Android users about the behavior of application. This feature of SAMADroid helps the Android users to become aware of behavior of different applications.

The rest of the paper is organized as follows: Section II contains the literature review of existing Android malware detection techniques that use hybrid analysis. In Section III, we explain our proposed solution, SAMADroid, which overcomes the resource consumption problem and achieves high detection accuracy at low mobile resource consumption. Section IV comprises experiments performed during development of SAMADroid and the results obtained and finally the paper is concluded in Section V.

II. LITERATURE REVIEW
Standalone static and dynamic analyses have their own limitations due to which efforts have been made towards the development of hybrid antimalware techniques. Although the hybrid detection schemes have resolved the problem of accuracy in malware detection up to some extent but still they are inefficient. We have categorized the existing Android malware detection hybrid techniques as follows:
1) Static and Dynamic Analysis
2) Static, Dynamic Analysis and Machine Learning
3) Static, Dynamic Analysis and Local, Remote Host.

A. STATIC AND DYNAMIC ANALYSIS
This category includes Android malware detection techniques that use hybrid of static and dynamic analysis to achieve high malware detection accuracy.

Bläsing et al. [4] proposed an Android application sandbox which can detect suspicious behavior in Android applications by analyzing the app both statically and dynamically. In static analysis phase, Android application is decompressed first and then decompiled by using Baksmali tool [5]. Static patterns are then extracted by scanning the decompiled smali files. Static patterns include usage of Runtime.Exec() method, java native libraries, reflection, permissions, service and IPC provision. While in the dynamic analysis phase, the application is installed and executed on the Android emulator. Monkey tool is used to operate the application with random user inputs e.g. gestures, touches and clicks. AASandbox placed in the kernel space uses loadable kernel module for execution of the application under fully controlled environment and creates the logs by hijacking the system calls. Mathematical behavior


vectors are created from the static behavior logs and dynamic behavior logs. These vectors can be used for the detection of suspicious behavior of the application and classification of application either manually or automatically. Through experimentation, they have shown that the proposed method performs correctly when they have applied a handwritten program named fork bomb that uses Runtime.Exec() and generated the static behavior vector and dynamic behavior vector. The output generated by the system clearly shows that the program uses Runtime.Exec(). The major limitation of AASandbox is that it provides security to Android devices by hijacking the system calls. It cannot be distributed in the mass market because it requires the root privileges to hijack the system calls on a device. They have not provided accuracy and efficiency measures either.

Zhou et al. [6] have proposed DroidRanger for detection of known and zero day malwares in popular Android markets. They have collected 204,040 Android applications among which 75% are from Android official market [7] and 25% are collected from four alternative Android application markets, eoeMarket [8], gfan [9], alcatelclub, and mmoovv. By using static features, DroidRanger detects known malwares in two steps: Initially it uses essential permissions, required by the malware to perform the intended functionality, to filter the malicious Apps. This process greatly reduces the number of Apps for further examination in second step. After permission filtering, behavioral filtering is performed where App's behavior is analyzed by using information from manifest file and API calls. This information is then mapped against the behavior rules to detect and filter the known malwares on the basis of their behavior. Detection of unknown malwares is performed in two phases: In the first phase heuristic based filtering is carried out. Two heuristics have been considered by the authors in this scheme. In the first heuristic, they focused on the dynamic loading of java binary code from remote server. Android uses DexClassLoader [10] for dynamic loading of java code. During evaluation, authors have found that 1055 applications used this class. This heuristic enabled the system to detect zero-day malware, Plankton. The other heuristic is related to dynamic loading of native code locally such that if an app containing native code stored in the directory other than default directory such app's behavior is unusual. This heuristic helps to discover the malwares which attack the OS kernel to get access on the root privileges. Through this heuristic they discovered DroidDreamLight [11], a zero-day malware from Android's official market. In the second phase, it performs dynamic execution monitoring to inspect the runtime behavior of the applications on the basis of heuristics. API calls and their arguments are recorded in order to detect the malicious behavior of dynamically loaded java code and system calls are traced for detection of malicious behavior performed by the app by dynamically loading native code. Among 204,040 applications DroidRanger successfully detected 211 infected applications where 40 apps contained zero-day malware and 171 apps were infected from known malware. This malware detection technique is only developed for Android markets, not for Android devices.

B. STATIC, DYNAMIC ANALYSIS & MACHINE LEARNING
Antimalwares that are hybrid of static and dynamic analysis and machine learning techniques fall into this category. Wu et al. [12] proposed DroidDolphin, a cloud based malware detection framework that uses both static and dynamic analysis for malware detection. The proposed scheme consists of four phases: preprocessing, emulation and testing, feature extraction and machine learning. In preprocessing phase they used APIMonitor [13] for monitoring malicious API calls. First of all, APIMonitor reverse engineers the APK file, wraps the API call with DroidBox [14] version and then repackages the application. This process helps to identify the malicious API calls by tracing the call logs as it generates the message whenever the application triggers an API call. Authors have recorded 25 API calls in this process. For emulation and testing they installed the applications on Android Virtual Devices and APE_BOX which is a combination of APE [15] and DroidBox. Through DroidBox, 13 runtime activities were recorded. APE enables the proposed system to simulate GUI based events and helps to traverse application's code path in order to identify the malicious behaviors. Ngram model is used for feature representation. Features extracted through APIMonitor and APE_BOX are given as input to the SVM [16] classifier and LIBSVM [17] is used for malware detection model implementation. In order to evaluate the performance of proposed scheme authors have used big training dataset which includes 32000 malicious and 32000 benign apps. Test set consists of 1000 benign and 1000 malicious apps. They have compared the system's performance with the STREAM [18]. Through experimental results it is shown that the proposed scheme can achieve 86.1% accuracy which is higher than that of STREAM but at the cost of low efficiency.

Wang et al. [19] proposed a hybrid malware detection scheme that detects known malwares and their variants through signature based misuse detection and zero-day malwares through anomaly detection. In static analysis, static features are extracted from manifest file and disassembled dex files through Android Asset Packaging Tool [20]. For dynamic features extraction, Cuckoo Droid [21] is used and a simulation tool Robotium [22] is used to enhance Cuckoo Droid. These features, static and dynamic, are then mapped into vector space where each dimension has a value 0 or 1. In order to enhance the accuracy and performance, different feature selection methods are applied for misuse and anomaly detection. After feature selection, Linear SVC classifier [23] is applied. If the application is classified as a malware, the system further detects whether it is a known malware or a variant of known malware family. On the basis of similarity in signature it classifies the malware and updates the training database. On the other hand, if misuse detection cannot detect the malicious behavior in application then anomaly detection is performed. It uses One-Class SVM classifier [24]. If any abnormal behavior is detected it classifies the app as


zero-day malware and update the training database. For evaluation, they have used 12000 benign apps from different China App stores and 5560 malware samples. Results show that the misuse detection can detect with 98.79% true positive rate and anomaly detector can detect with 98.76% true positive rate.

Patel and Buddadev [25] proposed a malware detection system that performs both static and dynamic analysis of application under observation and then applies machine learning technique in order to create rules. These rules are then used to classify the application as benign or malware. In static analysis phase, it extracts the permission related parameters e.g. intents, services and broadcast receivers from the manifest file by using Android Asset Packaging Tool [20]. In dynamic analysis, the system executes the application on Android emulator [26] and extracts the features related to user interactions, java based and native based function calls. Once the permission based and behavior based features are collected, they are stored into CSV file. In the next stage, feature selection is performed on the basis of information gain. Selected features are recorded in the CSV file along with the name of the application and class of application e.g. malware or benign. This CSV file is then used by the rule generation module for creating rules that are used to correctly classify the application. It classifies the application by mapping the permissions against the function calls e.g. if an app tries to send message or access device id by API calls and does not mention the permission request for message sending or access to device id then such an application is classified as malicious. For experiments authors have used datasets of various sources (Droidkin [27] and contagioDump [28]). Experimental results show that they achieved high detection rate of 96.4% but at low efficiency because they performed both static analysis, dynamic analysis and machine learning based detection on local device which results in high scanning time, high power consumption and high resource/storage consumption.

Shijo and Salim [29] have proposed a hybrid malware detection technique which integrates the static analysis and dynamic analysis and then applies machine learning for detection. In static analysis phase, the system extracts PSI as static features from the binary code files. On the other hand, in dynamic analysis Cuckoo malware analyzer is used for dynamic feature extraction by execution of application. API call logs are extracted from the binary executable files and their sequence is used to distinguish between malicious and benign apps. These API call sequences are analyzed on the basis of n-gram based method in which API call grams are created for each file and sorted according to the occurrence frequency in each file. API call grams below the threshold value are eliminated and remaining call grams are used for feature vector creation. Once the static and dynamic feature vectors are created the proposed scheme concatenates the two feature vectors for each file in order to produce an integrated feature vector and inputs these feature vectors to two different machine learning techniques for classification. For evaluating the performance of proposed system authors have used Weka tool [30] and applied the two machine learning techniques, SVM [31], [32] and Random Forest [33]. The data set consists of 997 malicious files and 490 benign files. Results show that the proposed scheme can classify the unknown applications with 98.7% accuracy but this scheme requires large storage and computation resources.

DroidDetector is an online system developed for detection of Android malwares [34]. It performs both static and dynamic analysis at remote server and then applies deep learning for separation of malwares from legitimate apps. For static analysis, permissions and sensitive API calls are used. These static features are extracted using 7-zip [35], AXML-Printer2 [36], TinyXml [37] and Baksmali tools [4]. Dynamic behaviors are extracted for dynamic analysis through DroidBox tool. Each Android application is executed in the DroidBox for specific period of time and its dynamic behavior is monitored. The extracted features, both static and dynamic, are then embedded into feature vectors. These features are given as input to deep learning model for detection of malicious applications. For evaluation of DroidDetector, authors have used 20,000 legitimate apps from Google Play store and malware apps from Contagio mobile, 500 apps, and Genome project, 1260 apps. Experimental results show that it can detect malwares with 96.7% accuracy. Dynamic analysis is performed at remote server for a specific period of time. Major limitation of this technique is that malwares which do not show malicious behavior during that monitoring interval may evade the detection system.

Liu et al. [38] proposed a hybrid malware detection scheme which can detect the malicious behavior by static or dynamic analysis of the application. It initially decompiles the application by using Apktool [39] and applies a program that analyses the decompiled results of the application and automatically switches the application to static or dynamic analysis procedure. If the app is successfully decompiled then static analysis is performed where manifest file [40] is scanned and permissions and API keywords in Smali files are extracted as static features. Feature vector is generated from these features and passed to machine learning classifier for classification of the application as benign or malware. On the other hand, if application is not correctly decompiled, as a result of any transformation technique [41], then dynamic analysis is performed on the application. Firstly, it installs and executes the application on the experimental device and traces the system call logs by using Strace tool [42]. Feature vector is generated from these logs and passed to machine learning classifier for evaluation. For performance evaluation, authors collected malware dataset from Genome Project and benign apps dataset from Wandoujia [43], an Android app market, and applied SVM [32], Naive Bayes [44] and kNN [45], [46], machine learning algorithms, on the dataset. Experimental results of static analysis show that the proposed scheme can achieve 99% accuracy while 90% accuracy is achieved as a result of dynamic analysis. Limitations of this technique include that static analysis is performed if the application is correctly decompiled; in that case, dynamic analysis is not performed
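
The API call n-gram step summarized above for Shijo and Salim's technique [29] can be sketched as follows. This is an added example, not code from this paper or from the cited work; the call names, the static feature values, n = 2, the threshold of 2 and the use of raw counts as feature values are assumptions chosen for illustration, and the static features are taken as already extracted.

```python
from collections import Counter

# Constructed sample data: one ordered API call log per analysed file, plus an
# already-extracted static feature vector for each file. All names and values
# are illustrative assumptions, not data from the paper.
SAMPLE_LOGS = {
    "benign_a": ["open", "read", "close", "open", "read", "close"],
    "benign_b": ["open", "read", "close", "open", "write", "close"],
    "malware_a": ["open", "read", "connect", "send",
                  "open", "read", "connect", "send"],
}
SAMPLE_STATIC = {
    "benign_a": [1, 0, 0],
    "benign_b": [1, 0, 1],
    "malware_a": [0, 1, 1],
}


def call_grams(calls, n):
    """Count the n-grams (as tuples) in one file's ordered API call log.

    A log shorter than n yields an empty Counter rather than an error.
    """
    return Counter(tuple(calls[i:i + n]) for i in range(len(calls) - n + 1))


def build_vocabulary(logs, n, threshold):
    """Select the call grams that become dynamic feature dimensions.

    Grams are counted per file; a gram whose count in a file is below the
    threshold is eliminated for that file. Surviving grams are ordered by
    total surviving frequency (ties broken alphabetically) so the feature
    layout is deterministic.
    """
    totals = Counter()
    for calls in logs.values():
        for gram, count in call_grams(calls, n).items():
            if count >= threshold:
                totals[gram] += count
    return sorted(totals, key=lambda gram: (-totals[gram], gram))


def dynamic_vector(calls, vocabulary, n):
    """Project one call log onto the fixed vocabulary (raw gram counts)."""
    counts = call_grams(calls, n)
    return [counts[gram] for gram in vocabulary]


def integrated_vector(static_vector, calls, vocabulary, n):
    """Concatenate static and dynamic features into one vector per file."""
    return list(static_vector) + dynamic_vector(calls, vocabulary, n)


def build_dataset(logs, static, n=2, threshold=2):
    """Return (vocabulary, {file name: integrated feature vector})."""
    vocabulary = build_vocabulary(logs, n, threshold)
    vectors = {
        name: integrated_vector(static[name], calls, vocabulary, n)
        for name, calls in logs.items()
    }
    return vocabulary, vectors


if __name__ == "__main__":
    vocab, dataset = build_dataset(SAMPLE_LOGS, SAMPLE_STATIC)
    print("dynamic dimensions:", vocab)
    for name, vector in dataset.items():
        print(name, vector)
    # A file analysed later is projected onto the same vocabulary, so grams
    # that were never selected contribute nothing to its vector.
    print("unseen:", integrated_vector([0, 0, 1], ["fork", "exec"], vocab, 2))
```

Fixing the vocabulary on the training files and projecting later files onto it keeps every vector the same length, which any classifier fed with these vectors requires.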


on the application. Detection system will not be able to detect the dynamically loaded data. Also, when dynamic analysis is performed, only the executed code is analyzed. The code that is not executed remains undetected, thus lacking the benefits of static analysis if dynamic analysis is performed and vice versa.

Saracino et al. [47] have defined the malware types on the basis of their behavioral class. The proposed scheme identifies the misbehavior performed by each malware type by correlating the features extracted at four different levels: package level, application level, user level and kernel level. At kernel level, it monitors and hijacks the system calls. At application level, it monitors the critical APIs to detect the malicious behaviors. User activities are monitored at user level and malicious events are detected when the user is idle or not interacting with the device. At the fourth level, named as package level, proposed system identifies if the application under observation is risky or not, on the basis of permissions requested by the app and market information. MADAM performs App Risk Assessment statically where App evaluator analyzes the app's metadata, collected locally and remotely from the app market, finds if the app is risky or not and generates the list of suspicious Apps. Static features analyzed to assess the app's risk level are: permissions in the manifest file, market place from where the app is downloaded, number of downloads of this app, developer's reputation and user ratings. Once the riskiness of application is identified, it is added to the app suspicious list for monitoring at runtime for malicious behavior detection. Global monitoring block includes system call monitor, user activity monitor, message monitor, activity logger and classifier. System call monitor intercepts the system calls related to file operations and networks access. Message monitor hijacks the API calls sendTextMessage() and sendDataMessage() while the user activity monitor identifies if the user is active or idle through the Android APIs. The user is considered to be active if the screen is on and user is actively interacting with it or the screen is off and the phone call is ongoing. The action logger collects the features from three monitors and generates a feature vector consisting of 14 features among which 11 features represent the system calls. The values corresponding to these system calls show the number of times each system call is triggered in specific time interval. User idleness feature value is '0' if the user is idle and '1' if the user is active. The last two features are collected from message monitor which shows the number of messages sent in a specific time interval and messages sent to the number not in device contact list. Finally, the vector is given as input to the kNN classifier which uses Euclidean Distance Function [48]. The proposed scheme is tested on dataset obtained from Genome [49], contagio mobile [50] and virus share [51] and achieves 96.9% detection rate which is comparable with VirusTotal [52]. Also, it is able to detect 9 such malware families that remain undetected by VirusTotal. MADAM has some limitations too but the major limitation is that it requires root privileges on the device to perform detection due to which it cannot be distributed in the mass market. Only markets can use it for detection of malicious apps on their store. Also, it is not very much efficient in terms of memory usage.

Chuang and Wang [53] proposed a hybrid behavior model for malware detection. In the proposed technique, APK file of each Android application is preprocessed initially. The preprocessing phase includes following steps: first of all, the application is disassembled by the reverse engineering tool, Androguard [54], in order to get the frequency of each API call used by the application. Then the statistics are generated for API calls in malicious and benign Apps. These statistics are then used for ranking the APIs on the basis of usage difference percentage of the API. Through the statistics, it is observed that the call frequency of dangerous APIs is higher in malicious apps than benign Apps. As a result of application preprocessing two feature vectors are generated, one includes APIs preferred by the malicious apps and other includes API preferred by the benign apps. These feature vectors are classified by the two behavior models, normal behavior model and malicious behavior model. LIBSVM [17] is used to build these models. The normal behavior model is trained on the feature set of APIs preferred by the benign apps. If new application, under analysis, does not act like other legitimate apps then it is classified as malware. On the other hand, feature set of APIs preferred by the malicious apps is used for the training of malicious behavior model. If an application does not act like other malicious applications, then malicious behavior model will classify it as benign app. After the separate analysis by each trained SVM model [23], the proposed scheme combines the two models by using fusion logic where score is calculated for each application. If the score value is larger than zero, the application is classified as True (malicious), otherwise False (benign). For performance evaluation of proposed model, they have collected 3368 malware samples from Contagio mobile [55] and 6005 benign Android apps [56]. This dataset is divided into training set (dataset A) and test set (dataset B). Experimental results show that the proposed hybrid model can detect the malicious apps with 96.69% accuracy and 95.25% detection rate. The proposed scheme cannot detect the dynamically loaded malicious code as it only performs static analysis.

C. STATIC, DYNAMIC ANALYSIS & ON-DEVICE, OFF-DEVICE DETECTION
Rodríguez-Mota [57] proposed a 2-Hybrid malware detection test framework which is an ongoing project and performs the analysis and detection of malwares on the device and remote server. The framework includes a feature collector unit which collects different features of the application, at installation. By analyzing these features local detector classifies the application as legitimate, malware or risky. If application is classified as benign, the response manager allows the installation of the App and if the App is classified as malware, response manager allows user to cancel the installation process. In the case of potential risk, the host based analysis does not completely classify the application as benign or malware, then


detailed analysis is performed at remote server. The cloud manager obtains the app's information from the feature collector and performs dynamic analysis on the data at the remote server. If any malicious behavior is detected in the application, the remote server sends data to the local device to be stored in the local database for future detection of such apps. At this initial stage, they have collected 39 Trojan samples and listed 69 permissions requested in these malware samples. They compared their results with [58], [59] and found that from the top 20 frequently requested permissions, 17 permissions are reported in these cited studies. Efficiency and accuracy measures cannot be determined at this stage.

Jang et al. [60] have proposed Andro-Dumpsys, an Android antimalware system. In Andro-Dumpsys, a client application running on the Android device captures the application specific information and sends it to the server, where detailed analysis and emulation based execution of the application is performed. The application specific information includes the hash code of the application and the package name. If the application is available in the repository, the analysis is performed. Otherwise the apk file is forwarded to the server from the client device. Key features used for the analysis include the serial number of the developer certificate, which is allocated to each developer during account registration. This feature helps to recognize the applications developed by malware developers quickly. Other features include suspicious API sequence, intent filters, permissions, system commands and the forged files. Using these features, malicious behavior of applications is identified. Experimental results show that Andro-Dumpsys can detect malware applications with 99% accuracy. The major limitation of this technique is that it uses emulation based detection, which can be easily evaded by the malwares. Also, the sending of the complete apk file to the server consumes a lot of battery power and money at the client device.

Talha et al. [61] proposed APK Auditor, an Android malware detection system that uses permissions as static analysis features for malware behavior detection. It consists of three components: 1) Signature database, which contains the signatures of all the applications; 2) Android client, which provides a service of malware analysis to the users; 3) Central server, which is responsible for connecting the Android client with the signature database. The central server performs the analysis without downloading the application on the client device, thus saving the hardware resources. It extracts the permissions requested by the application and computes the permission malware score (PMS). Then it combines the PMS for each application and classifies the application as malware if the application malware score exceeds a threshold value. APK Auditor uses Logistic Regression [62]–[64] for calculating the threshold value by using 70% of the available dataset as training data. Performance of the proposed scheme is evaluated on 30% of the dataset. Results show that APK Auditor achieves 92.5% specificity but it lacks the benefits of dynamic analysis as it cannot detect the dynamic malicious payloads.

In [65], a detection system named Monet is proposed, which can detect the variants of known malwares. Monet uses static features, from the manifest file and disassembled code files, and dynamic behavior of applications for detection of variants of known malware families. It consists of a client end application that executes on the Android device, monitors the applications and generates the signatures. These signatures are forwarded to the server, which performs further detection by applying a signature matching algorithm and sends back the detection results. For evaluation of Monet, the authors used a dataset of 3723 malwares and 500 legitimate applications. Through experimental results, it is shown that Monet can detect variants of known malware families with 99% accuracy. Monet causes overall 7.4% performance overhead and 8.3% memory overhead, which is not negligible for resource constrained smart phones. Thus, Monet is good at accuracy but lacks resource efficiency.

A detailed comparative study of existing Android malware detection hybrid techniques that lie in these three categories, discussed above, is described in Table 1.

TABLE 1. Hybrid malware detection techniques.

III. PROPOSED SCHEME
SAMADroid is a 3-level hybrid malware detection model for Android devices. It is a hybrid between the following three levels for malware analysis and detection.

A. LEVEL 1: STATIC AND DYNAMIC ANALYSIS
At Level 1, the hybrid of static and dynamic analysis provides a highly accurate analysis as it combines the benefits of two analysis techniques. Through static analysis, it scans all the code of the application and analyzes the malicious behavior of the application without executing it. In the static analysis phase, static features are extracted from the manifest file and dex code files of the application. Motivated by Drebin [3], the same sets of static features are used for static analysis, with a little alteration, in order to achieve high detection accuracy. These static feature sets are grouped as follows:

S1: Requested Hardware Components
S2: Requested Permissions
S3: Application Components (Service, Receiver, Content Provider)
S4: Intent filters
S5: Suspicious API calls
S6: Restricted API calls

All the above static features are extracted using the Android Asset Packaging Tool and the Baksmali tool.

In the dynamic analysis phase, the system executes the application on the real device and analyzes its runtime behavior, which also includes the monitoring of dynamically loaded and decrypted code. System calls are used as dynamic features. Applications installed on real Android devices are analyzed by system call tracing. These system calls allow us to overcome the limitations of static analysis and analyze the application's behavior in a real time environment.

B. LEVEL 2: LOCAL AND REMOTE HOST
Level 2 is a hybrid of local and remote host. Detailed static analysis is performed on the remote host to achieve highly

accurate results. On the local host, dynamic analysis is performed to take the realistic inputs from the user instead of using a programmed tool such as Monkey Runner, which generates non-realistic random input events. On the basis of user inputs, system call logs are generated and forwarded to the remote server. The remote server keeps on analyzing the behavior of the application on the basis of logs and extracted static features.

C. LEVEL 3: MACHINE LEARNING INTELLIGENCE
At Level 3, the feature vectors built from analyzed features are given as input to the machine learning intelligence unit to perform the detection of malicious behavior of unknown apps and to correctly classify them. All the applications are classified as malicious or benign. In SAMADroid, the detection operation is performed at the remote host, thus keeping all the training dataset in the memory of the server, which is a resource rich system. This ultimately reduces the memory overhead.

All the three levels of the SAMADroid model are shown in Figure 3. Following are the major components of this model.

FIGURE 3. Architectural diagram of SAMADroid.

1) CLIENT END
An Android interface application is developed for the SAMADroid client end. It provides an interface which includes all the applications currently installed on the device, whether they are system applications or user applications. This interface allows the users to use any application through the SAMADroid client application. When a user opens and runs any other application through SAMADroid, the application runs smoothly. SAMADroid monitors the applications in the background and does not affect the operations of other applications running on the device. If the running application is a system application, there is no need to check whether it is malicious or not, because system apps are added in the device by the manufacturers. On the other hand, if the application is a user application, installed by the user from any app-store, then

SAMADroid hooks the Strace tool with that application and starts tracing the system calls invoked by the user application. For example, the Messaging application is a system application; when it is run by the user, SAMADroid does not hook the Strace, and when SubwaySurf, a user application downloaded from Google Play Store, runs, SAMADroid immediately hooks the Strace with it. Strace only traces the system calls instead of intercepting them. SAMADroid is designed to trace only 10 specific system calls, which include system calls related to file operations and network access, e.g. open, ioctl, brk, read, write, close, sendto, sendmsg, recvfrom, recvmsg.

As long as the user application keeps running on the device, SAMADroid keeps on tracing the system calls of that application and generates the log file of system calls invoked by the user application. This log file contains the summary of system calls such as system call names, count for each system call, time utilized by the system calls and seconds of the time for which the system call is executed.

Also, the identifiers of that application are sent to the server so that it can immediately start the static analysis for that application. Application identifiers include the package name, version and market name from which the application is downloaded. After the log file is generated by the Strace, the count for each system call is forwarded to the server. If any system call is not found in the log file, a '0' value is forwarded for that system call. An SQL server database is maintained at the server, where it stores the system calls recorded for specific applications downloaded from different app stores.

2) SERVER END
In order to make SAMADroid resource efficient for memory and power constrained Android devices, detailed static analysis is performed at the remote host. Figure 4 shows the workflow of static analysis. On receiving identifiers from the SAMADroid client application, the server first looks into its database of previously classified applications and searches for the application using the package name. If the application is found in the database, its classification report is forwarded to the client application. If the required application package name is not found, then its package is downloaded from the app-store. The installer name is different for different app-stores. This helps to get the application from that specific app market from which the user downloaded the application.

FIGURE 4. Static analysis flow diagram.

Once the application package is downloaded, static features are extracted from it. The application package is decompressed using the Android Asset Packaging Tool. This module outputs the classes.dex file and also unpacks the manifest file. All the requested permissions, application components, filtered intents and hardware features used by the application are extracted from the manifest file.

Baksmali tool, a tool for assembling and disassembling of applications, is used to disassemble the application code from the classes.dex file. The output generated by this module contains

the smali files. These smali code files contain the Android application java code in smali language, which is an assembly like language. From the smali code files, the suspicious API calls and restricted API calls are extracted.

Once the features are extracted, feature selection is performed. Arp et al. [3] of Drebin used maximum of the features in the static analysis and achieved high accuracy results using these features. The same sets of features are used in this research and different experiments are performed to get the most useful features among them in the feature selection process. The features selected for the SAMADroid static analysis are hardware components, requested permissions, application components, filtered intents, restricted API calls and suspicious API calls.

3) EMBED EXTRACTED FEATURES INTO VECTOR SPACE
The extracted features, both static and dynamic, are mapped into vector space.

a: STATIC FEATURE VECTORS
For static feature vectors, we define a joint set S that comprises all observable strings contained in the 6 feature sets.

$$S := S_1 \cup S_2 \cup \dots \cup S_6$$

It is ensured that elements of different sets do not collide by adding a unique prefix to all strings in each feature set. In our evaluation, the set S contains roughly 44,000 different features. Using the set S, an |S|-dimensional vector space is defined, where each dimension is either 0 or 1. An application x is mapped to this space by constructing a vector $\phi(x)$, such that for each feature s extracted from x the respective dimension is set to 1 and all other dimensions are 0. Formally, this map $\phi$ can be defined for a set of applications X as follows:

$$\phi : X \to \{0, 1\}^{|S|}$$

For example, a malicious application sends user's personal data such as pictures and contacts information to a remote server. It needs to request certain permissions and hardware components. A corresponding vector $\phi(x)$ for this application looks like this

$$
\phi(x) \mapsto
\begin{pmatrix} \cdots \\ 0 \\ 1 \\ \cdots \\ 1 \\ 0 \\ \cdots \end{pmatrix}
\begin{array}{ll}
\cdots & \\
\text{android.hardware.wifi} & S_1 \\
\text{android.hardware.telephony} & S_1 \\
\cdots & \\
\text{SEND\_SMS} & S_2 \\
\text{DELETE\_PACKAGES} & S_2 \\
\cdots &
\end{array}
$$

b: DYNAMIC FEATURE VECTORS
Once the system call features are delivered to the server, these features are then embedded into vector space. The frequency of system call occurrence shows the behavior of the application. Malicious applications invoke specific system calls more frequently than legitimate applications. Thus, system call frequency representation is used in order to capture such behavior of malware applications.

Let $M = \{m_1, m_2, \dots, m_n\}$ represent the set of system calls, related to the Android operating system, that are used as dynamic features such as:

m1 = open
m2 = ioctl
m3 = brk
m4 = read
m5 = write
m6 = close
m7 = sendto
m8 = sendmsg
m9 = recvfrom
m10 = recvmsg

The set M contains 10 different system calls, related to file operations and network access, as dynamic features. Using the set M, an |M|-dimensional vector space is defined, where


each dimension is either 0 or 1. An application x is mapped to this space by constructing a vector $\sigma(x)$, such that for each feature m extracted from x the respective dimension is set to 1 and all other dimensions are 0. Formally, this map $\sigma$ can be defined for a set of applications X as follows:

$$\sigma : X \to \{0, 1\}^{|M|}$$

Following is an example of the system call frequency values extracted from application x and embedded into vector space.

Let x = com.kiloo.subwaysurf

$$\sigma(x) = (0, 6219, 0, 3391, 4531, 9, 334, 0, 4913, 0)$$

c: MACHINE LEARNING INTELLIGENCE BASED DETECTION
Once the feature vectors are generated, both the static feature vector and the dynamic feature vector, they are given as input to the machine learning tool for classification. Machine learning intelligence is used for automatically learning a separation between malicious and benign applications. The application of machine learning spares us from manually constructing detection rules for the extracted features. Weka tool, v.3.6, [66] is used for machine learning classification.

SAMADroid uses the Linear Support Vector Machine (SVM) machine learning classifier for detection of malicious applications. SVM, trained on Drebin's dataset of malicious applications and legitimate applications, is applied on both the vectors for a particular application, the static feature vector and the dynamic feature vector. SVM classifies the application as legitimate or malware.

As SVM is applied on static and dynamic feature vectors separately, there may be three possibilities:

1) Application is classified as legitimate for both static and dynamic feature vectors.
2) Application is classified as malicious for both static and dynamic feature vectors.
3) There exists a contradiction in the classification results for the two analyses, e.g. the application is classified as legitimate for the static feature vector and malware for the dynamic feature vector, or vice versa.

Thus, the final classification decision is taken as follows:

1) Application is classified as 'legitimate' if both the static analysis and dynamic analysis results show that the application is legitimate.
2) Application is classified as 'malware' if the classification results for both analyses declare the application as malicious.
3) Application is classified as 'risky' if one of the two analyses declares the application as malicious and the other declares the application as legitimate.

These classification results are forwarded to the client application, where the notification is generated for the user if the application is malicious or risky.

4) APPLICATION BEHAVIOR EXPLANATION
Once the classification results are produced at the server, they are communicated to the client application, running on the real Android device. SAMADroid notifies the users about the behavior of the application under examination, without interrupting other activities of the user. Also, it provides an explanation to the user about the application, for the awareness of users about the application's behavior. In other words, this application not only detects the legitimate and malicious behavior of an application but also provides sufficient information to the Android users about the application's behavior. The application information includes the application name, package name, permissions, services and hardware features used by the application, version number, install date of the application and also the date when it was last updated.

Users can view the details of applications in order to decide whether to continue using the application or uninstall the application.

IV. EXPERIMENTATION & RESULTS
In this section, the series of experiments that were carried out during the development of SAMADroid, and the results obtained from these experiments, are discussed. Different machine learning classifiers are used in order to obtain high detection accuracy and their results are also evaluated. There are many evaluation parameters for machine learning classifiers on the basis of which performance of classifiers can be evaluated. In this research, true positive rate, false positive rate and accuracy are used as evaluation metrics for accurate detection of malwares.

1) True positive rate or recall: It is defined as the ratio of positive instances correctly classified among all available positive instances.

$$\text{True Positive Rate} = \frac{\text{True Positive}}{\text{Total Positives}}$$

In this research, malicious applications in the dataset are termed as positive instances because we are interested in the detection of malicious applications. Thus, true positive rate is the ratio between the number of malicious applications correctly classified as malicious and the total number of malicious applications.

2) False positive rate: It is defined as the ratio of negative instances incorrectly classified as positive instances over the total number of negative instances.

$$\text{False Positive Rate} = \frac{\text{False Positive}}{\text{Total Negatives}}$$

Here, false positive rate is the ratio between the number of legitimate applications incorrectly classified as malicious and the total number of legitimate applications.

3) Accuracy: Accuracy is defined as the total number of instances correctly classified, both positive and negative, among all the available instances.

$$\text{Accuracy} = \frac{\text{True Positives} + \text{True Negatives}}{\text{Total Instances}}$$


Where,

True Positives = number of malware applications classified as malware
False Positives = number of legitimate applications classified as legitimate

Thus, Accuracy is the ratio between sum of correctly classified legitimate and malicious applications and total legitimate and malware applications.

Besides malware detection accuracy, efficiency is also measured in terms of performance overhead, caused by SAMADroid application on Android device, memory consumption in terms of space required by the application on the device and power consumption.

TABLE 2. Detection performance comparison with Drebin.
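The feature embedding and decision rule of Section III, which produce the classifier inputs and verdicts evaluated in this section, can be made concrete with the following added example; it is not code from the paper or from the SAMADroid project. It builds the prefixed binary vector ϕ(x), turns a system call summary log into the count vector σ(x) with 0 for calls absent from the log, and applies the legitimate/malware/risky rule. The prefix spellings, the `strace -c` summary layout assumed for the log, the sample vocabulary and app, and all function names are assumptions of this example, and the two classifier outputs are passed in as labels.

```python
"""Added illustration (not the SAMADroid authors' code): feature embedding and verdict fusion."""

# The ten system calls the paper traces, in its order m1..m10.
TRACED_SYSCALLS = ("open", "ioctl", "brk", "read", "write",
                   "close", "sendto", "sendmsg", "recvfrom", "recvmsg")

# Per-set prefixes so equal strings from different feature sets never share a
# dimension. The prefix spellings are this example's choice (assumption).
SET_PREFIXES = {"S1": "hardware", "S2": "permission", "S3": "component",
                "S4": "intent", "S5": "suspicious_api", "S6": "restricted_api"}

# Constructed log in the layout of an `strace -c` summary (assumed log format).
# The counts reproduce the paper's sigma(x) example for com.kiloo.subwaysurf.
SAMPLE_STRACE_SUMMARY = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 38.10    0.078110          12      6219           ioctl
 24.65    0.050530          10      4913       112 recvfrom
 17.40    0.035670           7      4531           write
 12.05    0.024700           7      3391        18 read
  5.90    0.012095          21       570           futex
  1.85    0.003790          11       334           sendto
  0.05    0.000105          11         9           close
------ ----------- ----------- --------- --------- ----------------
100.00    0.205000                 19967       130 total
"""

# Constructed vocabulary (ordered dimensions) and one constructed app.
SAMPLE_VOCABULARY = [
    "hardware::android.hardware.wifi",
    "hardware::android.hardware.telephony",
    "permission::SEND_SMS",
    "permission::DELETE_PACKAGES",
    "component::com.example.SYNC",
    "intent::com.example.SYNC",
]
SAMPLE_APP_FEATURES = {
    "S1": ["android.hardware.telephony"],
    "S2": ["SEND_SMS"],
    "S4": ["com.example.SYNC"],  # same string as a component name in the vocabulary
}


def embed_static(features_by_set, vocabulary):
    """Binary vector phi(x): 1 where the prefixed feature occurs in the app."""
    present = {
        f"{SET_PREFIXES[set_id]}::{value}"
        for set_id, values in features_by_set.items()
        for value in values
    }
    return [1 if name in present else 0 for name in vocabulary]


def syscall_counts(strace_summary):
    """Count vector over TRACED_SYSCALLS; calls absent from the log stay 0."""
    counts = dict.fromkeys(TRACED_SYSCALLS, 0)
    for line in strace_summary.splitlines():
        parts = line.split()
        # Data rows: % time, seconds, usecs/call, calls, [errors], syscall.
        if len(parts) not in (5, 6) or not parts[3].isdigit():
            continue  # header, separator or blank line
        name = parts[-1]
        if name in counts:  # skips untraced calls and the "total" row
            counts[name] += int(parts[3])
    return [counts[name] for name in TRACED_SYSCALLS]


def fuse_verdicts(static_label, dynamic_label):
    """Final decision: agreement keeps the label, disagreement gives 'risky'."""
    allowed = {"legitimate", "malware"}
    if static_label not in allowed or dynamic_label not in allowed:
        raise ValueError("labels must be 'legitimate' or 'malware'")
    return static_label if static_label == dynamic_label else "risky"


if __name__ == "__main__":
    print(embed_static(SAMPLE_APP_FEATURES, SAMPLE_VOCABULARY))
    print(syscall_counts(SAMPLE_STRACE_SUMMARY))
    print(fuse_verdicts("legitimate", "malware"))
```

The intent and component dimensions for `com.example.SYNC` stay separate because of the prefixes, which is the collision the paper's unique-prefix step guards against.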

A. DATASET
For evaluation of the detection performance of the proposed system, Drebin's dataset [3] is used. It is claimed to be the largest dataset of real malware applications collected from Google Play Store, Chinese App stores, Russian App markets and other app sources such as forums, blogs and websites. Also, the dataset contains the applications from the Malware Genome Project [49]. Another reason for using this dataset in evaluation is that in the training and testing partitions of the dataset, malware and legitimate applications are distributed in such a way that it avoids the overfitting of the classifier. This feature of Drebin's dataset helps the classifiers to achieve a high detection rate on the test set.

B. STATIC ANALYSIS EXPERIMENTS
For the sake of effectiveness of the static analysis module in SAMADroid against malicious apps, an experiment is performed to identify the most useful features. In Drebin, the authors have used maximum of the static features, which they have grouped into eight sets.

S1: Hardware components
S2: Requested permissions
S3: App components
S4: Filtered intents
S5: Restricted API calls
S6: Used permissions
S7: Suspicious API call
S8: Network Addresses

During the feature selection phase, it is observed that used permissions, in maximum of the applications, are a subset of the ones that are requested by the applications. As the requested permissions feature set is already selected, the used permissions feature set is dropped. Also, the network addresses used in an application are either the addresses of that specific application's location at Google Play Store or the address of the remote server which hosts the application. Thus, network addresses found in any application are different for each application developed by different developers, and there is no standardized way of identifying the remote host network addresses to be malware or legitimate. On the basis of this fact, the network addresses feature set is also dropped. The remaining six feature sets are used for static analysis.

An experiment is performed to check whether the selected six feature sets can generate higher accuracy than the eight feature sets. Thus, all the six sets of static features are extracted from malicious and non-malicious applications and embedded into vector space.

In the first experiment, the Linear SVM machine learning classifier is applied on the dataset. The dataset is randomly split into a known partition (66%) and an unknown partition (34%). The known partition is used for the training of the classification model and the unknown partition is used for testing. The same process is repeated 10 times and the average of the results obtained for each run is computed. The average accuracy achieved is 98.97% at a false positive rate of 0.005 or 0.5%. Table 2 reports the comparison of average true positive rate and false positive rate achieved by the dataset of eight feature sets, used by Drebin, and the dataset of six feature sets, used by SAMADroid.

Figure 5 depicts the comparison of average malware detection accuracy achieved by SAMADroid and Drebin, which used the same dataset but a different number of feature sets. It can be observed that a classifier learned on the dataset of the selected six feature sets, extracted from applications, can detect malicious applications more accurately than the dataset of eight feature sets. Also, the false alarm rate of SAMADroid is low, i.e. 0.5%, in comparison to that of Drebin.

FIGURE 5. Performance comparison with Drebin.

In order to test the performance of other classifiers on the dataset of six feature sets, a second experiment is performed. In this experiment, different machine learning algorithms such as Random Forest, Decision tree and Naive Bayes are applied on the dataset. These classifiers are applied on the dataset with a random percentage split where 66% of the data is used as the training set and 34% of the data is used for testing. The same process is applied 10 times for each classifier. Table 3 reports the average true positive rate, false positive rate and accuracy values achieved by the Random Forest, Decision Tree and Naive Bayes classifiers.


TABLE 3. Comparison between different machine learning classifiers on static features.

It is observed that Random Forest achieves the highest accuracy, 99.07%, at a very negligible false positive rate of 0.03%. Random Forest provides the highest accuracy in comparison to SVM, but at the cost of a low true positive rate. SVM provides the highest true positive rate, which shows the potential of a classifier to detect the malicious application accurately. Figure 6 illustrates the visual representation of the comparison between different machine learning classifiers.

FIGURE 6. Performance comparison of different classifiers on static features.

C. DYNAMIC ANALYSIS EXPERIMENT
In this experiment, SAMADroid is evaluated on the basis of system calls. Feature vectors of system call frequency are given as input to the machine learning tool, Weka. Different machine learning classifiers such as Random Forest, Decision tree and Naive Bayes are applied on the system calls dataset. 5-fold cross validation is applied on the dataset for each classifier and the results are compared. Table 4 and Figure 7 report the true positive rate, false positive rate and accuracy obtained from these classifiers. SVM and Random Forest give the highest accuracy with the lowest false positive rate.

TABLE 4. Comparison between different machine learning classifiers on dynamic features.

FIGURE 7. Comparison between different machine learning classifiers on dynamic features.

D. PERFORMANCE OVERHEAD
This section explains two experiments that are performed to determine the performance overhead caused by SAMADroid on a real Android device. Firstly, the performance of the Android device is observed through a Benchmark tool before and after running SAMADroid. This experiment provides the overhead caused by the SAMADroid client application while running on the real Android device. Secondly, the performance overhead of SAMADroid is compared with MADAM [47]. Results show that the performance overhead caused by MADAM is high in comparison to SAMADroid.

TABLE 5. Performance overhead caused by SAMADroid.

1) PERFORMANCE OVERHEAD CAUSED BY SAMADROID
In this experiment, the performance overhead of SAMADroid is measured through a standard benchmark tool, i.e. the Quadrant Standard Edition Application [67], which is distributed through Google Play [68]. It performs benchmark tests which cover the CPU, Memory, I/O operations, 2D graphics and 3D graphics in order to measure the performance of the device. Total score is the average of all the performance scores obtained from the tests performed on processor, memory, I/O, 2D and 3D. Benchmark tests have been performed on a Samsung Galaxy Grand Prime (CPU Quad-core 1.2 GHz Cortex-A53, RAM 1GB). The device runs Android 5.1 Lollipop. Table 5 and Figure 8 show the average results obtained from the five experiments performed when SAMADroid was running on the device and when it was not. It is observed that the benchmark values decreased after running SAMADroid on the device, which reflects the


TABLE 7. Comparison of device memory required for different security


applications.

FIGURE 8. Performance degradation caused by SAMADroid.

TABLE 6. Comparison of overhead caused by SAMADroid with other


related frameworks.

FIGURE 10. Memory required for security applications.

is because in MADAM, classifier requires training set in


the memory which causes 9.4% memory overhead while
SAMADroid performs classification at remote host which
reduces the memory overhead at Android device. I/O over-
head caused by SAMADroid is also low in comparison
to MADAM.

E. RESOURCE CONSUMPTION
This section discusses about the experiments performed to
evaluate the SAMADroid on the basis of resource consump-
tion. These experiments are aimed to determine the efficiency
of SAMADroid in comparison to the other existing anti-
malware applications for Android operating system. Results
FIGURE 9. Comparison of SAMADroid performance overhead with obtained from these experiments shows that SAMADroid
MADAM. consumes low resources, i.e. memory and power, in com-
parison to other detection systems and is more suitable for
decrease in performance of the device. This performance resource constrained Android devices.
degradation is computed as percentage overhead between
the performance before and after running SAMADroid. The 1) MEMORY CONSUMPTION
overall performance impact of SAMADroid on the system In this experiment, SAMADroid is evaluated on the basis of
is 0.6%. device memory consumed by the client application. Mem-
ory consumption of SAMADroid client application is com-
2) PERFORMANCE OVERHEAD COMPARISON WITH MADAM pared with some famous antivirus applications provided
In this experiment, the performance overhead caused for the mobile apps such as Avast Mobile Security [69],
by SAMADroid and MADAM are compared. Table 6 and AVG AntiVirus [70], Avira [71], Kaspersky Internet Secu-
Figure 9 explains the comparison of performance over- rity [72], McAfee Security [73] and 360 Security [74], [75].
head between SAMADroid and MADAM. It is observed Table 7 and Figure 10 shows the memory required for each
that overall performance overhead in SAMADroid is low application on the Android device before any scanning and
in comparison to MADAM i.e. 0.6% which is acceptable detection process. It can be observed that SAMADroid is
for smartphone users. Also, in SAMADroid, memory over- the light weight malware detection application for resource
head is reduced to 1.8% in comparison to MADAM. This constrained Android devices. It consumes very low mem-

VOLUME 6, 2018 4335


S. Arshad et al.: SAMADroid: Novel 3-Level Hybrid Malware Detection Model for Android Operating System

TABLE 8. Power consumption by different antimalwares on android V. DISCUSSION & FUTURE WORK
device.
Although SAMADroid provides high detection accuracy at
low resource consumption but it has some limitations too.
First of all, the whole system is dependent on server commu-
nication. Classification of applications is performed at server
and the results of which are delivered to the Android device
for the sake of security provision. No malicious behavior
detection is performed at local host i.e. Android device.
Thus, if the network link gets down or congestion occurs at
channel due to which Android device cannot communicate
with the server then the performance of SAMADroid will be
reduced. Secondly, Drebin’s dataset of malicious applications
was used for training the classification model which does not
contain the most recent variants of malware types. In future,
we aim to enhance the malware dataset for SAMADroid,
including the recent malwares so that SAMADroid effec-
tively secures the Android applications against recent mal-
ware applications.

FIGURE 11. Illustration of power consumed by different antimalwares.

ory space in comparison to the other malware detection applications.

2) POWER CONSUMPTION
Another evaluation parameter used is power consumption. This experiment is performed to measure the power consumption of SAMADroid on a real Android device through App Tuneup Kit [75] and to compare it with other related real applications such as Avast Mobile Security, AVG AntiVirus, Avira, Kaspersky Internet Security, McAfee Security and 360 Security. Table 8 and Figure 11 describe the power consumed by different antimalware applications over an interval of 5 minutes. The results show that the power consumed by SAMADroid is moderate in comparison to the other antimalwares. This happens because SAMADroid monitors only running applications, while the other antimalwares scan all the applications, whether or not they are running in the background. Another reason for the low power consumed by our security system is its distinguishing feature that it only analyzes the user applications and does not scan the system applications. As system applications are added to the device by the device manufacturers and are not malicious, SAMADroid does not scan system applications. On the other hand, other antimalwares scan all the user and system applications, because of which they consume more battery power. Also, SAMADroid performs static analysis at the server and dynamic analysis on the device, while the other antimalwares listed in Table 8 perform only static analysis and do not analyze the runtime behavior of user applications.

VI. CONCLUSION
This research work is based on the development of a malware detection system that can detect malwares on Android devices while ensuring low resource consumption. In this research, we thoroughly investigated many of the existing malware detection and prevention techniques developed during the period of 7 years, 2010 to 2016. Based on the benefits and limitations of existing antimalware techniques, we formulated the problem that existing research lags in detecting Android malwares accurately while ensuring low consumption of the hardware resources of Android devices. Thus, we proposed a 3-level hybrid malware detection model for the Android operating system. To the best of our knowledge, there does not exist any 3-level hybrid malware detection system. Thus, SAMADroid is a novel malware detection model which combines the benefits of static analysis, dynamic analysis and machine learning intelligence. Also, it operates both on the local host and on the remote host to achieve resource efficiency. The SAMADroid client application is developed for Android devices. It performs dynamic analysis on the device and communicates with the server for static analysis and detection results. The remote server performs the static analysis and machine learning based detection. Through extensive experimentation, we have shown that SAMADroid performs better than Drebin for static analysis. It is also observed that SAMADroid causes very negligible performance overhead on the Android device. SAMADroid is also efficient in terms of hardware resource usage.

REFERENCES
[1] (2017). Gartner Says Worldwide Sales of Smartphones Grew 7 Percent in the Fourth Quarter of 2016. Accessed: Apr. 28, 2017. [Online]. Available: http://www.gartner.com/newsroom/id/3609817
[2] Trend Micro Q2 Security Roundup Report | Androidheadlines.Com. Accessed: Dec. 8, 2015. [Online]. Available: http://www.androidheadlines.com/2015/08/trend-micro-q2-security-roundup-report.html
[3] D. Arp, M. Spreitzenbarth, H. Malte, H. Gascon, and K. Rieck, "DREBIN: Effective and explainable detection of Android malware in your pocket," in Proc. Symp. Netw. Distrib. Syst. Secur. (NDSS), 2014, pp. 23–26.


[4] T. Bläsing, L. Batyuk, A.-D. Schmidt, S. A. Camtepe, and S. Albayrak, "An Android Application Sandbox system for suspicious software detection," in Proc. 5th IEEE Int. Conf. Malicious Unwanted Softw., Malware, Oct. 2010, pp. 55–62.
[5] [Utility][Tool][Windows] Baksmali/Smali Ma. . . | Android Development and Hacking. Accessed: Dec. 22, 2015. [Online]. Available: http://forum.xda-developers.com/showthread.php?t=2311766
[6] Y. Zhou, Z. Wang, W. Zhou, and X. Jiang, "Hey, you, get off of my market: Detecting malicious apps in official and alternative Android markets," in Proc. 19th Annu. Netw. Distrib. Syst. Secur. Symp., 2012, no. 2, pp. 5–8.
[7] Android Apps on Google Play. Accessed: Aug. 30, 2016. [Online]. Available: https://play.google.com/store?hl=en
[8] Android Games Android Application Android Phones__Excellent Software Download Center Official Website-Billion Market. Accessed: Aug. 30, 2016. [Online]. Available: http://www.eoemarket.com/
[9] Machine Front Network—Technology News, all in the Machine Front. Accessed: Aug. 30, 2016. [Online]. Available: http://www.gfan.com/
[10] DexClassLoader | Android Developers. Accessed: Aug. 30, 2016. [Online]. Available: https://developer.android.com/reference/dalvik/system/DexClassLoader.html
[11] Update: Security Alert: DroidDreamLight, New Malware From the Developers of DroidDream | Lookout Blog. Accessed: Aug. 30, 2016. [Online]. Available: https://blog.lookout.com/blog/2011/05/30/security-alert-droiddreamlight-new-malware-from-the-developers-of-droiddream/
[12] W.-C. Wu and S.-H. Hung, "DroidDolphin: A dynamic Android malware detection framework using big data and machine learning," in Proc. Conf. Res. Adapt. Convergent Syst., Oct. 2014, pp. 247–252.
[13] API Monitor: Spy on API Calls and COM Interfaces (Freeware 32-Bit and 64-Bit Versions!) | Rohitab.Com. Accessed: Aug. 22, 2016. [Online]. Available: http://www.rohitab.com/apimonitor
[14] DroidBox. Accessed: Aug. 22, 2016. [Online]. Available: https://github.com/pjlantz/droidbox
[15] S. Chang, "APE: A smart automatic testing environment for Android malware," Dept. Comput. Sci. Inf. Eng., Nat. Taiwan Univ., Taipei, Taiwan, Tech. Rep., 2013.
[16] A. Ng, Support Vector Machines for Machine Learning. Stanford, CA, USA: Stanford Univ., 2008.
[17] LIBSVM—A Library for Support Vector Machines. Accessed: Aug. 17, 2016. [Online]. Available: http://www.csie.ntu.edu.tw/~cjlin/libsvm/
[18] B. Amos, H. Turner, and J. White, "Applying machine learning classifiers to dynamic Android malware detection at scale," in Proc. 9th Int. Wireless Commun. Mobile Comput. Conf. (IWCMC), Jul. 2013, pp. 1666–1671.
[19] X. Wang, Y. Yang, Y. Zeng, C. Tang, J. Shi, and K. Xu, "A novel hybrid mobile malware detection system integrating anomaly detection with misuse detection," in Proc. 6th Int. Workshop Mobile Cloud Comput. Services, Sep. 2015, pp. 15–22.
[20] Android Aapt—eLinux.Org. Accessed: Aug. 13, 2016. [Online]. Available: http://elinux.org/Android_aapt
[21] CuckooDroid Book—CuckooDroid V1.0 Book. Accessed: Aug. 19, 2016. [Online]. Available: http://cuckoo-droid.readthedocs.io/en/latest/
[22] 10 Open Source Mobile Test Automation Tools. Accessed: Aug. 19, 2016. [Online]. Available: http://www.testingexcellence.com/open-source-mobile-test-automation-tools/
[23] S. R. Gunn. (1998). UNIVERSITY OF SOUTHAMPTON Support Vector Machines for Classification and Regression. Accessed: May 16, 2017. [Online]. Available: http://ce.sharif.ir/courses/85-86/2/ce725/resources/root/LECTURES/SVM.pdf
[24] K.-L. Li, H.-K. Huang, S.-F. Tian, and W. Xu, "Improving one-class SVM for anomaly detection," in Proc. Int. Conf. Mach. Learn., Nov. 2003, pp. 3077–3081.
[25] K. Patel and B. Buddadev, "Detection and mitigation of Android malware through hybrid approach," in Security in Computing and Communications. Cham, Switzerland: Springer, 2015, pp. 455–463.
[26] Control the Emulator from the Command Line | Android Studio. Accessed: Aug. 13, 2016. [Online]. Available: https://developer.android.com/studio/run/emulator-commandline.html
[27] H. Gonzalez, N. Stakhanova, and A. A. Ghorbani, "DroidKin: Lightweight detection of Android apps similarity," in Security and Privacy in Communication Systems (Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering), vol. 152. Cham, Switzerland: Springer, 2015, pp. 436–453.
[28] M. Parkour. Contagio. Accessed: Aug. 13, 2016. [Online]. Available: http://contagiodump.blogspot.in/
[29] P. V. Shijo and A. Salim, "Integrated static and dynamic analysis for malware detection," Procedia Comput. Sci., vol. 46, pp. 804–811, Jan. 2015.
[30] Weka 3—Data Mining With Open Source Machine Learning Software in Java. Accessed: Dec. 16, 2015. [Online]. Available: http://www.cs.waikato.ac.nz/ml/weka/
[31] A. Andrew, N. Cristianini, and J. Shawe-Taylor, An Introduction to Support Vector Machines and Other Kernel-Based Learning Methods. Cambridge, U.K.: Cambridge Univ. Press, 2000.
[32] A. Andrew, "An introduction to support vector machines and other kernel-based learning methods," in Kybernetes. Cambridge, U.K.: Cambridge Univ. Press, 2013.
[33] D. Dittman, T. M. Khoshgoftaar, R. Wald, and A. Napolitano, "Random forest: A reliable tool for patient response prediction," in Proc. BIBMW, Nov. 2011, pp. 289–296.
[34] Z. Yuan, Y. Lu, and Y. Xue, "Droiddetector: Android malware characterization and detection using deep learning," Tsinghua Sci. Technol., vol. 21, no. 1, pp. 114–123, Feb. 2016.
[35] 7-Zip. Accessed: Jun. 10, 2017. [Online]. Available: http://www.7-zip.org/
[36] AXMLPrinter2 | Android Tales. Accessed: Jun. 10, 2017. [Online]. Available: http://android.amberfog.com/?tag=axmlprinter2
[37] TinyXML Download | SourceForge.Net. Accessed: Jun. 10, 2017. [Online]. Available: https://sourceforge.net/projects/tinyxml/
[38] Y. Liu, Y. Zhang, H. Li, and X. Chen, "A hybrid malware detecting scheme for mobile Android applications," in Proc. IEEE Int. Conf. Consum. Electron. (ICCE), Jan. 2016, pp. 155–156.
[39] Apktool—A Tool for Reverse Engineering Android Apk Files. Accessed: Aug. 13, 2016. [Online]. Available: https://ibotpeaches.github.io/Apktool/
[40] App Manifest | Android Developers. Accessed: Aug. 13, 2016. [Online]. Available: https://developer.android.com/guide/topics/manifest/manifest-intro.html
[41] V. Rastogi, Y. Chen, and X. Jiang, "DroidChameleon: Evaluating Android anti-malware against transformation attacks," in Proc. 8th ACM SIGSAC Symp. Inf., Comput. Commun. Secur. (ASIA CCS), 2013, pp. 329–334.
[42] Strace Download | SourceForge.Net. Accessed: Dec. 22, 2015. [Online]. Available: http://sourceforge.net/projects/strace/
[43] 'Pea Pod' Official Website. Accessed: Aug. 13, 2016. [Online]. Available: https://www.wandoujia.com/
[44] Naive Bayesian. Accessed: Aug. 13, 2016. [Online]. Available: http://www.saedsayad.com/naive_bayesian.htm
[45] KNN Classification. Accessed: Aug. 13, 2016. [Online]. Available: http://www.saedsayad.com/k_nearest_neighbors.htm
[46] L. Kozma, K Nearest Neighbors Algorithm (kNN). Espoo, Finland: Helsinki Univ. of Technol. Press, 2008.
[47] A. Saracino, D. Sgandurra, G. Dini, and F. Martinelli, "MADAM: Effective and efficient behavior-based android malware detection and prevention," IEEE Trans. Depend. Sec. Comput., vol. 15, no. 1, pp. 83–97, Jan. 2016.
[48] P.-E. Danielsson, "Euclidean distance mapping," Comput. Graph. Image Process., vol. 14, no. 3, pp. 227–248, Nov. 1980.
[49] Y. Zhou and X. Jiang, "Dissecting Android malware: Characterization and evolution," in Proc. IEEE Symp. Secur. Privacy, May 2012, pp. 95–109.
[50] Contagio Mobile. Accessed: May 17, 2017. [Online]. Available: http://contagiominidump.blogspot.com/
[51] VirusShare.Com. Accessed: May 17, 2017. [Online]. Available: https://virusshare.com/
[52] VirusTotal—Free Online Virus, Malware and URL Scanner. Accessed: May 17, 2017. [Online]. Available: https://www.virustotal.com/
[53] H.-Y. Chuang and S.-D. Wang, "Machine learning based hybrid behavior models for Android malware analysis," in Proc. IEEE Int. Conf. Softw. Quality, Rel. Secur., Aug. 2015, pp. 201–206.
[54] Google Code Archive—Long-Term Storage for Google Code Project Hosting. Accessed: Aug. 17, 2016. [Online]. Available: https://code.google.com/archive/p/androguard/
[55] Contagio Mobile. Accessed: Aug. 17, 2016. [Online]. Available: http://contagiominidump.blogspot.tw/
[56] Downloading Free Apks From Google Play and Alternate Markets to Your Desktop. LID: Lost In Droid. Accessed: Aug. 17, 2016. [Online]. Available: https://machiry.wordpress.com/2012/10/01/downloading-apks-from-google-play-to-your-desktop/
[57] A. Rodríguez-Mota, P. J. Escamilla-Ambrosio, S. Morales-Ortega, M. Salinas-Rosales, and E. Aguirre-Anaya, "Towards a 2-hybrid Android malware detection test framework," in Proc. Int. Conf. Electron., Commun. Comput. (CONIELECOMP), Feb. 2016, pp. 54–61.


[58] U. Pehlivan, N. Baltaci, C. Acartürk, and N. Baykal, "The analysis of feature selection methods and classification algorithms in permission based Android malware detection," in Proc. IEEE Symp. Comput. Intell. Cyber Secur. (CICS), Dec. 2014, pp. 1–8.
[59] S. Sheen, R. Anitha, and V. Natarajan, "Android based malware detection using a multifeature collaborative decision fusion approach," Neurocomputing, vol. 151, pp. 905–912, Mar. 2015.
[60] J.-W. Jang, H. Kang, J. Woo, A. Mohaisen, and H. K. Kim, "Andro-Dumpsys: Anti-malware system based on the similarity of malware creator and malware centric information," Comput. Secur., vol. 58, pp. 125–138, May 2016.
[61] K. A. Talha, D. I. Alper, and C. Aydin, "APK Auditor: Permission-based Android malware detection system," Digit. Invest., vol. 13, pp. 1–14, Jun. 2015.
[62] A. Agresti, "Building and applying logistic regression models," in Categorical Data Analysis, 2nd ed. Hoboken, NJ, USA: Wiley, 2003.
[63] F. Pampel, Logistic Regression: A Primer, vol. 132. Newbury Park, CA, USA: Sage, 2000.
[64] D. W. Hosmer, Jr., S. Lemeshow, and R. Sturdivant, Applied Logistic Regression. Hoboken, NJ, USA: Wiley, 2013.
[65] M. Sun, X. Li, J. C. S. Lui, R. T. B. Ma, and Z. Liang, "Monet: A user-oriented behavior-based malware variants detection system for Android," IEEE Trans. Inf. Forensics Security, vol. 12, no. 5, pp. 1103–1112, May 2017.
[66] Weka 3—Data Mining With Open Source Machine Learning Software in Java. Accessed: May 17, 2017. [Online]. Available: http://www.cs.waikato.ac.nz/ml/weka/
[67] Quadrant Standard Edition—Android Apps on Google Play. Accessed: May 16, 2017. [Online]. Available: https://play.google.com/store/apps/details?id=com.aurorasoftworks.quadrant.ui.standard
[68] Android Apps on Google Play. Accessed: May 16, 2017. [Online]. Available: https://play.google.com/store
[69] Mobile Security & Antivirus—Android Apps on Google Play. Accessed: May 16, 2017. [Online]. Available: https://play.google.com/store/apps/details?id=com.avast.android.mobilesecurity
[70] AVG AntiVirus FREE for Android - Android Apps on Google Play. Accessed: May 16, 2017. [Online]. Available: https://play.google.com/store/apps/details?id=com.antivirus
[71] Avira Antivirus Security—Android Apps on Google Play. Accessed: May 16, 2017. [Online]. Available: https://play.google.com/store/apps/details?id=com.avira.android
[72] Kaspersky Antivirus & Security—Android Apps on Google Play. Accessed: May 16, 2017. [Online]. Available: https://play.google.com/store/apps/details?id=com.kms.free
[73] McAfee Mobile Security—Android Apps on Google Play. Accessed: May 16, 2017. [Online]. Available: https://play.google.com/store/apps/details?id=com.wsandroid.suite
[74] 360 Security—Antivirus Boost—Android Apps on Google Play. Accessed: May 16, 2017. [Online]. Available: https://play.google.com/store/apps/details?id=com.qihoo.security
[75] A. Mehmood, A. Khanan, A. H. H. M. Mohamed, and H. Song, "ANTSC: An intelligent Naïve Bayesian probabilistic estimation practice for traffic flow to form stable clustering in VANET," IEEE Access, to be published. [Online]. Available: http://ieeexplore.ieee.org/abstract/document/7994591/, doi: 10.1109/ACCESS.2017.2732727.

SABA ARSHAD received the B.S. degree (Hons.) in computer science from Pir Mehr Ali Shah Arid Agriculture University, Rawalpindi, Pakistan, and the M.Sc. degree in computer science from the COMSATS Institute of Information Technology, Islamabad, Pakistan. Her research interest includes smart device security, malware analysis and detection, machine learning, intelligent traffic system, distributed computing, and social aware delay tolerant networks.

MUNAM A. SHAH received the B.Sc. and M.Sc. degrees in computer science from the University of Peshawar, Pakistan, in 2001 and 2003, respectively, the M.S. degree in security technologies and applications from the University of Surrey, U.K., in 2010, and the Ph.D. degree from the University of Bedfordshire, U.K., in 2013. Since 2004, he has been a Lecturer with the Department of Computer Science, COMSATS Institute of Information Technology, Islamabad, Pakistan. He has authored over 50 research articles published in international conferences and journals. He is an HEC Approved Supervisor. His research interests include MAC protocol design, QoS, and security issues in wireless communication systems.

ABDUL WAHID received the Ph.D. degree from Kyungpook National University, South Korea. He is currently an Assistant Professor with the Department of Computer Science, CIIT, Islamabad, Pakistan. He is also a Reviewer and a TPC member of many conferences and journals. His research interests include, but are not limited to, vehicular ad hoc network, wireless sensor network, underwater wireless sensor network, cyber physical systems, software defined networking, and information-centric networking. He is currently an Associate Editor of the IEEE ACCESS.

AMJAD MEHMOOD received the Ph.D. degree in wireless networks from the Kohat University of Science and Technology, Kohat, Pakistan, in 2014. He held a virtual post-doctoral position at the University of Virginia, USA. He is currently holding a post-doctoral position with the Guangdong Provincial Key Laboratory on Petrochemical Equipment Fault Diagnosis, Guangdong University of Petrochemical Technology, Maoming, China. In 2003, he joined the Kohat University of Science and Technology, where he is currently a Senior Faculty Member and the Coordinator of M.S./Ph.D. program. He has authored over 42 academic articles in peer-reviewed international journals and conferences around the world. His research interests include cyber physical systems, IoT, connected vehicles, wireless communications and networking, optical communications and networking, smart grid communications and networking, security issues in wireless networks, big data, cloud computing, and fault diagnosis in WSNs. His research was supported by the Guangdong University of Petrochemical Technology, Maoming, China. He supervised many students of B.C.S., M.C.S., M.S., and Ph.D. in the above-mentioned interests. He has also been a part of reviewing and organizing different workshops, seminar, and training sessions on different technologies. Furthermore, he has served as a TPC Reviewer and the Demo Chair for numerous international conferences, including CCNC, SCPA, WICOM, INFOCOM, and SCAN. Additionally, he is a reviewer or an Associate Editor for many peer-reviewed international journals.


HOUBING SONG (M'12–SM'14) received the Ph.D. degree in electrical engineering from the University of Virginia, Charlottesville, VA, USA, in 2012. In 2017, he joined the Department of Electrical, Computer, Software, and Systems Engineering, Embry-Riddle Aeronautical University, Daytona Beach, FL, USA, where he is currently an Assistant Professor and the Director of the Security and Optimization for Networked Globe Laboratory. He served as the Faculty Member with West Virginia University from 2012 to 2017. In 2007, he was an Engineering Research Associate with the Texas A&M Transportation Institute. He has authored over 100 articles. His research interests include cyber-physical systems, cybersecurity and privacy, Internet of Things, edge computing, big data analytics, connected vehicle, smart and connected health, and wireless communications and networking. He was the very first recipient of the Golden Bear Scholar Award, and received the Highest Faculty Research Award from West Virginia University Institute of Technology in 2016. He serves as an Associate Technical Editor for the IEEE Communications Magazine. He is the Editor of four books, including Smart Cities: Foundations, Principles, and Applications, (Wiley, Hoboken, NJ, USA, 2017), Security and Privacy in Cyber-Physical Systems: Foundations, Principles, and Applications, (Wiley-IEEE Press, Chichester, U.K., 2017), Cyber-Physical Systems: Foundations, Principles, and Applications, (Academic Press, Boston, MA, USA, 2016), and Industrial Internet of Things: Cyber manufacturing Systems, (Springer, Cham, Switzerland, 2016). He is a Senior Member of the ACM.

HONGNIAN YU has held academic positions with the Universities of Sussex, Liverpool John Moores, Exeter, Bradford, Staffordshire, and Bournemouth in the U.K. He is currently a Professor in computing with Bournemouth University. He has authored over 200 journal and conference research papers. He has extensive research experience in mobile computing, modeling, scheduling, planning, and simulations of large discrete event dynamic systems with applications to manufacturing systems, supply chains, transportation networks, computer networks and RFID applications, modeling and control of robots, mechatronics, and neural networks. He has graduated over 20 Ph.D./M.Phil. and MRes research students, is supervising eight Ph.D. students, and has examined over 20 Ph.D./M.Phil. students' theses as both internal and external examiner. He has held several research grants from the UK EPSRC, the Royal Society, EU, AWM, and from the industry. He was a recipient of the F. C. William Premium for his paper on adaptive and robust control of robot manipulators by the IEE Council. He is a member of EPSRC Peer Review College. He has strong research collaboration with partners from China, France, Germany, Hungary, Italy, Japan, and Thailand.
