Unified Dynamic Detection of Malicious Android Apps

Android malware detection has been extensively addressed, yet mainly in a binary setting. That is, the detection approach produces a dichotomous decision reporting the given app as either benign or malicious, without telling what kind of malware the app is if it is detected as malicious. More often than not, such a binary decision is far from sufficient, as it leaves users wondering how to interpret the decision and what to do with the app. As a complementary means, Android malware classification techniques have arisen to categorize an Android app once the app has already been confirmed as malware. Thus, users who want to both detect and understand malware have to use two sorts of tools in separate steps, potentially incurring excessive overhead and effort in setting up and running the tool chain. More importantly, existing Android malware detection approaches and malware classification approaches largely rely on app characteristics (e.g., use of system calls) that are vulnerable to detection-evasion attacks (e.g., system-call obfuscation). In addition, the app characteristics used are usually homogeneous, making them susceptible to particular attacks.

These drawbacks of current techniques motivate the development of DroidCat, our novel approach to Android malware detection. DroidCat identifies characteristics in three orthogonal dimensions that represent run-time behavioral traits of Android apps and uses these characteristics to build a diverse behavioral profile for each app. Then, with the profiles of a small set of sample apps covering both benign and malicious apps, DroidCat trains a supervised learning model and employs the resulting multi-class classifier to predict whether a given unknown app is benign or malicious and, if it is regarded as malicious, to report its specific malware family at the same time. In other words, DroidCat unifies the conventional binary malware detection approach with the existing malware classification approach, which takes as input an app already known to be malware. An important strength of DroidCat is that, thanks to the diversity of the underlying heterogeneous features that constitute the behavioral profile, it is more robust to various known evasion attacks that exploit the reliance of existing approaches on, among others, system calls and/or installation-time app permissions.

The app features underlying the DroidCat classifier are not proposed hypothetically or on the basis of heuristics. Rather, these features are discovered through a characterization study that reveals the behavioral differences between malware and benign apps. By default, DroidCat uses 70 such features for training and testing with the Random Forest learning algorithm. Given an app under detection, DroidCat profiles it to compute the behavioral profile (i.e., the 70 features) in 10 minutes, and then finishes the prediction in a couple of minutes. Since the profiling time dominates the total cost of DroidCat and is constant across different apps, DroidCat is readily scalable to any real-world Android app.

This is the project homepage for DroidCat, where you can find the usage information and downloads of the source code and evaluation dataset. As with our Android app dynamic characterization toolkit DroidFax, the feature-computation part of DroidCat is implemented on top of our Android data-flow analysis and instrumentation library duafdroid, which is based on the Soot byte-code analysis and optimization framework. The core of DroidCat, however, is the multi-class classifier implemented on top of the Python machine learning toolkit scikit-learn. Beyond the default configuration, our package also includes implementations of DroidCat using other feature sets and popular learning algorithms such as SVM with both linear and radial kernels, decision tree, nearest neighbours, and Naive Bayes with various probability distribution functions. All the components on which DroidCat depends, including duafdroid and Soot, can be downloaded from this page as well, using the following links.
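The following is an added example, not code from the DroidCat project, illustrating the unified detection-plus-classification step described above: a single multi-class model is trained on behavioral profiles labeled either "benign" or with a malware family, so one prediction yields both the benign/malicious decision and the family. DroidCat's default learner is Random Forest via scikit-learn; this example uses a k-nearest-neighbour vote (one of the alternative learners the package also offers) so it runs with the Python standard library alone. The feature names, the four-feature profiles, the family names and the training samples are all constructed for illustration and are not DroidCat's real 70 features or its dataset.

```python
from collections import Counter
from math import sqrt

# Constructed feature names (assumptions for illustration, not DroidCat's
# actual feature set). Each app's behavioral profile is one vector in this order.
FEATURE_NAMES = ["sys_call_share", "icc_external_share",
                 "sensitive_flow_count", "callback_lifecycle_share"]

# Constructed training profiles: (feature vector, label). Any label other
# than "benign" is a placeholder malware family name.
TRAINING = [
    ([0.10, 0.05, 0, 0.80], "benign"),
    ([0.12, 0.08, 1, 0.75], "benign"),
    ([0.08, 0.03, 0, 0.85], "benign"),
    ([0.60, 0.40, 5, 0.20], "family_A"),
    ([0.55, 0.45, 6, 0.25], "family_A"),
    ([0.65, 0.35, 4, 0.15], "family_A"),
    ([0.30, 0.70, 2, 0.40], "family_B"),
    ([0.35, 0.65, 3, 0.35], "family_B"),
    ([0.25, 0.75, 2, 0.45], "family_B"),
]


def fit_scaler(vectors):
    """Per-feature min/max so that counts and ratios weigh equally in distances."""
    lo = [min(col) for col in zip(*vectors)]
    hi = [max(col) for col in zip(*vectors)]
    return lo, hi


def scale(vec, lo, hi):
    """Min-max scale one profile into [0, 1] per feature (0 if the feature is constant)."""
    return [(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(vec, lo, hi)]


def distance(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


class UnifiedClassifier:
    """Multi-class k-NN over behavioral profiles; labels are 'benign' or a family."""

    def __init__(self, k=3):
        self.k = k
        self.samples = []

    def fit(self, samples):
        vectors = [v for v, _ in samples]
        self.lo, self.hi = fit_scaler(vectors)
        self.samples = [(scale(v, self.lo, self.hi), label) for v, label in samples]
        return self

    def predict(self, profile):
        """Majority label among the k nearest training profiles."""
        q = scale(profile, self.lo, self.hi)
        nearest = sorted(self.samples, key=lambda s: distance(q, s[0]))[:self.k]
        votes = Counter(label for _, label in nearest)
        return votes.most_common(1)[0][0]

    def classify(self, profile):
        """One prediction answers both questions: is it malware, and which family."""
        label = self.predict(profile)
        return {"malicious": label != "benign", "family": label}


def leave_one_out_accuracy(samples, k=3):
    """Hold out each sample in turn, train on the rest, and score the prediction."""
    correct = 0
    for i, (vec, label) in enumerate(samples):
        rest = samples[:i] + samples[i + 1:]
        if UnifiedClassifier(k).fit(rest).predict(vec) == label:
            correct += 1
    return correct / len(samples)


if __name__ == "__main__":
    clf = UnifiedClassifier(k=3).fit(TRAINING)
    for profile in ([0.58, 0.42, 5, 0.22], [0.11, 0.06, 0, 0.82]):
        print(dict(zip(FEATURE_NAMES, profile)), "->", clf.classify(profile))
    print("leave-one-out accuracy:", leave_one_out_accuracy(TRAINING))
```

The point of the example is the shape of the output: `classify` returns the benign/malicious verdict and the family from the same model, so no second tool is needed once an app is flagged. `leave_one_out_accuracy` shows the train/test split pattern one would apply to the evaluation suite linked below, where each held-out app is scored against a model trained on the remaining samples.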

How to use DroidCat

Release Downloads

Source Code

You can obtain the source code on droidcat source repository, where all necessary inputs to droidcat are hosted too (e.g., our manual callback categorization and our manually improved source and sink categorization).

Study Results

Benchmark apps

The benchmark suite used for discovering the features used by DroidCat includes 136 benign apps and 135 malicious apps covering various malware families. These apps can also serve as benchmarks for dynamic Android app analysis, since they can be readily exercised by randomly generated inputs (e.g., those from the Monkey tool) with high coverage (no less than 50% of user code), as confirmed in our characterization study.

The evaluation benchmark suite can be found here; it includes 34,343 samples. You may use this suite as the training samples and testing apps to reproduce our evaluation results. The apps themselves are too large in total to be hosted here; the APKs can be downloaded from the AndroZoo database.

More details and preliminary results can be found in a technical report for this project.