Two-Phases Detection Scheme: Detecting Android Malware in Android Markets

2018 
Recently, Android applications have become popular and important in people's daily work, life and entertainment. However, because Android is open source, more and more malware targets this platform and launches various malicious attacks that threaten the security of Android users. Previous research has focused on static behavioral analysis to detect Android malware, which cannot capture dynamic behaviors and is inefficient at detecting Android malware. In this paper, we present a two-stage detection scheme for Android applications that uses two kinds of dynamic behavioral characteristics to detect Android malware. The framework first uses system call statistics to identify potentially malicious apps. After verification, if the software is clean, the application is released to the relevant markets. To mitigate false negatives, users who run new apps can invoke our network traffic monitoring (NTM) tool, which triggers network traffic capture upon detecting suspicious behaviors, e.g. sensitive data being sent to the output stream of an open socket. The captured network traffic is analyzed to see whether it matches the network characteristics observed in malware apps. If suspicious network traffic is observed, the relevant Android markets are notified to remove the application from the repository. We trained our system call and network traffic classifiers using 32 known Android malware families and some typical normal apps. We then evaluated our framework using other malware and normal apps than those used in the training set. Our experimental results on 120 test apps (50 malware and 70 normal apps) indicate that our framework achieves 94.2% and 99.2% accuracy with the J48 and Random Forest classifiers respectively.
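As an added illustration of the two phases described above (example code written for this page, not the paper's own tool): phase 1 turns a strace-style trace into a system call frequency vector that a classifier such as J48 or Random Forest could consume, and phase 2 flags writes of sensitive-looking data to an open socket, the kind of event that triggers NTM capture. The trace lines, the fd handling and the sensitive-data markers are constructed assumptions.

```python
import re
from collections import Counter

# Constructed strace-style lines for one app run; not data from the paper.
SAMPLE_TRACE = """\
openat(AT_FDCWD, "/data/data/com.example.app/files/cfg", O_RDONLY) = 5
read(5, "k=v", 4096) = 3
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 7
connect(7, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
write(7, "imei=123456789012345&op=reg", 27) = 27
read(7, "OK", 4096) = 2
close(7) = 0
close(5) = 0
"""

# name(args) = ret ; args may contain nested braces and '=' signs, so the greedy
# .* backtracks to the last ") = <ret>" on the line.
SYSCALL_RE = re.compile(r'^(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)')

def syscall_features(trace: str) -> dict:
    """Phase 1: relative frequency of each syscall name (one feature vector per app run)."""
    counts = Counter()
    for line in trace.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            counts[m.group("name")] += 1
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()} if total else {}

# Hypothetical markers for "sensitive data": an imei= key or a bare 15-digit run.
SENSITIVE_RE = re.compile(r'imei=|(?<!\d)\d{15}(?!\d)')
SOCKET_WRITE_CALLS = {"write", "send", "sendto", "sendmsg"}

def suspicious_socket_writes(trace: str) -> list:
    """Phase 2 trigger: (line number, fd) of sensitive-looking writes to an fd from socket()."""
    socket_fds = set()
    hits = []
    for lineno, line in enumerate(trace.splitlines(), 1):
        m = SYSCALL_RE.match(line)
        if not m:
            continue
        name, args, ret = m.group("name"), m.group("args"), int(m.group("ret"))
        if name == "socket" and ret >= 0:
            socket_fds.add(ret)                     # remember fds that are sockets
        elif name == "close":
            socket_fds.discard(int(args.split(",")[0]))
        elif name in SOCKET_WRITE_CALLS:
            fd = int(args.split(",")[0])
            if fd in socket_fds and SENSITIVE_RE.search(args):
                hits.append((lineno, fd))
    return hits
```

In a deployment the feature dict from phase 1 would be vectorised over a fixed syscall vocabulary before training, and a phase 2 hit would start the packet capture rather than just being recorded.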