Document Type : Research Article

Authors

1 Albaath University, Faculty of Mechanical and Electrical Engineering, Homs, Syria.

2 University of Isfahan, Faculty of Computer Engineering, MDSE Research Group, Isfahan, Iran.

3 Albaath University, Faculty of Informatics Engineering, Homs, Syria.

Abstract

Sensitive methods are those commonly used by Android malware to perform malicious behavior. These methods may be either evasion methods or malicious payload methods. Although there are several approaches to handling these methods for effective dynamic malware analysis, most of them rely on a manually created list. The performance of such approaches therefore depends on the completeness of that list, which is rarely complete and up to date. Missing sensitive methods degrades overall performance and reduces the effectiveness of Android malware analysis.
In this paper, we propose a machine learning approach to predict new sensitive methods that might be used in Android malware. We use a manually collected training dataset to train two classifiers: one that detects whether an Android method is sensitive, and another that categorizes the detected sensitive methods into predefined categories. We applied the proposed approach to a large number of methods extracted from Android API 27. It predicts hundreds of sensitive methods, with an accuracy of 90.5% for the first classifier and 87.4% for the second. To evaluate the approach, we built a new list of the detected sensitive methods and used it in a number of dynamic malware analysis tools. The model found various sensitive methods that no other tool had considered before, so the effectiveness of these tools in performing dynamic analysis is increased.
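The two-stage scheme the abstract describes (a sensitivity classifier followed by a category classifier trained only on sensitive methods), as an added illustration that is not the paper's code or dataset: it assumes a token-based naive Bayes over method signatures and a small constructed, hand-labelled training set with the categories "evasion" and "payload".

```python
import re
from collections import Counter, defaultdict
from math import log

def tokens(sig):
    """Lowercase words of a signature: package segments, class name and the
    camel-case pieces of the method name; parameter types are ignored."""
    name = sig.split("(")[0]
    return [t.lower() for t in re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])", name)]

class NaiveBayes:
    """Multinomial naive Bayes with Laplace smoothing over signature tokens."""
    def __init__(self):
        self.docs, self.words, self.vocab = Counter(), defaultdict(Counter), set()
    def fit(self, rows):
        for sig, label in rows:
            self.docs[label] += 1
            for t in tokens(sig):
                self.words[label][t] += 1
                self.vocab.add(t)
        return self
    def predict(self, sig):
        total, best = sum(self.docs.values()), None
        for label, n in self.docs.items():
            wc = self.words[label]
            denom = sum(wc.values()) + len(self.vocab)  # Laplace: +1 per vocabulary word
            score = log(n / total) + sum(log((wc[t] + 1) / denom) for t in tokens(sig))
            if best is None or score > best[1]:
                best = (label, score)
        return best[0]

# Constructed, hand-labelled rows (signature, sensitive?, category); not the paper's dataset.
TRAIN = [
    ("android.os.Build.getRadioVersion()", True, "evasion"),
    ("android.os.Debug.isDebuggerConnected()", True, "evasion"),
    ("android.telephony.TelephonyManager.getNetworkOperatorName()", True, "evasion"),
    ("android.os.SystemProperties.get(java.lang.String)", True, "evasion"),
    ("android.telephony.SmsManager.sendTextMessage(...)", True, "payload"),
    ("android.content.ContentResolver.query(...)", True, "payload"),
    ("android.location.LocationManager.getLastKnownLocation(...)", True, "payload"),
    ("android.widget.TextView.setText(...)", False, None),
    ("android.view.View.setVisibility(int)", False, None),
    ("android.graphics.Canvas.drawRect(...)", False, None),
    ("android.widget.Button.setOnClickListener(...)", False, None),
]
# Stage 1: sensitive or not; stage 2: category, trained on the sensitive rows only.
STAGE1 = NaiveBayes().fit((s, sens) for s, sens, _ in TRAIN)
STAGE2 = NaiveBayes().fit((s, cat) for s, sens, cat in TRAIN if sens)

def classify(sig):
    """Return (is_sensitive, category); category is None for non-sensitive methods."""
    return (True, STAGE2.predict(sig)) if STAGE1.predict(sig) else (False, None)
```

Unseen methods such as `sendMultipartTextMessage` are pulled toward the class whose signature vocabulary they share, which is the mechanism that lets the approach extend a hand-written list.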

Keywords
