Research Tools

September 21, 2015

Mobile Malware detection through features Extraction: a quick introduction.

The increasing diffusion of so-called “smart” devices, along with the dynamism of the mobile applications ecosystem, are boosting the production of malware for the Android platform. Countermeasures are limited to signature-based techniques, which are able to recognize known malware, but present serious problems in identifying malware without know the signature and in general zero-day malware.

The main problem of signature-based detection techniques is the widespread introduction of malware before its inclusion in the database of malware signatures. This scenario creates a window of opportunity for attackers. In recent years, research community developed several methods in order to tackle the problem, based on both static analysis, including an analysis of the application without running it, and on dynamic analysis, which includes the execution of the application in order to analyze the behavior . The main limitations of existing methods include: low accuracy, proneness to evasion techniques, and weak validation, often limited to emulators or modified kernels.

The aim of our research is to define novel and effective techniques to address to plague of mobile malware and to characterize the different families of belonging. In next section we present the tools we developed to detect mobile malware using feature-based classification. Our results are promising and competitive with the state-of-the-art results obtained from community researchers in malware analysis.



DoctorDroid tool extracts three features from the application under analysis.

The first metric computes the occurrences of a set of system calls invoked by the application under analysis. The assumption is that different malicious applications can share common patterns of system calls that are not present in trusted applications, as these common patterns are recurrently used to implement malicious actions. The second metric computes a weighted sum of all the permissions requested by the application under analysis, where the weight is assigned according to the potential threat that the permission could cause if the application has evil goals. For instance, SEND_SMS permission could be more dangerous than RECEIVE_SMS permission. The third metric is a weighted sum of selected combinations of permissions. The underlying idea is that specific combinations of permissions can be more effective to detect malware applications rather than a weighted sum of all the permissions. Relevant permission combinations were obtained from a literature analysis about smartphone malware.

In figure 1 the results obtained in terms of accuracy by classifying the three metrics extracted by DoctorDroid.



Figure 1: DoctorDroid classification results: the second group of metrics (sumperm and risklevel) obtained the best accuracy value.


The algorithms seem to classify better the trusted applications than the malicious ones, even if the difference is small; the risklevel metric seems to decrease the precision, so it allows the proliferation of misclassified instances.





The second tool we developed computes eight different features from smali code, i.e. the Android machine-level language. The first six features aim at characterizing the fragmentation of the control flow, and compute, respectively, the number of the move, the jump, the packed-switch, the sparse- switch, the invoke and the if op-codes, singly taken, divided by the overall sum of the occurrences of all these six Dalvik op-codes. The last two features are based on another assumption. The classes of a trusted application tend to exhibit an intrinsic variability, because each class is designed to implement a specific part of the business logic of the overall application. Such a variability should be reflected in the distribution of the op-codes, so the same op-code should occur with different frequencies in different classes. Conversely, as the malware has not an articulated business logic except for the malicious payload, this difference among its classes tend to be less evident than in trusted applications. For evaluating such a difference in op-codes distribution among the different classes forming the final application we use two features, which are two variants of the Minkowski distance : the first one is represented by the Manhattan distance, the second one by the Euclidean distance.

Figure 2 explain the results we obtained with the single feature classification.



Figure 2: CaveDroid classification results in terms of accuracy

All the algorithms are able to effectively classify both trusted applications and malicious applications (with the exception of the “packed-switch” feature that exhibits a value of accuracy in the trusted classification lower than 0.5 with the NBTree classification algorithm):

  • The features move and jump return the best results for the classification of malware applications (in particular, the precision of the “move” is equal to 0.916 with RandomForest classification algorithm), the features Manhattan distance and Euclidean distance appear to be the best to classify trusted applications (in particular precision of the Euclidean distance for the trusted applications amounted to 0.938 with J48 and NBTree classification algorithms).
  • The Invoke, Packed, Switch and If features are characterized by accuracy values smaller than the other features analyzed, but exhibit much better results with regard to the classification of malware, if compared to trusted applications. However, in any case, these values are lower than the features move and jump for detecting malware and Manhattan and Euclidean distance, for classifying the trusted applications.




With MilitumDroid, we investigate whether short sequences of opcodes (i.e., opcode ngrams) are informative for detecting Android malware. In particular, we focus on the current scenario in which partitions of the malware exist within which the applications share common parts of code.

The experimentation revealed that the sequences of opcodes are a very effective method for detecting Android malware, as this technique produced an accuracy of 96.88%.

Figure 3 shows obtained results.



Figure 3: classification results with frequency op-code features extracted by BehaveYourself!

Moreover, we found that the best accuracy of classification can be obtained by considering just bigrams (i.e., n=2): in that condition, our method needs to take into account 1000 opcodes which, depending on the specific scenario considered, may make feasible the implementation of our method. Metamorphic malware could escape the proposed technique, but at the moment there are no samples of metamorphic malware in the wild for the Android platform. However polymorphic malware, able to change shape over time so to evade detection by antivirus, is represented in our dataset by Opfake family (613 samples) with a high detection rate: 94% using the Random Forest algorithm.




With SmartEntropize, we investigate whether HMM chains and Structural Entropy techniques can be similarly effective in recognizing Android malware and the malware families. Recognizing the family a malware belongs to is important as it can allow a malware analyst to faster classify it, its payload and to find an effective countermeasure.

The experimentation will demonstrate that HMM is effective to recognize malware (with an accuracy of 0.96), while the Structural Entropy for identifying the family a malware belongs to, with an accuracy of 0.98. HMM is not effective for detecting malware families, even if the values of accuracy and recall in some cases are close to 0.8, which represents not a totally bad performance. It is worth noticing that in this case the rocarea is close to 0.9 for many tests which use HMM. This implies that for recognizing malware families, the tests with HMM have a good accuracy. The structural entropy performs better in recognizing the malware families with polymorphic malware. As a matter of fact the best outcomes are obtained with Opfake, that is polimorphic. This is consistent with the results of similar studies on PC’c viruses.

Basically SmartEntropize extracts three features (3-HMM, 4-HMM and 5-HMM) with the method of HMM, and one feature (entropy) with the structural entropy one.

Figure 4 shows the performance in terms of accuracy:



Figure 4: classification results with the features 3-HMM, 4-HMM, 5-HMM and entropy.

SmartEntropize also is able to classify the malware family using the structural entropy feature, figure 5 explain these results for the top-10 populous families in our malware dataset:



Figure 5: family classification results using the structural entropy feature


The BehaveYourself! approach is based on sequences of system calls. The assumption is that malicious behaviors (e.g., sending high premium rate SMS, cyphering data for ransom, botnet capabilities, and so on) are implemented by specific system calls sequences: yet, no apriori knowledge is available about which sequences are associated with which malicious behaviors, in particular in the mobile applications ecosystem where new malware and non-malware applications continuously arise.

Experimentation on 20000 execution traces of 2000 applications of them being malware belonging to different malware families), performed on a real device, shows promising results: we obtain a detection accuracy of 97%. Moreover, we show that the proposed method can cope with the dynamism of the mobile apps ecosystem, since it can detect unknown malware. It is important to notice that FNR is low for the highest values of n and k, and that such a value is balanced with FPR. On the other hand, we note that 91% is a pretty high accuracy: this figure suggests that permissions indeed play an important role in Android malware detection.


Figure 6: MilitumDroid results in terms of accuracy

We obtained a best-in-class accuracy of 97% .



Android platform starts became the universal front-end in the IoE and IoT, mobile attacks will continue to grow rapidly as new technologies expand the attack surface. Vendors, manufacturer, providers should extend vulnerability shielding and exploit prevention technologies and Anti-Malware vendors have to enhance their actual solutions, because new type of malware have a leless payload that only runs in memory and to circumvent detection as well it adopt more complex obfuscation techniques. The idea behind this work, arises from the awareness that a more e ective and holistic anti malware approach have to rst outline the phylogenesis, understand its evolution and sophistication, their belonging semantics. This methodology move toward this direction, implementing a clone-detection heuristic for outline common payload components in order to identify malware variants. Our Heuristic, is a contribution in the Malware Analysis phase, not in the Detection phase, to well-understand Android Malware and their evolution, to trace back a possible Malware descent.
To achieve these goals, we start from the analysis of the Opcodes Frequency Distribution, obtaining by similarities, the 10 nearest vectors from the Data-set (build from the Android Drebin Project), then, an n-grams heuristic on the Adjacency Lists, detect isomorphism features in the Call Graphs to identify payloads components as common sub-graphs. Then we a re able to outline a possible genome for each malware family and are able to de ne a possible descent for each malware variant, also multiple-descents, proving the e ectiveness of this methodology.
This work aims to lay the foundation of a new types of methodologies based on the study of the payload philogenesy.


Screenhosts from the tool:

subgraph           sc1

sc2                sc3


  •  [1] Gerardo Canfora, Francesco Mercaldo, Corrado Aaron Visaggio (2013) “A classifier of Malicious Android Applications”, in proceedings of International Conference on Availability, Reliability and Security, pp. 607-614, IEEE.
  • [2] Gerardo Canfora, Francesco Mercaldo, Corrado Aaron Visaggio (2015) “Mobile Malware Detection using Op-code Frequency Histograms”, in proceedings of International Conference on Security and Cryptography, SECRYPT 2015, to appear.
  • [3] Gerardo Canfora, Andrea De Lorenzo, Eric Medvet, Francesco Mercaldo, Corrado Aaron Visaggio (2015) “Effectiveness of Opcode ngrams for Detection of Multi Family Android Malware”, in proceedings of International Conference on Availability, Reliability and Security, to appear.
  • [4] Gerardo Canfora, Eric Medvet, Francesco Mercaldo, Corrado Aaron Visaggio (2015) “Detecting Android Malware using Sequences of System Calls”, in proceedings of The Third International Workshop on Software Development Lifecycle for Mobile, in conjunction with ESEC/FSE, to appear.