Skip to main content
Log in

Deep learning for image-based mobile malware detection

  • Original Paper
  • Published:
Journal of Computer Virology and Hacking Techniques Aims and scope Submit manuscript

Abstract

Current anti-malware technologies in last years demonstrated their evident weaknesses due to the signature-based approach adoption. Many alternative solutions were provided by the current state of art literature, but in general they suffer of a high false positive ratio and are usually ineffective when obfuscation techniques are applied. In this paper we propose a method aimed to discriminate between malicious and legitimate samples in mobile environment and to identify the belonging malware family and the variant inside the family. We obtain gray-scale images directly from executable samples and we gather a set of features from each image to build several classifiers. We experiment the proposed solution on a data-set of 50,000 Android (24,553 malicious among 71 families and 25,447 legitimate) and 230 Apple (115 samples belonging to 10 families) real-world samples, obtaining promising results.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11

Similar content being viewed by others

Notes

  1. https://www.statista.com/statistics/266136/global-market-share-held-by-smartphone-operating-systems/

  2. https://www.statista.com/topics/870/iphone/.

  3. https://www.statista.com/statistics/263794/number-of-downloads-from-the-apple-app-store/.

  4. http://www.mcafee.com/us/resources/reports/rp-mobile-threat-report-2016.pdf.

  5. http://amd.arguslab.org/.

  6. https://play.google.com/.

  7. https://www.virustotal.com.

  8. http://www.apple.com/iphone/appstore.

  9. http://contagiominidump.blogspot.it/.

  10. https://github.com/appknox/AFE.

References

  1. Ah: Myth. https://github.com/AhMyth/AhMyth-Android-RAT (2018)

  2. Apk: Tool. https://ibotpeaches.github.io/Apktool/ (2018)

  3. Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. ACM SIGPLAN Not. 49(6), 259–269 (2014)

    Article  Google Scholar 

  4. Barbuti, R., De Francesco, N., Santone, A., Vaglini, G.: Reduced models for efficient CCS verification. Form. Methods Syst. Des. 26(3), 319–350 (2005)

    Article  Google Scholar 

  5. Bhodia, N., Prajapati, P., Di Troia, F., Stamp, M.: Transfer learning for image-based malware classification. arXiv preprint arXiv:1903.11551 (2019)

  6. Blasing, T., Schmidt, A.D., Batyuk, L., Camtepe, S.A., Albayrak, S.: An android application sandbox system for suspicious software detection. In: Proceedings of 5th International Conference on Malicious and Unwanted Software (2010)

  7. Brunese, L., Mercaldo, F., Reginelli, A., Santone, A.: Formal methods for prostate cancer gleason score and treatment prediction using radiomic biomarkers. Magn. Reson. Imaging (2019). https://doi.org/10.1016/j.mri.2019.08.030

  8. Brunese, L., Mercaldo, F., Reginelli, A., Santone, A.: Neural networks for lung cancer detection through radiomic features. In: 2019 International Joint Conference on Neural Networks (IJCNN), pp. 1–10. IEEE (2019)

  9. Brunese, L., Mercaldo, F., Reginelli, A., Santone, A.: An ensemble learning approach for brain cancer detection exploiting radiomic features. Comput. Methods Programs Biomed. 185, 105134 (2020)

    Article  Google Scholar 

  10. Canfora, G., Di Sorbo, A., Mercaldo, F., Visaggio, C.A.: Obfuscation techniques against signature-based detection: a case study. In: 2015 Mobile Systems Technologies Workshop (MST), pp. 21–26. IEEE (2015)

  11. Canfora, G., Martinelli, F., Mercaldo, F., Nardone, V., Santone, A., Visaggio, C.A.: Leila: formal tool for identifying mobile malicious behaviour. IEEE Trans. Softw. Eng. 45(12), 1230–1252 (2018)

    Article  Google Scholar 

  12. Canfora, G., Mercaldo, F., Moriano, G., Visaggio, C.A.: Composition-malware: building android malware at run time. In: 2015 10th International Conference on Availability, Reliability and Security (ARES), pp. 318–326. IEEE (2015)

  13. Canfora, G., Mercaldo, F., Visaggio, C.A.: A classifier of malicious android applications. In: Proceedings of the 2nd International Workshop on Security of Mobile Applications, in conjunction with the International Conference on Availability, Reliability and Security (2013)

  14. Ceccarelli, M., Cerulo, L., Santone, A.: De novo reconstruction of gene regulatory networks from time series data, an approach based on formal methods. Methods 69(3), 298–305 (2014). https://doi.org/10.1016/j.ymeth.2014.06.005

    Article  Google Scholar 

  15. Cimitile, A., Martinelli, F., Mercaldo, F.: Machine Learning Meets iOS Malware: Identifying Malicious Applications on Apple Environment. In: ICISSP, pp. 487–492 (2017)

  16. Cimitile, A., Martinelli, F., Mercaldo, F., Nardone, V., Santone, A.: Formal methods meet mobile code obfuscation identification of code reordering technique. In: 2017 IEEE 26th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), pp. 263–268. IEEE (2017)

  17. Cimitile, A., Mercaldo, F., Nardone, V., Santone, A., Visaggio, C.A.: Talos: no more ransomware victims with formal methods. Int. J. Inf. Secur. 17, 1–20 (2017)

    Google Scholar 

  18. Ciobanu, M.G., Fasano, F., Martinelli, F., Mercaldo, F., Santone, A.: A data life cycle modeling proposal by means of formal methods. In: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, pp. 670–672. ACM (2019)

  19. Ciobanu, M.G., Fasano, F., Martinelli, F., Mercaldo, F., Santone, A.: Model checking for data anomaly detection. Procedia Comput. Sci. 159, 1277–1286 (2019)

    Article  Google Scholar 

  20. Damopoulos, D., Kambourakis, G., Gritzalis, S.: iSAM: an iPhone stealth airborne malware. In: IFIP International Information Security Conference, pp. 17–28. Springer (2011)

  21. Digital: Trends. https://www.digitaltrends.com/android/smartphone-sales-exceed-those-of-pcs-for-first-time-apple-smashes-record/ (2011)

  22. Dixon, B., Jiang, Y., Jaiantilal, A., Mishra, S.: Location based power analysis to detect malicious code in smartphones. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (2011)

  23. Droid: Jack. http://droidjack.net/ (2018)

  24. Enck, W., Gilbert, P., Han, S., Tendulkar, V., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. (TOCS) 32(2), 5 (2014)

    Article  Google Scholar 

  25. Martinelli, F., Mercaldo, F., Orlando, A., Nardone, V., Santone, A., Sangaiah, A.K.: Human behavior characterization for driving style recognition in vehicle system. Comput. Elec. Eng. (2018). https://doi.org/10.1016/j.compeleceng.2017.12.050

    Article  Google Scholar 

  26. Faiella, M., La Marra, A., Martinelli, F., Mercaldo, F., Saracino, A., Sheikhalishahi, M.: A distributed framework for collaborative and dynamic analysis of android malware. In: 2017 25th Euromicro International Conference on Parallel, Distributed and Network-Based Processing (PDP), pp. 321–328. IEEE (2017)

  27. Farrokhmanesh, M., Hamzeh, A.: Music classification as a new approach for malware detection. J. Comput. Virol. Hacking Tech. 15(2), 77–96 (2019)

    Article  Google Scholar 

  28. Fasano, F., Martinelli, F., Mercaldo, F., Santone, A.: Measuring mobile applications quality and security in higher education. In: 2018 IEEE International Conference on Big Data (Big Data), pp. 5319–5321. IEEE (2018)

  29. Fasano, F., Martinelli, F., Mercaldo, F., Santone, A.: Energy consumption metrics for mobile device dynamic malware detection. Procedia Comput. Sci. 159, 1045–1052 (2019)

    Article  Google Scholar 

  30. Fasano, F., Martinelli, F., Mercaldo, F., Santone, A.: Investigating mobile applications quality in official and third-party marketplaces. In: Proceedings of the 14th International Conference on Evaluation of Novel Approaches to Software Engineering, pp. 169–178. SCITEPRESS-Science and Technology Publications, Lda (2019)

  31. Feizollah, A., Anuar, N.B., Salleh, R., Suarez-Tangil, G., Furnell, S.: Androdialysis: analysis of android intent effectiveness in malware detection. Comput. Secur. 65, 121–134 (2017)

    Article  Google Scholar 

  32. Ferrante, A., Medvet, E., Mercaldo, F., Milosevic, J., Visaggio, C.A.: Spotting the malicious moment: Characterizing malware behavior using dynamic features. In: 2016 11th International Conference on Availability, Reliability and Security (ARES), pp. 372–381. IEEE (2016)

  33. Francesco, Nd, Lettieri, G., Santone, A., Vaglini, G.: Grease: a tool for efficient “nonequivalence” checking. ACM Trans. Softw. Eng. Methodol. (TOSEM) 23(3), 24 (2014)

    Article  Google Scholar 

  34. Gandotra, E., Bansal, D., Sofat, S.: Malware analysis and classification: a survey. J. Inf. Secur. 5(02), 56 (2014)

    Google Scholar 

  35. Garcıa, L., Rodrıguez, R.J.: A peek under the hood of iOS malware. In: 2016 10th International Conference on Availability, Reliability and Security (ARES) (2016)

  36. Goodfellow, I., Bengio, Y., Courville, A.: Deep Learning. MIT press, Cambridge (2016)

    MATH  Google Scholar 

  37. Google: Play. https://play.google.com/store (2015)

  38. Hashemi, H., Hamzeh, A.: Visual malware detection using local malicious pattern. J. Comput. Virol. Hacking Tech. 15(1), 1–14 (2019)

    Article  Google Scholar 

  39. Ioffe, S., Szegedy, C.: Batch normalization: accelerating deep network training by reducing internal covariate shift. In: Proceedings of the 32nd International Conference on International Conference on Machine Learning—Volume 37, ICML’15, pp. 448–456. JMLR.org (2015). http://dl.acm.org/citation.cfm?id=3045118.3045167

  40. Jiang, X., Zhou, Y.: Dissecting android malware: characterization and evolution. In: 2012 IEEE Symposium on Security and Privacy, pp. 95–109. IEEE (2012)

  41. Kim, H., Smith, J., Shin, K.G.: Detecting energy-greedy anomalies and mobile malware variants. In: Proceedings of the 6th International Conference on Mobile Systems, Applications, and Services (2008)

  42. Lindorfer, M., Miller, B., Neugschwandtner, M., Platzer, C.: Take a bite-finding the worm in the apple. In: 2013 9th International Conference on Information, Communications and Signal Processing (ICICS), pp. 1–5. IEEE (2013)

  43. Lindorfer, M., Neugschwandtner, M., Platzer, C.: Marvin: Efficient and comprehensive mobile app classification through static and dynamic analysis. In: 2015 IEEE 39th Annual Computer Software and Applications Conference (COMPSAC), vol. 2, pp. 422–433. IEEE (2015)

  44. Mannor, S., Peleg, D., Rubinstein, R.: The cross entropy method for classification. In: Proceedings of the 22nd International Conference on Machine Learning, ICML ’05, pp. 561–568. ACM, New York (2005). https://doi.org/10.1145/1102351.1102422

  45. Martinelli, F., Mercaldo, F., Nardone, V., Santone, A.: Car hacking identification through fuzzy logic algorithms. In: 2017 IEEE International Conference on Fuzzy Systems (FUZZ-IEEE), pp. 1–7. IEEE (2017)

  46. Martinelli, F., Mercaldo, F., Nardone, V., Santone, A., Sangaiah, A.K., Cimitile, A.: Evaluating model checking for cyber threats code obfuscation identification. J. Parallel Distrib. Comput. 119, 203–218 (2018)

    Article  Google Scholar 

  47. Martinelli, F., Mercaldo, F., Santone, A.: Social network polluting contents detection through deep learning techniques. In: 2019 International Joint Conference on Neural Networks (IJCNN), pp. 1–10. IEEE (2019)

  48. Martinelli, F., Mercaldo, F., Saracino, A.: Bridemaid: An hybrid tool for accurate detection of android malware. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 899–901. ACM (2017)

  49. Mercaldo, F., Nardone, V., Santone, A.: Ransomware inside out. In: 2016 11th International Conference on Availability, Reliability and Security (ARES), pp. 628–637. IEEE (2016)

  50. Mercaldo, F., Nardone, V., Santone, A., Visaggio, C.A.: Hey malware, i can find you! In: 2016 IEEE 25th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), pp. 261–262. IEEE (2016)

  51. Mercaldo, F., Nardone, V., Santone, A., Visaggio, C.A.: Ransomware steals your phone. formal methods rescue it. In: International Conference on Formal Techniques for Distributed Objects, Components, and Systems, pp. 212–221. Springer (2016)

  52. Nataraj, L., Karthikeyan, S., Jacob, G., Manjunath, B.: Malware images: visualization and automatic classification. In: Proceedings of the 8th International Symposium on Visualization for Cyber Security, p. 4. ACM (2011)

  53. Oberheide, J., Mille, C.: Dissecting the android bouncer. In: SummerCon (2012)

  54. Octeau, D., McDaniel, P., Jha, S., Bartel, A., Bodden, E., Klein, J., Le Traon, Y.: Effective inter-component communication mapping in android: an essential step towards holistic security analysis. In: Presented as Part of the 22nd USENIX Security Symposium (USENIX Security 13), pp. 543–558 (2013)

  55. Parnas, D.L.: The real risks of artificial intelligence. Commun. ACM 60(10), 27–31 (2017)

    Article  Google Scholar 

  56. Petsas, T., Voyatzis, G., Athanasopoulos, E., Polychronakis, M., Ioannidis, S.: Rage against the virtual machine: hindering dynamic analysis of android malware. In: Proceedings of the Seventh European Workshop on System Security, p. 5. ACM (2014)

  57. Polino, M., Scorti, A., Maggi, F., Zanero, S.: Jackdaw: Towards automatic reverse engineering of large datasets of binaries. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 121–143. Springer (2015)

  58. Rastogi, V., Chen, Y., Jiang, X.: Droidchameleon: evaluating android anti-malware against transformation attacks. In: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, pp. 329–334. ACM (2013)

  59. Rastogi, V., Chen, Y., Jiang, X.: Catch me if you can: evaluating android anti-malware against transformation attacks. IEEE Trans. Inf. Forensics Secur. 9(1), 99–108 (2014)

    Article  Google Scholar 

  60. Santone, A.: Automatic verification of concurrent systems using a formula-based compositional approach. Acta Inform. 38(8), 531–564 (2002)

    Article  MathSciNet  Google Scholar 

  61. Santone, A.: Clone detection through process algebras and java bytecode. In: IWSC, pp. 73–74. Citeseer (2011)

  62. Scalas, M., Maiorca, D., Mercaldo, F., Visaggio, C.A., Martinelli, F., Giacinto, G.: On the effectiveness of system API-related information for android ransomware detection. Comput. Secur. 86, 168–182 (2019). https://doi.org/10.1016/j.cose.2019.06.004

    Article  Google Scholar 

  63. Shabtai, A., Kanonov, U., Elovici, Y.: Intrusion detection for mobile devices using the knowledge-based, temporal abstraction method. J. Syst. Softw. 83(8), 1524–1537 (2010)

    Article  Google Scholar 

  64. Shabtai, A., Kanonov, U., Elovici, Y., Glezer, C., Weiss, Y.: “Andromaly” : a behavioral malware detection framework for android devices. J. Intell. Inf. Syst. 38(1), 161–190 (2012)

    Article  Google Scholar 

  65. Szydlowski, M., Egele, M., Kruegel, C., Vigna, G.: Challenges for dynamic analysis of iOS applications. In: Open Problems in Network Security, pp. 65–77. Springer (2012)

  66. Wei, F., Li, Y., Roy, S., Ou, X., Zhou, W.: Deep ground truth analysis of current android malware. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA’17), pp. 252–276. Springer, Bonn (2017)

  67. Wei, F., Roy, S., Ou, X., et al.: Amandroid: a precise and general inter-component data flow analysis framework for security vetting of android apps. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 1329–1341. ACM (2014)

  68. Xiao, X., Zhang, S., Mercaldo, F., Hu, G., Sangaiah, A.K.: Android malware detection based on system call sequences and LSTM. Multimed. Tools Appl. 78(4), 3979–3999 (2019)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Francesco Mercaldo.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendix

Appendix

See Table 7.

Table 7 Android malware families with relative variants involved in the study

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Mercaldo, F., Santone, A. Deep learning for image-based mobile malware detection. J Comput Virol Hack Tech 16, 157–171 (2020). https://doi.org/10.1007/s11416-019-00346-7

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11416-019-00346-7

Keywords

Navigation