Android Malware Detection Methods Based on the Combination of Clustering and Classification

  • Zhi XiongEmail author
  • Ting Guo
  • Qinkun Zhang
  • Yu Cheng
  • Kai Xu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11058)


With the popularity of Android platform, Android malware detection is a challenging practical problem that needs to be resolved urgently. In this paper, we propose two static analysis methods for Android malware detection based on the combination of clustering and classification. First, we obtain original feature set from the manifest file and disassembled code of Android applications. Then, through the analysis of the category and appearance frequency of each feature, we extract some key features for malware detection so as to reduce the dimensionality of feature vector. Finally, we propose two methods based on the combination of clustering and classification to distinguish malicious and benign applications. One is mixed clustering, which clusters the malicious and benign samples together; the other is separate clustering, which clusters the malicious and benign samples separately. We choose to use the K-mean clustering algorithm and the K-Nearest Neighbor (KNN) classification algorithm. Evaluation results show that our methods outperform the common SVM-based method in detection accuracy, and outperform the KNN-based method in prediction time. In addition, the detection ability for unknown malware families of our methods is also better than that of the SVM-based method.


Android Malware detection Clustering Classification Dimensionality reduction Static analysis 



This work is supported by the Special Funds for Discipline and Specialty Construction of Guangdong Higher Education Institutions (2016KTSCX040).


  1. 1.
  2. 2.
    China Mobile Security Risk Report 2017. Accessed 30 Apr 2018
  3. 3.
    Chen, Z., et al.: Machine learning based mobile malware detection using highly imbalanced network traffic. Inf. Sci. 433–434, 346–364 (2018)CrossRefGoogle Scholar
  4. 4.
    Singh, L., Hofmann, M.: Dynamic behavior analysis of Android applications for malware detection. In: International Conference on Intelligent Communication and Computational Techniques, pp. 1-7. IEEE, Jaipur (2017)Google Scholar
  5. 5.
    Xiao, X., Xiao, X., Jiang, Y., Liu, X., Ye, R.: Identifying Android malware with system call co-occurrence matrices. Trans. Emerg. Telecommun. Technol. 27(5), 675–684 (2016)CrossRefGoogle Scholar
  6. 6.
    Arp, D., Spreitzenbarth, M., Huebner, M., Gascon, H., Rieck, K.: Drebin: Efficient and explainable detection of Android malware in your pocket. In: 21st Annual Network and Distributed System Security Symposium, pp. 1–15. Internet Society, San Diego (2014)Google Scholar
  7. 7.
    Fan, M., et al.: Android malware familial classification and representative sample selection via frequent subgraph analysis. IEEE Trans. Inf. Forensics Secur. 13(8), 1890–1905 (2018)CrossRefGoogle Scholar
  8. 8.
    Deypir, M., Horri, A.: Instance based security risk value estimation for Android applications. J. Inf. Secur. Appl. 40, 20–30 (2018)Google Scholar
  9. 9.
    Morales-Ortega, S., Escamilla-Ambrosio, P.J., Rodriguez-Mota, A., Coronado-De-Alba, L.D.: Native malware detection in smartphones with Android OS using static analysis, feature selection and ensemble classifiers. In: 11th International Conference on Malicious and Unwanted Software, pp. 67–74. IEEE, Fajardo (2017)Google Scholar
  10. 10.
    Chen, T., Yang, Y., Chen, B.: Maldetect: An Android malware detection system based on abstraction of dalvik instructions. J. Comput. Res. Dev. 53(10), 2299–2306 (2016)MathSciNetGoogle Scholar
  11. 11.
    Miao, X.C., Wang, R., Xu, L., Zhang, W.F., Xu, B.W.: Security analysis for Android applications using sensitive path identification. J. Softw. 28(9), 2248–2263 (2017)Google Scholar
  12. 12.
    Kumar, A., Kuppusamy, K.S., Aghila, G.: FAMOUS: Forensic analysis of mobile devices using scoring of application permissions. Future Gener. Comput. Syst. 83, 158–172 (2018)CrossRefGoogle Scholar
  13. 13.
    Varsha, M.V., Vinod, P., Dhanya, K.A.: Identification of malicious Android app using manifest and opcode features. J. Comput. Virol. Hacking Tech. 13(2), 125–138 (2017)CrossRefGoogle Scholar
  14. 14.
    The Drebin Dataset. Accessed 30 Apr 2018
  15. 15.
    Scikit-learn. Accessed 30 Apr 2018

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Zhi Xiong
    • 1
    Email author
  • Ting Guo
    • 1
  • Qinkun Zhang
    • 1
  • Yu Cheng
    • 1
  • Kai Xu
    • 1
  1. 1.Department of Computer Science and TechnologyShantou UniversityShantouChina

Personalised recommendations