Keep Calm and Know Where to Focus: Measuring and Predicting the Impact of Android Malware

  • Junyang QiuEmail author
  • Wei Luo
  • Surya Nepal
  • Jun Zhang
  • Yang Xiang
  • Lei Pan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11323)


Android malware can pose serious security threat to the mobile users. With the rapid growth in malware programs, categorical isolation of malware is no longer satisfactory for security risk management. It is more pragmatic to focus the limited resources on identifying the small fraction of malware programs of high security impact. In this paper, we define a new research issue of measuring and predicting the impact of the detected Android malware. To address this issue, we first propose two metrics to isolate the high impact Android malware programs from the low impact ones. With the proposed metrics, we created a new research dataset including high impact and low impact Android malware samples. The dataset allows us to empirically discover the driving factors for the high malware impact. To characterize the differences between high impact and low impact Android malware, we leverage features from two sources available in every Android application. (1) the readily available AndroidManifest.xml file and (2) the disassembled code from the compiled binary. From these characteristics, we trained a highly accurate classifier to identify high impact Android malware. The experimental results show that our proposed method is feasible and has great potential in predicting the impact of Android malware in general.


Android malware Research malware dataset High impact malware Low impact malware Machine learning Static analysis 


  1. 1.
    Global market share held by the leading smartphone operating systems in sales to end users from 1st quarter 2009 to 1st quarter 2017. (2017). Accessed 28 June 2017
  2. 2.
    Aafer, Y., Du, W., Yin, H.: DroidAPIMiner: mining API-level features for robust malware detection in Android. In: Zia, T., Zomaya, A., Varadharajan, V., Mao, M. (eds.) SecureComm 2013. LNICST, vol. 127, pp. 86–103. Springer, Cham (2013). Scholar
  3. 3.
    Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K., Siemens, C.: DREBIN: effective and explainable detection of android malware in your pocket. In: NDSS (2014)Google Scholar
  4. 4.
    Arzt, S., et al.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. ACM SIGPLAN Not. 49(6), 259–269 (2014)CrossRefGoogle Scholar
  5. 5.
    Bartel, A., Klein, J., Le Traon, Y., Monperrus, M.: Dexpler: converting android Dalvik Bytecode to Jimple for static analysis with soot. In: Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program analysis, pp. 27–38. ACM (2012)Google Scholar
  6. 6.
    Bläsing, T., Batyuk, L., Schmidt, A.D., Camtepe, S.A., Albayrak, S.: An android application sandbox system for suspicious software detection. In: 2010 5th International Conference on Malicious and Unwanted Software (MALWARE), pp. 55–62. IEEE (2010)Google Scholar
  7. 7.
    Burguera, I., Zurutuza, U., Nadjm-Tehrani, S.: Crowdroid: behavior-based malware detection system for android. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, pp. 15–26. ACM (2011)Google Scholar
  8. 8.
    Chakradeo, S., Reaves, B., Traynor, P., Enck, W.: MAST: triage for market-scale mobile malware analysis. In: Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks, pp. 13–24. ACM (2013)Google Scholar
  9. 9.
    Desnos, A.: Androguard (2011).
  10. 10.
    Desnos, A., Gueguen, G.: Android: from reversing to decompilation. In: Proceedings of Black Hat Abu Dhabi, pp. 77–101 (2011)Google Scholar
  11. 11.
    Enck, W., et al.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. (TOCS) 32(2), 5 (2014)CrossRefGoogle Scholar
  12. 12.
    Enck, W., Octeau, D., McDaniel, P.D., Chaudhuri, S.: A study of android application security. In: USENIX Security Symposium, vol. 2, p. 2 (2011)Google Scholar
  13. 13.
    Faruki, P., Ganmoor, V., Laxmi, V., Gaur, M.S., Bharmal, A.: AndroSimilar: robust statistical feature signature for Android malware detection. In: Proceedings of the 6th International Conference on Security of Information and Networks, pp. 152–159. ACM (2013)Google Scholar
  14. 14.
    Feng, Y., Anand, S., Dillig, I., Aiken, A.: Apposcopy: semantics-based detection of android malware through static analysis. In: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 576–587. ACM (2014)Google Scholar
  15. 15.
    Feng, Y., Bastani, O., Martins, R., Dillig, I., Anand, S.: Automated synthesis of semantic malware signatures using maximum satisfiability. In: NDSS (2017)Google Scholar
  16. 16.
    Gascon, H., Yamaguchi, F., Arp, D., Rieck, K.: Structural detection of android malware using embedded call graphs. In: Proceedings of the 2013 ACM Workshop on Artificial Intelligence and Security, pp. 45–54. ACM (2013)Google Scholar
  17. 17.
    Hearst, M.A., Dumais, S.T., Osuna, E., Platt, J., Scholkopf, B.: Support vector machines. IEEE Intell. Syst. Their Appl. 13(4), 18–28 (1998)CrossRefGoogle Scholar
  18. 18.
    Hinton, G.E.: Visualizing high-dimensional data using t-SNE. Vigiliae Christianae 9(2), 2579–2605 (2008)zbMATHGoogle Scholar
  19. 19.
    Hou, S., Ye, Y., Song, Y., Abdulhayoglu, M.: HinDroid: an intelligent android malware detection system based on structured heterogeneous information network (2017)Google Scholar
  20. 20.
    Huang, C.Y., Tsai, Y.T., Hsu, C.H.: Performance evaluation on permission-based detection for Android malware. In: Pan, J.S., Yang, C.N., Lin, C.C. (eds.) Advances in Intelligent Systems and Applications, vol. 2, pp. 111–120. Springer, Heidelberg (2013). Scholar
  21. 21.
    Lueg, C.: 8,400 new Android malware samples every day, April 2017. Accessed 28 June 2017
  22. 22.
    Octeau, D., Jha, S., McDaniel, P.: Retargeting android applications to Java Bytecode. In: Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering, p. 6. ACM (2012)Google Scholar
  23. 23.
    Rastogi, V., Chen, Y., Enck, W.: AppsPlayground: automatic security analysis of smartphone applications. In: Proceedings of the third ACM Conference on Data and Application Security and Privacy, pp. 209–220. ACM (2013)Google Scholar
  24. 24.
    Sanz, B., Santos, I., Laorden, C., Ugarte-Pedrero, X., Bringas, P.G., Álvarez, G.: PUMA: permission usage to detect malware in android. In: Herrero, Á., et al. (eds.) International Joint Conference CISIS’12-ICEUTE\(^\prime \)12-SOCO\(^\prime \)12 Special Sessionspp, pp. 289–298. Springer, Heidelberg (2013). Scholar
  25. 25.
    Snell, B.: Mobile threat report: what’s on the horizon for 2016. Intel Security and McAfee, 1 March 2016Google Scholar
  26. 26.
    Wognsen, E.R., Karlsen, H.S., Olesen, M.C., Hansen, R.R.: Formalisation and analysis of Dalvik Bytecode. Sci. Comput. Program. 92, 25–55 (2014)CrossRefGoogle Scholar
  27. 27.
    Wu, C., Zhou, Y., Patel, K., Liang, Z., Jiang, X.: AirBag: boosting smartphone resistance to malware infection. In: NDSS (2014)Google Scholar
  28. 28.
    Wu, D.J., Mao, C.H., Wei, T.E., Lee, H.M., Wu, K.P.: DroidMat: android malware detection through manifest and API calls tracing. In: 2012 Seventh Asia Joint Conference on Information Security (Asia JCIS), pp. 62–69. IEEE (2012)Google Scholar
  29. 29.
    Yan, L.K., Yin, H.: DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic android malware analysis. In: USENIX Security Symposium, pp. 569–584 (2012)Google Scholar
  30. 30.
    Yang, W., Xiao, X., Andow, B., Li, S., Xie, T., Enck, W.: AppContext: differentiating malicious and Benign mobile app behaviors using context. In: 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering (ICSE), vol. 1, pp. 303–313. IEEE (2015)Google Scholar
  31. 31.
    Zhang, Y., et al.: Vetting undesirable behaviors in android apps with permission use analysis. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 611–622. ACM (2013)Google Scholar
  32. 32.
    Zheng, M., Sun, M., Lui, J.C.: Droid analytics: a signature based analytic system to collect, extract, analyze and associate android malware. In: 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 163–171. IEEE (2013)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Junyang Qiu
    • 1
    Email author
  • Wei Luo
    • 1
  • Surya Nepal
    • 2
  • Jun Zhang
    • 3
  • Yang Xiang
    • 3
  • Lei Pan
    • 1
  1. 1.School of Information TechnologyDeakin UniversityGeelongAustralia
  2. 2.Data61, CSIROMelbourneAustralia
  3. 3.Digital Research and Innovation Capability PlatformSwinburne University of TechnologyMelbourneAustralia

Personalised recommendations