PMDS: Permission-Based Malware Detection System

  • Paolo Rovelli
  • Ýmir Vigfússon
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8880)


The meteoric growth of the Android mobile platform has made it a main target of cyber-criminals. Mobile malware specifically targeting Android has surged and grown in tandem with the rising popularity of the platform [3, 5, 4, 6]. In response, the honus is on defenders to increase the difficulty of malware development to curb its rampant growth, and to devise effective detection mechanisms specifically targeting Android malware in order to better protect the end-users.

In this paper, we address the following question: do malicious applications on Android request predictably different permissions than legitimate applications? Based on analysis of 2950 samples of benign and malicious Android applications, we propose a novel Android malware detection technique called Permission-based Malware Detection Systems (PMDS). In PMDS, we view requested permissions as behavioral markers and build a machine learning classifier on those markers to automatically identify for unseen applications potentially harmful behavior based on the combination of permissions they require. By design, PMDS has the potential to detect previously unknown, and zero-day or next-generation malware. If attackers adapt and request for fewer permissions, PMDS will have impeded the simple strategies by which malware developers currently abuse their victims.

Experimental results show that PMDS detects more than 92–94% of previously unseen malware with a false positives rate of 1.52–3.93%.


Android Permissions Malware Detection System Machine Learning Data Mining Heuristics 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    The International Telecommunication Union. The World in 2014: ICT Facts and Figures (2014),
  2. 2.
    Gartner Forecast: PCs, Ultramobiles, and Mobile Phones, Worldwide, 2011-2018, 2Q 2014 (2014),
  3. 3.
    Svajcer, V.: Sophos Mobile Security Threat Report (2014)Google Scholar
  4. 4.
  5. 5.
  6. 6.
    G Data SecurityLabs: G Data Mobile Malware Report H2 2013 (2013),
  7. 7.
    Strategy Analytics: Global Smartphone Installed Base by Operating System for 88 Countries: 2007 to 2017 (2012),
  8. 8.
    IDC: More Smartphones Were Shipped in Q1 2013 Than Feature Phones, An Industry First According to IDC (2013),
  9. 9.
    Leavitt, N.: Malicious code moves to mobile devices. IEEE Computer 33(12), 16–19 (2000)CrossRefGoogle Scholar
  10. 10.
    Foley, S.N., Dumigan, R.: Are handheld viruses a significant threat? Communications of the ACM 44(1), 105–107 (2001)CrossRefGoogle Scholar
  11. 11.
    Dagon, D., Martin, T., Starner, T.: Mobile Phones as Computing Devices: The Viruses are Coming! IEEE Pervasive Computing 3(4), 11–15 (2004)CrossRefGoogle Scholar
  12. 12.
    Hypponen, M.: State of cell phone malware in 2007. USENIX (2007),
  13. 13.
    Lawton, G.: Is it finally time to worry about mobile malware? Computer 41(5), 12–14 (2008)CrossRefGoogle Scholar
  14. 14.
    Zhou, Y., Jiang, X.: Dissecting Android Malware: Characterization and Evolution. In: IEEE Symposium on Security and Privacy (SP), pp. 95–109. IEEE (2012),
  15. 15.
    Spreitzenbarth, M., Freiling, F.: Android Malware on the Rise. University of Erlangen, Germany, Tech. Rep. CS-2012-04 (2012)Google Scholar
  16. 16.
    Huang, C.-Y., Tsai, Y.-T., Hsu, C.-H.: Performance evaluation on permission-based detection for android malware. In: Pan, J.-S., Yang, C.-N., Lin, C.-C. (eds.) Advances in Intelligent Systems & Applications. SIST, vol. 21, pp. 111–120. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  17. 17.
    Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. In: Proceedings of the 19th Annual Network and Distributed System Security Symposium (2012)Google Scholar
  18. 18.
    Chen, K., Liu, P., Zhang, Y.: Achieving accuracy and scalability simultaneously in detecting application clones on Android markets. In: Proceedings of the 36th International Conference on Software Engineering, ICSE 2014, pp. 175–186. ACM, New York (2014)CrossRefGoogle Scholar
  19. 19.
    Crussell, J., Gibler, C., Chen, H.: Attack of the clones: Detecting cloned applications on android markets. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 37–54. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  20. 20.
    Zhou, W., Zhou, Y., Jiang, X., Ning, P.: Detecting repackaged smartphone applications in third-party Android marketplaces. In: Proceedings of the Second ACM Conference on Data and Application Security and Privacy, CODASPY 2012, pp. 317–326. ACM, New York (2012)Google Scholar
  21. 21.
    Sarma, B.P., Li, N., Gates, C., Potharaju, R., Nita-Rotaru, C., Molloy, I.: Android permissions: a perspective combining risks and benefits. In: Proceedings of the 17th ACM Symposium on Access Control Models and Technologies, pp. 13–22. ACM (2012)Google Scholar
  22. 22.
    Zhang, Y., Yang, M., Xu, B., Yang, Z., Gu, G., Ning, P., Wang, X.S., Zang, B.: Vetting undesirable behaviors in android apps with permission use analysis. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. ACM (2013)Google Scholar
  23. 23.
    Siddiqui, M., Wang, M.C., Lee, J.: A Survey of Data Mining Techniques for Malware Detection using File Features. In: Proceedings of the 46th Annual Southeast Regional Conference on XX, pp. 509–510. ACM (2008)Google Scholar
  24. 24.
    Ye, Y., Wang, D., Li, T., Ye, D.: IMDS: Intelligent Malware Detection System. In: Proceedings of the 13th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 1043–1047. ACM (2007)Google Scholar
  25. 25.
    Schultz, M.G., Eskin, E., Zadok, F., Stolfo, S.J.: Data Mining Methods for Detection of New Malicious Executables. In: IEEE Symposium on Security and Privacy (SP), pp. 38–49. IEEE (2001)Google Scholar
  26. 26.
    Kolter, J.Z., Maloof, M.A.: Learning to Detect and Classify Malicious Executables in the Wild. The Journal of Machine Learning Research 7, 2721–2744 (2006),
  27. 27.
    Tabish, S.M., Shafiq, M.Z., Farooq, M.: Malware Detection using Statical Analysis of Byte-Level File Content. Proceedings of the ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics, pp. 23–31. ACM (2009)Google Scholar
  28. 28.
    Kiem, H., Thuy, N.T., Quang, T.M.N.: A Machine Learning Approach to Anti-virus System. In: Proceedings of Joint Workshop of Vietnamese Society of AI, SIGKBS-JSAI, ICS-IPSJ and IEICE-SIGAI on Active Mining, Hanoi-Vietnam, pp. 61–65 (2004)Google Scholar
  29. 29.
    Firdausi, I., Lim, C., Erwin, A., Nugroho, A.S.: Analysis of machine learning techniques used in behavior-based malware detection. In: Second International Conference on Advances in Computing, Control and Telecommunication Technologies (ACT), pp. 201–203. IEEE (2010)Google Scholar
  30. 30.
    Dua, S., Du, X.: Data mining and machine learning in cybersecurity. Taylor & Francis (2011)Google Scholar
  31. 31.
    Cohen, W.W.: Fast effective rule induction. In: ICML, vol. 95, pp. 115–123 (1995)Google Scholar
  32. 32.
    Quinlan, J.R.: C4.5: programs for machine learning, vol. 1. Morgan Kaufmann (1993)Google Scholar
  33. 33.
    Holmes, G., Donkin, A., Witten, I.H.: Weka: A machine learning workbench.iN: Proceedings of the Second Australian and New Zealand Conference on Intelligent Information Systems, pp. 357–361. IEEE (1994)Google Scholar
  34. 34.
    Witten, I.H., Frank, E.: Data Mining: Practical machine learning tools and techniques. Morgan Kaufmann (2005)Google Scholar
  35. 35.
    Cleary, J.G., Trigg, L.E.: K*: An Instance-based Learner Using an Entropic Distance Measure. In: ICML, pp. 108–114 (1995)Google Scholar
  36. 36.
    John, G.H., Langley, P.: Estimating continuous distributions in Bayesian classifiers. In: Proceedings of the Eleventh Conference on Uncertainty in Artificial Intelligence, pp. 338–345. Morgan Kaufmann (1995)Google Scholar
  37. 37.
    Freund, Y., Schapire, R.E.: A desicion-theoretic generalization of on-line learning and an application to boosting. In: Vitányi, P.M.B. (ed.) EuroCOLT 1995. LNCS, vol. 904, pp. 23–37. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  38. 38.
    The Android Open Source Project: Application Fundamentals,
  39. 39.
    The Android Open Source Project: System Permissions,
  40. 40.
    The Android Open Source Project: App Manifest,
  41. 41.
    The Android Open Source Project: Android Permissions,
  42. 42.
  43. 43.
    The University of Waikato: Attribute-Relation File Format (ARFF),
  44. 44.
    The University of Waikato: ARFF,
  45. 45.
    Mila: Contagio Mobile,
  46. 46.
    Google: Google Play Store,

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Paolo Rovelli
    • 1
  • Ýmir Vigfússon
    • 1
    • 2
  1. 1.School of Computer ScienceReykjavik UniversityReykjavikIceland
  2. 2.Department of Mathematics and Computer ScienceEmory UniversityAtlantaUSA

Personalised recommendations