Journal "Software Engineering"
a journal on theoretical and applied science and technology
ISSN 2220-3397
Issue N7-8, 2019
In this article we consider the problem of automated detection of malicious mobile applications and propose a method based on dynamic analysis of application code. The method builds a dynamic model of the application in the form of a graph of a special kind, whose vertices represent application states and whose edges represent transitions between states, each labelled with an "input"-"reaction" pair. An input is a user action or a system event; a reaction is the execution of an API call or a sequence of actions. The built models are compared with basic malware models, which are obtained beforehand from a malware collection using hierarchical clustering. The results of this model comparison, together with other characteristics including API-call-related information, form feature vectors that are then classified with machine learning algorithms. The best classification results were obtained with a gradient boosting algorithm: 85 % of the malicious applications in the test set were classified correctly, while the false alarm rate on real applications from Google Play was 0.5 %. The proposed method is suitable for use as one of the automated checks on the application marketplace side; it can also be used in corporate systems of the Mobile Device Management (MDM) class. The built models are of particular value in themselves and can serve as auxiliary structures for manual analysis of suspicious applications.

Keywords: Android applications, dynamic analysis, Android emulator, user interaction automation, API calls, permissions, dynamic behavior model, machine learning
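The following is an added illustration of the pipeline the abstract describes, written for this page and not the authors' code: a dynamic behavior model as a graph of states with edges labelled by (input, reaction) pairs, basic malware models derived from a sample collection by clustering, and a feature vector built from model comparison plus API-call information. Everything concrete here is an assumption: the states are labelled by the screen an app shows, model comparison is a Jaccard index over labelled edges, the clustering is single-linkage agglomerative with a fixed threshold, the sensitive-API set is a two-entry placeholder, and the traces are constructed, not captured from real samples. The classifier itself (gradient boosting in the paper) is left out; the feature vectors are what it would consume.

```python
from collections import defaultdict
from itertools import combinations


class BehaviorModel:
    """Graph of application states; each edge carries a set of (input, reaction) labels.
    An input is a user action or system event, a reaction is the API-call sequence observed."""

    def __init__(self):
        self.states = set()
        self.edges = defaultdict(set)  # (src_state, dst_state) -> {(input, reaction_tuple)}

    def add_transition(self, src, user_input, reaction, dst):
        self.states.update((src, dst))
        self.edges[(src, dst)].add((user_input, tuple(reaction)))

    def labelled_edges(self):
        """Flatten to a set of (src, dst, input, reaction) tuples so models can be compared."""
        return {(s, d, i, r) for (s, d), labs in self.edges.items() for (i, r) in labs}

    def api_calls(self):
        return {call for labs in self.edges.values() for (_, reaction) in labs for call in reaction}


def build_model(trace):
    """trace: list of (state_before, input, [api calls], state_after) tuples from a dynamic run."""
    model = BehaviorModel()
    for src, user_input, reaction, dst in trace:
        model.add_transition(src, user_input, reaction, dst)
    return model


def similarity(a, b):
    """Jaccard index over labelled edges (assumed comparison measure); 1.0 = identical behaviour."""
    ea, eb = a.labelled_edges(), b.labelled_edges()
    union = ea | eb
    return len(ea & eb) / len(union) if union else 1.0


def cluster_models(models, threshold):
    """Single-linkage agglomerative clustering via union-find: models whose similarity
    reaches the threshold end up in the same cluster."""
    parent = list(range(len(models)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(models)), 2):
        if similarity(models[i], models[j]) >= threshold:
            parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i, model in enumerate(models):
        groups[find(i)].append(model)
    return list(groups.values())


def merge_models(models):
    """Basic model of a cluster: the union of its members' transitions."""
    merged = BehaviorModel()
    for model in models:
        for (s, d), labs in model.edges.items():
            for user_input, reaction in labs:
                merged.add_transition(s, user_input, reaction, d)
    return merged


# Placeholder list of API calls worth counting; a real deployment would use a curated set.
SENSITIVE_APIS = {"SmsManager.sendTextMessage", "TelephonyManager.getDeviceId"}


def feature_vector(model, basic_models):
    """Similarity to every basic malware model, followed by structural and API-call features."""
    calls = model.api_calls()
    return [round(similarity(model, b), 3) for b in basic_models] + [
        len(model.states),
        len(model.labelled_edges()),
        len(calls),
        len(calls & SENSITIVE_APIS),
    ]


# Constructed traces standing in for a malware collection and one benign app (not real samples).
MALWARE_TRACES = [
    [("Main", "BOOT_COMPLETED", ["TelephonyManager.getDeviceId", "SmsManager.sendTextMessage"], "Main"),
     ("Main", "click:ok", ["Activity.finish"], "Exit")],
    [("Main", "BOOT_COMPLETED", ["TelephonyManager.getDeviceId", "SmsManager.sendTextMessage"], "Main"),
     ("Main", "click:start", ["HttpURLConnection.connect"], "Main")],
    [("Splash", "click:next", ["SharedPreferences.edit"], "Settings")],  # unrelated behaviour
]
BENIGN_TRACE = [
    ("Main", "click:refresh", ["HttpURLConnection.connect"], "Main"),
    ("Main", "click:settings", ["SharedPreferences.edit"], "Settings"),
]


def demo():
    """Cluster the collection into basic models, then featurise one known sample and the benign app."""
    samples = [build_model(t) for t in MALWARE_TRACES]
    basic = [merge_models(c) for c in cluster_models(samples, threshold=0.3)]
    return basic, feature_vector(samples[0], basic), feature_vector(build_model(BENIGN_TRACE), basic)


if __name__ == "__main__":
    basic, fv_malicious, fv_benign = demo()
    print(len(basic), "basic models")
    print("malicious sample features:", fv_malicious)
    print("benign app features:      ", fv_benign)
```

With these traces the first two samples share the boot-triggered transition and merge into one basic model, the third forms its own cluster, and the resulting vectors separate cleanly: the known sample scores a high similarity to its cluster's basic model and two sensitive-API hits, the benign app scores zero on both. In practice the threshold, the comparison measure and the API list would be tuned on labelled data rather than fixed as here.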