
Malware detection by applying knowledge discovery processes to application metadata on the Android Market (Google Play)


Abstract

Recent smartphone platforms based on new operating systems, such as iOS, Android, or Windows Phone, have been a huge success in recent years and open up many new opportunities. Unfortunately, 2011 also showed us that the new technologies and the privacy-related data on smartphones are also increasingly interesting for attackers. Especially, the Android platform has been the favorite target for malware, mainly because of the openness of the platform, the ability to install applications from other sources than the Android Market, and the significant gains in market share. Although the processes of detecting and analyzing malware are well known from the PC world, where the arms race between attackers and defenders has continued for the past 15 years, they cannot be directly applied to smartphone platforms because of differences in the hardware and software architectures. In this paper, we first give an overview of the current malware situation on smartphone platforms with a special focus on Android and explain relevant malware detection and analysis methods. It turns out that most of the current malware relies on the installation by the user, who represents the last line of defense in malware detection. With these conclusions, we then present a new malware detection method that focuses on the information that the user is able to see prior to the installation of an application: the metadata within the platform's software market. Depending on the platform, this includes the application's description, its permissions, the ratings, or information about the developer. To analyze these data, we use sophisticated knowledge discovery processes and lean statistical methods. By presenting a wide range of examples based on real application metadata extracted from the Android Market, we show the possibilities of the new method. With the possibilities, we argue that it should be an essential part of a complete malware analysis/detection chain that includes other well-known methods such as network traffic analysis, or static, or dynamic code inspection. Copyright (c) 2013 John Wiley & Sons, Ltd.

Bibliographic details

  • Source
    Security and Communications Networks | 2016, Issue 5 | pp. 389-419 | 31 pages
  • Author affiliations

    Graz Univ Technol, Inst Appl Informat Proc & Commun IAIK, Inffeldgasse 16a, A-8010 Graz, Austria;

    Graz Univ Technol, Inst Appl Informat Proc & Commun IAIK, Inffeldgasse 16a, A-8010 Graz, Austria;

    Graz Univ Technol, Inst Appl Informat Proc & Commun IAIK, Inffeldgasse 16a, A-8010 Graz, Austria;

    Graz Univ Technol, Inst Appl Informat Proc & Commun IAIK, Inffeldgasse 16a, A-8010 Graz, Austria;

    Graz Univ Technol, Inst Appl Informat Proc & Commun IAIK, Inffeldgasse 16a, A-8010 Graz, Austria;

    Graz Univ Technol, Inst Appl Informat Proc & Commun IAIK, Inffeldgasse 16a, A-8010 Graz, Austria;

  • Indexing information
  • Original format: PDF
  • Text language: eng
  • Chinese Library Classification
  • Keywords

    knowledge discovery; Android; malware detection and analysis; IT security;

  • Date added: 2022-08-18 01:42:54
