
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models


Abstract

The rise in popularity of the Android platform has resulted in an explosion of malware threats targeting it. As both Android malware and the operating system itself constantly evolve, it is very challenging to design robust malware mitigation techniques that can operate for long periods of time without the need for modifications or costly re-training. In this paper, we present MaMaDroid, an Android malware detection system that relies on app behavior. MaMaDroid builds a behavioral model, in the form of a Markov chain, from the sequence of abstracted API calls performed by an app, and uses it to extract features and perform classification. By abstracting calls to their packages or families, MaMaDroid maintains resilience to API changes and keeps the feature set size manageable. We evaluate its accuracy on a dataset of 8.5K benign and 35.5K malicious apps collected over a period of six years, showing that it not only effectively detects malware (with up to 99% F-measure), but also that the model built by the system keeps its detection capabilities for long periods of time (on average, 86% and 75% F-measure, respectively, one and two years after training). Finally, we compare against DroidAPIMiner, a state-of-the-art system that relies on the frequency of API calls performed by apps, showing that MaMaDroid significantly outperforms it.
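
The feature-extraction idea in the abstract, as an added Python sketch that is not code from the paper or its authors: calls are abstracted to families, consecutive calls are counted as Markov-chain transitions, and the row-normalised matrix is flattened into a feature vector. The family list, the prefix table, the sample call sequences and the choice of transition probabilities as the features are assumptions made for illustration; the classifier itself is left out.

```python
from collections import Counter

# Assumed, abbreviated family list; the paper's own list is not on this page.
FAMILIES = ["android", "google", "java", "javax", "self-defined"]
PREFIXES = {"android.": "android", "com.google.": "google",
            "java.": "java", "javax.": "javax"}

def abstract_call(api_call):
    """Abstract a fully qualified call to its family; app code is 'self-defined'."""
    for prefix, family in PREFIXES.items():
        if api_call.startswith(prefix):
            return family
    return "self-defined"

def markov_features(sequences):
    """Flattened transition-probability matrix over FAMILIES (assumed feature form)."""
    counts = Counter()
    for seq in sequences:
        states = [abstract_call(call) for call in seq]
        counts.update(zip(states, states[1:]))  # consecutive calls = one transition
    features = {}
    for src in FAMILIES:
        total = sum(counts[(src, dst)] for dst in FAMILIES)
        for dst in FAMILIES:
            # A state that is never left keeps an all-zero row.
            features[(src, dst)] = counts[(src, dst)] / total if total else 0.0
    return features

# Constructed call sequences for a hypothetical app (not real analysis output).
SAMPLE_SEQUENCES = [
    ["com.example.app.Main.onCreate",
     "android.telephony.TelephonyManager.getDeviceId",
     "java.lang.StringBuilder.append",
     "java.net.URL.openConnection"],
    ["com.example.app.Main.onCreate",
     "android.telephony.SmsManager.sendTextMessage",
     "com.example.app.Main.log",
     "android.util.Log.d"],
    ["com.example.app.Net.send",
     "javax.crypto.Cipher.doFinal",
     "java.net.Socket.getOutputStream"],
]

if __name__ == "__main__":
    for (src, dst), p in markov_features(SAMPLE_SEQUENCES).items():
        if p:
            print(f"{src:>12} -> {dst:<12} {p:.2f}")
```

The vector length depends only on the number of families (here 5 x 5 = 25), so an API added in a later platform release still maps to an existing state and leaves the feature set unchanged.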
