Android Malware Detection Method Based on Permission Complement and API Calls

作     者：YANG Jiyun TANG Jiang YAN Ran XIANG Tao YANG Jiyun;TANG Jiang;YAN Ran;XIANG Tao

作者机构：College of Computer Science Chongqing University 

出 版 物：《Chinese Journal of Electronics》 (电子学报(英文))

年 卷 期：2022年第31卷第4期

页      面：773-785页

核心收录：

学科分类：0839[工学-网络空间安全] 08[工学] 0835[工学-软件工程] 081201[工学-计算机系统结构] 081202[工学-计算机软件与理论] 0812[工学-计算机科学与技术（可授工学、理学学位）] 

基　　金：supported by the Technological Innovation and Application Projects of Chongqing (cstc2019jscx-msxmX0077) 

主　　题：Android Malware detection Dynamic code loading Permission complement 

摘      要：The dynamic code loading mechanism of the Android system allows an application to load executable files externally at runtime. This mechanism makes the development of applications more convenient, but it also brings security issues. Applications that hide malicious behavior in the external file by dynamic code loading are becoming a new challenge for Android malware detection. To overcome this challenge, based on dynamic code loading mechanisms, three types of threat models,i.e. Model I, Model II, and Model III are defined. For the Model I type malware, its malicious behavior occurs in Dex Code, so the application programming interface(API)classes were used to characterize the behavior of the DexCode file. For the Model II type and Model III type malwares whose malicious behaviors occur in an external file,the permission complement is defined to characterize the behaviors of the external file. Based on permission complement and API calls, an Android malicious application detection method is proposed, of which feature sets are constructed by improving a feature selection method. Five datasets containing 15,581 samples are used to evaluate the performance of the proposed method. The experimental results show that our detection method achieves accuracy of 99.885% on general dataset, and performes the best on all evaluation metrics on all datasets in all comparison methods.