A Novel Android Malware Detection Approach Using Operand Sequences

Abstract

Android malware detection has become increasingly important over the past few years, due to the popularity of Android devices and the explosive growth of Android applications. This asks for more effective techniques to detect the Android malware. Some works in the literature show that the opcode sequences have a remarkable effect on Android malware detection. However, they omitted the information contained in operand sequences. In this paper, we do not analyse the opcode sequences but the API calls used in operand sequences, and abstract the API calls to their package names with the aim to be resilient to API changes in different Android API levels. In order to avoid to be computationally expensive, we only capitalize on the n-grams analysis. In addition, we apply the package level information extracted from API calls to build a Android malware prediction model. We perform experiments on malicious Android applications, composed of 5560 malware samples which are belong to Drebin dataset, 361 malware samples collected from Contagio Mobile Malware and 5900 benign Android applications retrieved from Google Play. Results show that the accuracy of our approach exceeds the opcode n-grams in some ways.