On Existence of Common Malicious System Call Codes in Android Malware Families

Most of the existing Android malware detection mechanisms are based on machine learning algorithms. The problem with the machine learning approaches is the difficulty in finding the best features that uniquely characterize the malwares. Hence, in this article we explore the property that uniquely characterizes Android malware applications. Toward this, we model the system call sequence generated by a malware application as a stationary first-order ergodic Markov chain and prove the existence of typical patterns which contains the malicious system call code of the application. In our implementation, we find the occurrence of common malicious system call codes in the system call sequence of several malware families. Finally a malware detection mechanism is proposed based on the occurrence of malicious system call codes in the system call sequence of an application. We obtain a consistent accuracy of around 0.95 in balanced, slightly unbalanced, and highly unbalanced data sets. In the balanced and slightly unbalanced data sets we obtain greater precision than 0.90; whereas in the highly unbalanced data sets the precision obtained are slightly lower at 0.72.