Anomadroid: profiling Android applications' behaviors for identifying unknown malapps

Android has dominated the market of mobile devices. Meanwhile, it has become the main target for attackers. How to detect and analyze Android malicious applications (malapps) is an ongoing challenge. Current malapps have become increasingly sophisticated. In particular, zero-day (unknown) malapps appear very frequently and can evade most detection systems that are based on the signatures or patterns of existing malapps. In this work, we propose a system called Anomadroid (anomaly Android malapp detection system) that profiles the normal behaviors of Android apps based on only benign samples. Any app whose behaviors unacceptably deviate from the normal profile is identified as malicious. We firstly extract 4209 features that are divided into 9 categories such as permissions and APIs, from each app for the profiling. We then use term frequency-inverse document frequency (tf-idf) and employ k-Nearest Neighbor (k-NN) and Principal Component Analysis (PCA) for anomaly detection. We evaluate Anomadroid on a large app set consisting of 15,000 benign apps as well as 1500 malapps. The experimental results show that our system is better than existing methods and achieves a detection rate as 94.08% with false positive rate as 16.15%.