Malware Detection in Android Phones
Anchor Academic Publishing (publisher)
978-3-96067-204-3 (ISBN)
Using a machine learning-based classifier to detect malware raises a basic challenge: given an application, we must extract some feature representation of it. To address this, we extract a heterogeneous feature set and process each feature independently using multiple kernels. We then train a One-Class Support Vector Machine on the resulting feature set to classify the application as benign or malware.
Text Sample:
CHAPTER 2: METHODOLOGY
Our method for the detection of Android malware is based on two key observations. First, the malicious functionality of an Android application is often concentrated in only a small number of its functions; second, similar malicious code is found throughout the malware landscape, because attackers reuse existing code to infect different applications.
Here we describe our approach to malware detection on the Android system. The steps involved are as follows:
Step 1: Upload an Android application file (.apk extension).
Step 2: Decompile the Android application.
Step 3: Extract the application's function call graph, which contains a node for each function of the application. Nodes are labelled according to the instructions contained in their corresponding functions.
Step 4: A Neighbourhood Hash Graph Kernel converts the function call graph into a feature set that can be classified by the SVM (Support Vector Machine).
Step 5: The Support Vector Machine compares the resulting features of the application with those of known malware applications to decide whether the application is malicious.
The project is divided into the following three modules:
REVERSE ENGINEERING OF THE ANDROID APPLICATION
In reverse engineering of the Android application, we decompile the application into .java files so that methods, along with their class names, can be extracted. We use the decompiled code to draw the function call graph of a given Android application. The steps involved are as follows:
1. Conversion of the .apk file to a jar file
Here we use the dex2jar tool. There is no direct method for obtaining Java source code from a .apk file, so the Dalvik bytecode in the .apk is first converted into a jar archive of Java class files.
2. Conversion of the jar file to java files
Here we use jd-cli, a command-line tool that decompiles jar files into .java source files.
[...]
CHAPTER 4: DEVELOPMENT PHASES
We are provided with a dataset of 91 Android applications, of which roughly 70% are malware and 30% are benign. Our project was divided into three main phases.
Preprocessing of dataset
In this phase we pre-process the data using the following steps:
- Decompiling the application to obtain its source code
- Creation of the function call graph
- Labelling of each node with a 15-bit number
- After pre-processing, the pre-processed data of the application is stored in a text file.
Analysis of dataset
After pre-processing we create a default vector corresponding to our malware samples. This vector is the centroid of our dataset.
The application under scrutiny is compared against this default vector to measure how malware-like it is. Our entire concept rests on the fact that each type of malware has a similar structure.
After analysing the dataset we find that the maximum hash value is 998 and the maximum frequency of any hash value is 775. These two bounds let us fix the size of the feature vector at a constant 775 × 998.
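Steps 3 to 5 of the methodology, the 15-bit node labels of the pre-processing phase and the centroid comparison described just above, as one added example written for this page (it is not the book's code). It assumes each function has already been reduced, after dex2jar and decompilation, to the list of Dalvik mnemonics it contains and the set of functions it calls; the grouping of mnemonics into 15 opcode families, the neighbourhood hash (rotate the node's own label by one bit, XOR the labels of its callees), the cosine score against the centroid, the 0.5 threshold and the three toy applications are all assumptions made for the illustration.

```python
"""Neighbourhood hash graph kernel over Android function call graphs.

Added example for this page, not the book's code. Assumes each function has
already been reduced (after dex2jar / decompilation) to the list of Dalvik
mnemonics it executes and the set of functions it calls. The 15 opcode
families, the toy apps, the cosine score and the 0.5 threshold are assumptions.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

LABEL_BITS = 15
LABEL_MASK = (1 << LABEL_BITS) - 1

# Assumed grouping of Dalvik mnemonics into 15 families; bit i of a node's
# label is set if the function contains any instruction of family i.
OPCODE_FAMILIES: List[Tuple[str, ...]] = [
    ("nop",), ("move",), ("return",), ("const",), ("monitor",),
    ("check-cast", "instance-of"), ("new-", "filled-new-array"),
    ("array-length", "aget", "aput"), ("throw",),
    ("goto", "packed-switch", "sparse-switch"), ("cmp",), ("if-",),
    ("iget", "iput", "sget", "sput"), ("invoke",),
    ("neg-", "not-", "int-to", "long-to", "float-to", "double-to", "add-",
     "sub-", "mul-", "div-", "rem-", "and-", "or-", "xor-", "shl-", "shr-", "ushr-"),
]

# An application: function name -> (mnemonics it contains, functions it calls).
App = Dict[str, Tuple[List[str], Set[str]]]


def label_function(mnemonics: List[str]) -> int:
    """15-bit node label derived from the instructions of one function."""
    label = 0
    for mnemonic in mnemonics:
        for bit, prefixes in enumerate(OPCODE_FAMILIES):
            if mnemonic.startswith(prefixes):
                label |= 1 << bit
                break
    return label


def rot1(x: int) -> int:
    """Rotate a 15-bit label left by one bit."""
    return ((x << 1) | (x >> (LABEL_BITS - 1))) & LABEL_MASK


def neighbourhood_hash(app: App) -> Dict[str, int]:
    """One pass over the nodes (linear in nodes plus edges): a node's hash is
    its own rotated label XORed with the labels of the functions it calls, so
    a function and its immediate call neighbourhood share one 15-bit value."""
    labels = {fn: label_function(code) for fn, (code, _) in app.items()}
    hashed = {}
    for fn, (_, callees) in app.items():
        h = rot1(labels[fn])
        for callee in callees:
            h ^= labels.get(callee, 0)  # calls to code outside the graph add nothing
        hashed[fn] = h
    return hashed


def feature_vector(app: App) -> Counter:
    """Histogram of neighbourhood hashes: the feature set handed to the kernel."""
    return Counter(neighbourhood_hash(app).values())


def nhgk(v1: Counter, v2: Counter) -> float:
    """Kernel value: shared hash labels over the size of the union (0..1)."""
    common = sum((v1 & v2).values())
    total = sum(v1.values()) + sum(v2.values()) - common
    return common / total if total else 0.0


def centroid(vectors: List[Counter]) -> Dict[int, float]:
    """The 'default vector': mean histogram over the malware samples."""
    acc: Counter = Counter()
    for v in vectors:
        acc.update(v)
    return {k: c / len(vectors) for k, c in acc.items()}


def similarity_to_centroid(vec: Counter, cent: Dict[int, float]) -> float:
    """Cosine similarity between an application and the malware centroid."""
    dot = sum(c * cent.get(k, 0.0) for k, c in vec.items())
    n1 = sum(c * c for c in vec.values()) ** 0.5
    n2 = sum(c * c for c in cent.values()) ** 0.5
    return dot / (n1 * n2) if n1 and n2 else 0.0


def classify(app: App, cent: Dict[int, float], threshold: float = 0.5) -> bool:
    """True if the application resembles the malware the centroid was built from."""
    return similarity_to_centroid(feature_vector(app), cent) >= threshold


# Constructed toy applications, not real samples. A and B reuse the same
# SMS-sending function, which is exactly what the kernel is meant to pick up.
MALWARE_A: App = {
    "Main.onCreate": (["invoke-virtual", "return-void"], {"Net.send", "Sms.send"}),
    "Net.send": (["const-string", "invoke-virtual", "return-void"], set()),
    "Sms.send": (["const-string", "invoke-static", "return-void"], set()),
}
MALWARE_B: App = {
    "Launcher.run": (["invoke-virtual", "return-void"], {"Sms.send"}),
    "Sms.send": (["const-string", "invoke-static", "return-void"], set()),
}
BENIGN_C: App = {
    "Main.onCreate": (["invoke-virtual", "return-void"], {"View.draw"}),
    "View.draw": (["iget-object", "add-int", "invoke-virtual", "return-void"], set()),
}

if __name__ == "__main__":
    cent = centroid([feature_vector(MALWARE_A), feature_vector(MALWARE_B)])
    for name, app in [("A", MALWARE_A), ("B", MALWARE_B), ("C", BENIGN_C)]:
        score = similarity_to_centroid(feature_vector(app), cent)
        print(f"{name}: similarity {score:.3f} -> {'malware' if classify(app, cent) else 'benign'}")
```

The reused Sms.send function gives A and B a common hash value, so nhgk(A, B) is 0.25 while nhgk(A, C) is 0, and B scores about 0.85 against the centroid where C scores 0. For the SVM of the classification phase, the kernel matrix nhgk(v_i, v_j) over all training applications is what would be fed in; the centroid score is the simpler "default vector" comparison of the analysis phase. Because the histogram is kept sparse, no padding to a fixed size is needed here.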
Classification
After creating the labels for the functions of all applications in the dataset, the dataset is used to train the SVM. To train the SVM we use the NHGK kernel to map the data into a space in which it is linearly separable. The advantage of the NHGK kernel is that it avoids an explicit graph isomorphism test: computing the neighbourhood hashes is linear in the size of the graph, O(n). We store the processed hashed data of all applications in a text file.
Result
We have successfully classified Android applications for fake installer malware. Our project classifies with an accuracy of 69%. Since roughly 70% of the dataset is malware, a classifier that labels every application as malware would already reach about 70%, so this figure should be read against that majority-class baseline.
| Publication date | 04.03.2022 |
|---|---|
| Language | English |
| Dimensions | 155 x 220 mm |
| Weight | 91 g |
| Subject area | Computer science ► Operating systems / Servers ► Android |
| | Mathematics / Computer science ► Computer science ► Networks |
| Keywords | Android application • Android malware • android security • DroidDream • Information Security • Kernel • Machine learning-based classifier • One-Class Support Vector Machine • operating system • Smart phone application |
| ISBN-10 | 3-96067-204-7 / 3960672047 |
| ISBN-13 | 978-3-96067-204-3 / 9783960672043 |
| Condition | New |