Andro-Profiler

1.  Introduction

Mass-market mobile security threats have increased recently due to the growth of mobile technologies and the popularity of mobile devices. Accordingly, techniques have been introduced for identifying, classifying, and defending against mobile threats utilizing static, dynamic, on-device, and off-device techniques. Static techniques are easy to evade, while dynamic techniques are expensive. On-device techniques are evasion, while off-device techniques need being always online. To address some of those shortcomings, we introduce Andro-profiler, a hybrid behavior based analysis and classification system for mobile malware. Andro-profiler main goals are efficiency, scalability, and accuracy. For that, Andro-profiler classifies malware by exploiting the behavior profiling extracted from the integrated system logs including system calls. Andro-profiler executes a malicious application on an emulator in order to generate the integrated system logs, and creates human-readable behavior profiles by analyzing the integrated system logs. By comparing the behavior profile of malicious application with representative behavior profile for each malware family using a weighted similarity matching technique, Andro-profiler detects and classifies it into malware families. The experiment results demonstrate that Andro-profiler is scalable, performs well in detecting and classifying malware with accuracy greater than 98 %, outperforms the existing state-of-the-art work, and is capable of identifying 0-day mobile malware samples.

2.  Publication

Jang, Jae-wook, et al. "Detecting and classifying method based on similarity matching of Android malware behavior with profile." SpringerPlus 5.1 (2016): 1.

http://springerplus.springeropen.com/articles/10.1186/s40064-016-1861-x

• Download full paper

• Download citation as EndNote

A two-page abstract on this work was firstly appeared in Jang, Jae-wook, et al. "Andro-profiler: anti-malware system based on behavior profiling of mobile malware." Proceedings of the companion publication of the 23rd international conference on World wide web companion. International World Wide Web Conferences Steering Committee, 2014. (WWW 2014)

• Download extended abstract

• Download citation as BibTex

3.  Dataset Release

• For full dataset access

  • For academic purposes, we are happy to release our dataset. However, to avoid indiscriminate distribution of mobile malware, you need the password to unzip the dataset. Please send us a request sent by your official email account. If you use our dataset for your experiment, please cite our paper.

  • Contact : Huy Kang Kim (cenda at korea.ac.kr)

  • If you want to download dataset, please fill out the questionnaire at the following URL.

  • Before downloading it, please read the following instructions carefully.

    1. 1. 1. 1. • (1) The most of samples are zipped using 7zip.

                • (2) Then send e-mail to cenda at korea.ac.kr to get the decompress password. (Please identify your name, affiliation and purpose.)

                • (3) Please use these samples at your own risk. 

• • Dataset Download Link: Download

    1. 1. 1. 1. • 8840 benign samples from Google Play

                • 702 malware samples (We add some more samples than used in the paper (643 samples), you can find all descriptions in the excel file in 7zip file.)

                • 225 samples misclassified by Andro-Profiler (mentioned in Page 20 of the paper)

                • Additional 91 Zero-day samples (described in Effectiveness of detecting 0‐day malware section of the paper) 

                • If you want to perform comparative analysis with our older version of publication appeared in SIMPLEX workshop 2014 , then use these following two dataset. 

                  • Jang, Jae-wook, et al. "Andro-profiler: anti-malware system based on behavior profiling of mobile malware." Proceedings of the companion publication of the 23rd international conference on World wide web companion. International World Wide Web Conferences Steering Committee, 2014.

                  • Benign_apps 350

                  • Malware apps 709 

• For quick access

  • We outline the false positive GooglePlay samples in the Andro-Profiler paper's subsection 'Discriminatory Ability Between Malware and Benign', which were diagnosed as malware by VirusTotal dataset. (See the attached csv file, "FP GooglePlay samples.csv" at the bottom of this page.)

4.  Demo Video Clip (early version) 

• https://youtu.be/m9Uy5mxOzCY 

5.  Acknowledgement

Andro-Profiler is developed by Hacking and Countermeasure Research Lab in the Graduate School of Information Security at the Korea University of Korea.

This dataset is used for the AI/ML based malicious app detection track in '2018 Information Security R&D dataset challenge' in South Korea. 

You can find additional resources and tutorials (written in Korean) in the above URLs.