MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models

TL;DR

MaMaDroid is a malware detection system that models app behavior using Markov chains of abstracted API calls, demonstrating high accuracy and resilience over multiple years, outperforming existing methods.

Contribution

It introduces a robust behavioral modeling approach using Markov chains with API call abstraction, maintaining effectiveness over long periods without retraining.

Findings

Achieves up to 99% F-measure in malware detection.

Maintains 86% and 75% F-measure after one and two years.

Outperforms DroidAPIMiner significantly.

Abstract

The rise in popularity of the Android platform has resulted in an explosion of malware threats targeting it. As both Android malware and the operating system itself constantly evolve, it is very challenging to design robust malware mitigation techniques that can operate for long periods of time without the need for modifications or costly re-training. In this paper, we present MaMaDroid, an Android malware detection system that relies on app behavior. MaMaDroid builds a behavioral model, in the form of a Markov chain, from the sequence of abstracted API calls performed by an app, and uses it to extract features and perform classification. By abstracting calls to their packages or families, MaMaDroid maintains resilience to API changes and keeps the feature set size manageable. We evaluate its accuracy on a dataset of 8.5K benign and 35.5K malicious apps collected over a period of six years, showing that it not only effectively detects malware (with up to 99% F-measure), but also that the model built by the system keeps its detection capabilities for long periods of time (on average, 86% and 75% F-measure, respectively, one and two years after training). Finally, we compare against DroidAPIMiner, a state-of-the-art system that relies on the frequency of API calls performed by apps, showing that MaMaDroid significantly outperforms it.