Android Malware Detection using Deep Learning on API Method Sequences

TL;DR

This paper introduces MalDozer, a deep learning-based framework that classifies Android apps as malicious or benign using API method call sequences, achieving high accuracy and low false positives across diverse datasets.

Contribution

The paper presents a novel API sequence-based deep learning approach for Android malware detection and family attribution, suitable for deployment on various devices.

Findings

F1-Score of 96%-99% in malware detection

False positive rate of 0.06%-2%

Effective across multiple datasets and device types

Abstract

Android OS experiences a blazing popularity since the last few years. This predominant platform has established itself not only in the mobile world but also in the Internet of Things (IoT) devices. This popularity, however, comes at the expense of security, as it has become a tempting target of malicious apps. Hence, there is an increasing need for sophisticated, automatic, and portable malware detection solutions. In this paper, we propose MalDozer, an automatic Android malware detection and family attribution framework that relies on sequences classification using deep learning techniques. Starting from the raw sequence of the app's API method calls, MalDozer automatically extracts and learns the malicious and the benign patterns from the actual samples to detect Android malware. MalDozer can serve as a ubiquitous malware detection system that is not only deployed on servers, but also on mobile and even IoT devices. We evaluate MalDozer on multiple Android malware datasets ranging from 1K to 33K malware apps, and 38K benign apps. The results show that MalDozer can correctly detect malware and attribute them to their actual families with an F1-Score of 96%-99% and a false positive rate of 0.06%-2%, under all tested datasets and settings.