IntelliAV: Building an Effective On-Device Android Malware Detector
Mansour Ahmadi, Angelo Sotgiu, and Giorgio Giacinto

TL;DR
IntelliAV demonstrates that effective machine learning-based malware detection can be implemented directly on Android devices, offering improved performance and robustness against obfuscation compared to traditional signature-based solutions.
Contribution
This paper introduces a lightweight feature extraction and on-device machine learning model for Android malware detection, showing its practicality and effectiveness without reliance on signatures.
Findings
IntelliAV outperforms major anti-malware products in detection accuracy.
The system maintains high robustness against common obfuscation techniques.
On-device inference is feasible with limited computational resources.
Abstract
The importance of employing machine learning for malware detection has become explicit to the security community. Several anti-malware vendors have claimed and advertised the application of machine learning in their products in which the inference phase is performed on servers and high-performance machines, but the feasibility of such approaches on mobile devices with limited computational resources has not yet been assessed by the research community, vendors still being skeptical. In this paper, we aim to show the practicality of devising a learning-based anti-malware on Android mobile devices, first. Furthermore, we aim to demonstrate the significance of such a tool to cease new and evasive malware that can not easily be caught by signature-based or offline learning-based security tools. To this end, we first propose the extraction of a set of lightweight yet powerful features from…
Taxonomy
Topics: Advanced Malware Detection Techniques · Software Testing and Debugging Techniques · Network Security and Intrusion Detection
