A Preliminary Study On the Sustainability of Android Malware Detection
Haipeng Cai

TL;DR
This study analyzes the evolution of Android apps over seven years, revealing consistent behavioral differences between benign and malicious apps, and introduces DroidSpan, a behavioral profile-based malware detector with high long-term accuracy and resilience.
Contribution
The paper presents DroidSpan, a novel malware detection system based on behavioral profiles, demonstrating superior long-term sustainability and resistance to evasion compared to existing methods.
Findings
DroidSpan achieves 93% F1 score over four years.
Behavioral differences between malware and benign apps are consistent over time.
DroidSpan is resilient to sophisticated evasion techniques.
Abstract
Machine learning-based malware detection dominates current security defense approaches for Android apps. However, due to the evolution of Android platforms and malware, existing such techniques are widely limited by their need for constant retraining that is costly, and reliance on new malware samples that may not be available in time. As a result, new and emerging malware slips through, as seen from the continued surging of malware in the wild. Thus, a more practical detector needs not only to be accurate but, more critically, to be able to sustain its capabilities over time without frequent retraining. In this paper, we study how Android apps evolve as a population over time, in terms of their behaviors related to accesses to sensitive information and operations. We first perform a longitudinal characterization of 6K benign and malicious apps developed across seven years, with focus…
