Understanding Concept Drift with Deprecated Permissions in Android Malware Detection
Ahmed Sabbah, Radi Jarrar, Samer Zein, David Mohaisen

TL;DR
This paper examines how deprecated and restricted Android permissions affect malware detection models, finding that excluding them can marginally improve accuracy and enhance concept drift detection over time.
Contribution
It investigates the impact of deprecated permissions on Android malware detection models and demonstrates that excluding them can improve concept drift detection and model robustness.
Findings
Excluding deprecated permissions marginally improves detection accuracy.
Removing restricted permissions enhances concept drift detection.
Dataset balancing reduces low-accuracy instances and improves drift detection.
Abstract
Permission analysis is a widely used method for Android malware detection. It involves examining the permissions requested by an application to access sensitive data or perform potentially malicious actions. In recent years, various machine learning (ML) algorithms have been applied to Android malware detection using permission-based features and feature selection techniques, often achieving high accuracy. However, these studies have largely overlooked important factors such as protection levels and the deprecation or restriction of permissions due to updates in the Android OS -- factors that can contribute to concept drift. In this study, we investigate the impact of deprecated and restricted permissions on the performance of machine learning models. A large dataset containing 166 permissions was used, encompassing more than 70,000 malware and benign applications. Various machine…
