Malware detection by applying knowledge discovery processes to application metadata on the Android Market (Google Play)

Authors

  • Peter Teufl,

    Corresponding author
    1. Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, Graz, Austria
    • Correspondence

      Peter Teufl, Institute for Applied Information Processing and Communications IAIK, Graz University of Technology, Inffeldgasse 16a, 8010 Graz, Austria.

      E-mail: peter.teufl@iaik.tugraz.at

  • Michaela Ferk,

    1. Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, Graz, Austria
  • Andreas Fitzek,

    1. Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, Graz, Austria
  • Daniel Hein,

    1. Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, Graz, Austria
  • Stefan Kraxberger,

    1. Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, Graz, Austria
  • Clemens Orthacker

    1. Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology, Inffeldgasse 16a, Graz, Austria

Abstract

Smartphone platforms based on new operating systems, such as iOS, Android, or Windows Phone, have been a huge success in recent years and open up many new opportunities. Unfortunately, 2011 also showed us that the new technologies and the privacy-related data on smartphones are increasingly interesting for attackers. The Android platform in particular has been the favorite target for malware, mainly because of the openness of the platform, the ability to install applications from sources other than the Android Market, and the significant gains in market share. Although the processes of detecting and analyzing malware are well known from the PC world, where the arms race between attackers and defenders has continued for the past 15 years, they cannot be directly applied to smartphone platforms because of differences in the hardware and software architectures. In this paper, we first give an overview of the current malware situation on smartphone platforms with a special focus on Android and explain relevant malware detection and analysis methods. It turns out that most of the current malware relies on installation by the user, who represents the last line of defense in malware detection. Based on these conclusions, we then present a new malware detection method that focuses on the information that the user is able to see prior to the installation of an application: the metadata within the platform's software market. Depending on the platform, this includes the application's description, its permissions, the ratings, or information about the developer. To analyze these data, we use sophisticated knowledge discovery processes and lean statistical methods. By presenting a wide range of examples based on real application metadata extracted from the Android Market, we show the possibilities of the new method. Given these possibilities, we argue that it should be an essential part of a complete malware analysis/detection chain that includes other well-known methods such as network traffic analysis and static or dynamic code inspection.

Copyright © 2013 John Wiley & Sons, Ltd.
