MaMaDroid
ACM Transactions on Privacy and Security (IF 2.3), Pub Date: 2019-04-10, DOI: 10.1145/3313391
Lucky Onwuzurike (1), Enrico Mariconti (1), Panagiotis Andriotis (2), Emiliano De Cristofaro (1), Gordon Ross (1), Gianluca Stringhini (3)

As Android has become increasingly popular, so has malware targeting it, thus motivating the research community to propose different detection techniques. However, the constant evolution of the Android ecosystem, and of malware itself, makes it hard to design robust tools that can operate for long periods of time without the need for modifications or costly re-training. Aiming to address this issue, we set out to detect malware from a behavioral point of view, modeled as the sequence of abstracted API calls. We introduce MaMaDroid, a static-analysis-based system that abstracts an app's API calls to their class, package, or family, and builds a model from their sequences, obtained from the call graph of an app, as Markov chains. This ensures that the model is more resilient to API changes and that the feature set is of manageable size. We evaluate MaMaDroid using a dataset of 8.5K benign and 35.5K malicious apps collected over a period of 6 years, showing that it effectively detects malware (with up to 0.99 F-measure) and keeps its detection capabilities for long periods of time (up to 0.87 F-measure 2 years after training). We also show that MaMaDroid remarkably outperforms DroidAPIMiner, a state-of-the-art detection system that relies on the frequency of (raw) API calls. Aiming to assess whether MaMaDroid's effectiveness mainly stems from the API abstraction or from the sequence modeling, we also evaluate a variant of it that uses the frequency (instead of sequences) of abstracted API calls. We find that it is not as accurate, failing to capture maliciousness when trained on malware samples that include API calls that are equally or more frequently used by benign apps.
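The abstraction-plus-Markov-chain step the abstract describes, as an added example that is not the authors' code: constructed call sequences are abstracted to their family or package, consecutive pairs are counted, and the row-normalised transition probabilities form a fixed-order feature vector. The family list and the "last two dotted components are Class.method" split are assumptions, and the paper's handling of obfuscated names is omitted.

```python
from collections import Counter, defaultdict

# Assumed family list for family mode; anything outside it is treated as the
# app's own (self-defined) code. Obfuscation detection is not modelled here.
FAMILIES = ("android", "google", "java", "javax", "xml", "apache", "junit", "json", "dom")

# Constructed sample: call sequences as a call-graph walk might yield them.
SAMPLE_SEQUENCES = [
    ["android.telephony.TelephonyManager.getDeviceId",
     "java.lang.StringBuilder.append",
     "java.net.HttpURLConnection.connect"],
    ["android.telephony.SmsManager.sendTextMessage",
     "java.lang.StringBuilder.append",
     "java.net.HttpURLConnection.connect"],
    ["com.example.app.MainActivity.onCreate",
     "android.telephony.TelephonyManager.getDeviceId"],
    ["java.lang.StringBuilder.append", "android.util.Log.d"],
]

def abstract_call(api, mode="family"):
    """Map 'pkg.sub.Class.method' to its family or package name."""
    package = api.rsplit(".", 2)[0]        # assumption: strip Class.method
    family = package.split(".", 1)[0]
    if family not in FAMILIES:
        return "self-defined"
    return family if mode == "family" else package

def markov_chain(sequences, mode="family"):
    """Count transitions between consecutive abstracted calls and normalise
    each row, giving P(next state | current state)."""
    counts = defaultdict(Counter)
    for seq in sequences:
        states = [abstract_call(api, mode) for api in seq]
        for cur, nxt in zip(states, states[1:]):
            counts[cur][nxt] += 1
    return {cur: {nxt: n / sum(row.values()) for nxt, n in row.items()}
            for cur, row in counts.items()}

def feature_vector(chain, states):
    """Flatten the chain over a fixed state order so that vectors from
    different apps line up; transitions never seen are 0.0."""
    return [chain.get(a, {}).get(b, 0.0) for a in states for b in states]

if __name__ == "__main__":
    chain = markov_chain(SAMPLE_SEQUENCES, "family")
    states = sorted(set(chain) | {s for row in chain.values() for s in row})
    print(chain)
    print(feature_vector(chain, states))
```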

Updated: 2019-04-10