Open Access
Differentiating Malicious and Benign Android App Operations Using Second‐Step Behavior Features
Author(s) -
LI Pengwei,
FU Jianming,
XU Chao,
CHENG Binlin,
ZHANG Huanguo
Publication year - 2019
Publication title -
Chinese Journal of Electronics
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.267
H-Index - 25
eISSN - 2075-5597
pISSN - 1022-4653
DOI - 10.1049/cje.2019.06.014
Subject(s) - computer science, Android (operating system), Android malware, operating system
Security‐sensitive operations in Android applications (apps for short) can be either benign or malicious. In this work, we introduce a static program analysis approach that extracts "second‐step behavior features", i.e., what was triggered by the security‐sensitive operation, to assist app analysis in differentiating between malicious and benign operations. Firstly, we summarize the characteristics of malicious operations, such as spontaneity, independence, stealthiness and continuity, which can be used to distinguish malicious operations from benign ones. Secondly, according to these characteristics, second‐step behavior features (SSBFs for short) are presented, including structural features and semantic features. Thirdly, an analysis prototype named SSdroid has been implemented to automatically extract the SSBFs of security‐sensitive operations. Finally, experiments on 9285 operations from both benign and malicious apps show that SSBFs are effective and useful. Our evaluation results suggest that second‐step behavior can greatly assist in Android malware detection.