A Data-driven Characterization of Modern Android Spyware
Abstract
According to Nokia's 2017 Threat Intelligence Report, 68.5% of malware targets the Android platform; Windows is second with 28%, followed by iOS and other platforms with 3.5%. The Android spyware family UAPUSH was responsible for the most infections, and several of the top 20 most common Android malware families were spyware. Simply put, modern spyware steals the basic information needed to fuel more damaging attacks such as ransomware and banking fraud. Not surprisingly, some forms of spyware are also classified as banking trojans (e.g., ACECARD). We present a data-driven characterization of the principal factors that distinguish modern Android spyware (July 2016 to July 2017) both from goodware and from other Android malware, using both traditional and deep machine learning. First, we propose an Ensemble Late Fusion (ELF) architecture that combines the predicted probabilities of multiple classifiers to generate a final prediction. We show that ELF outperforms several of the best-known traditional and deep learning classifiers. Second, we automatically identify key features that distinguish spyware both from goodware and from other malware. Finally, we present a detailed analysis of the factors distinguishing five important families of Android spyware: UAPUSH, PINCER, HEHE, USBCLEAVER, and ACECARD (the last is a hybrid spyware-banking trojan).
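The late-fusion step the abstract describes, as an added illustration that is not the paper's own ELF code: each base classifier emits a probability vector over the three outcomes the paper contrasts (goodware, other malware, spyware), and the ensemble combines those vectors rather than the hard labels. The two combination rules below (a weighted arithmetic mean and a product rule), the optional per-classifier weights, and the three "classifiers'" outputs are all assumptions for the example; the paper does not specify ELF's exact rule, and no models are trained here.

```python
"""Late fusion of per-classifier class probabilities (illustrative example).

Assumptions, not taken from the paper: the class set, the two fusion rules,
and the constructed classifier outputs in SAMPLES.
"""
from typing import Dict, List, Optional, Sequence, Tuple

CLASSES = ("goodware", "other_malware", "spyware")


def _normalise(scores: Sequence[float]) -> List[float]:
    total = sum(scores)
    if total <= 0:
        raise ValueError("scores must sum to a positive value")
    return [s / total for s in scores]


def _check_distribution(p: Sequence[float]) -> None:
    """Reject vectors that are not a distribution over CLASSES."""
    if len(p) != len(CLASSES):
        raise ValueError(f"expected {len(CLASSES)} probabilities, got {len(p)}")
    if any(x < 0 for x in p) or abs(sum(p) - 1.0) > 1e-6:
        raise ValueError(f"not a probability distribution: {p}")


def _weights_for(probs: Sequence[Sequence[float]],
                 weights: Optional[Sequence[float]]) -> List[float]:
    w = [1.0] * len(probs) if weights is None else list(weights)
    if len(w) != len(probs):
        raise ValueError("one weight per classifier")
    for p in probs:
        _check_distribution(p)
    return w


def mean_fusion(probs: Sequence[Sequence[float]],
                weights: Optional[Sequence[float]] = None) -> List[float]:
    """Weighted arithmetic mean of the classifiers' probability vectors."""
    w = _weights_for(probs, weights)
    fused = [0.0] * len(CLASSES)
    for wi, p in zip(w, probs):
        for k, pk in enumerate(p):
            fused[k] += wi * pk
    return _normalise(fused)


def product_fusion(probs: Sequence[Sequence[float]],
                   weights: Optional[Sequence[float]] = None) -> List[float]:
    """Weighted product rule: a classifier giving a class ~0 nearly vetoes it."""
    w = _weights_for(probs, weights)
    fused = [1.0] * len(CLASSES)
    for wi, p in zip(w, probs):
        for k, pk in enumerate(p):
            fused[k] *= max(pk, 1e-12) ** wi  # floor avoids a hard zero
    return _normalise(fused)


def argmax_label(p: Sequence[float]) -> str:
    return CLASSES[max(range(len(p)), key=lambda i: p[i])]


def majority_vote(probs: Sequence[Sequence[float]]) -> str:
    """Hard-label baseline; ties are broken by CLASSES order."""
    votes: Dict[str, int] = {}
    for p in probs:
        lab = argmax_label(p)
        votes[lab] = votes.get(lab, 0) + 1
    best = max(votes.values())
    return next(c for c in CLASSES if votes.get(c) == best)


# Constructed data: (true label, [classifier 1, 2, 3 probability vectors]).
SAMPLES: List[Tuple[str, List[List[float]]]] = [
    ("spyware",       [[0.20, 0.20, 0.60], [0.30, 0.30, 0.40], [0.50, 0.10, 0.40]]),
    ("other_malware", [[0.10, 0.50, 0.40], [0.20, 0.60, 0.20], [0.30, 0.20, 0.50]]),
    ("goodware",      [[0.40, 0.35, 0.25], [0.30, 0.45, 0.25], [0.55, 0.10, 0.35]]),
    # Two classifiers mildly wrong, one confidently right: voting loses this one.
    ("spyware",       [[0.45, 0.15, 0.40], [0.10, 0.50, 0.40], [0.05, 0.05, 0.90]]),
]


def evaluate(samples=SAMPLES) -> Dict[str, float]:
    """Accuracy of each base classifier and of each combination rule."""
    correct: Dict[str, int] = {}

    def tally(name: str, ok: bool) -> None:
        correct[name] = correct.get(name, 0) + int(ok)

    for truth, probs in samples:
        for i, p in enumerate(probs):
            tally(f"classifier_{i + 1}", argmax_label(p) == truth)
        tally("majority_vote", majority_vote(probs) == truth)
        tally("mean_fusion", argmax_label(mean_fusion(probs)) == truth)
        tally("product_fusion", argmax_label(product_fusion(probs)) == truth)
    return {k: v / len(samples) for k, v in correct.items()}


if __name__ == "__main__":
    for name, acc in evaluate().items():
        print(f"{name:15s} {acc:.2f}")
```

The fourth sample is the case that motivates fusing probabilities instead of labels: two classifiers lean the wrong way with little confidence while one is strongly right, so a majority vote (with its tie-break) misclassifies it but both probability rules recover "spyware". The optional `weights` argument is where a validation-derived weight per classifier would go; the paper does not say whether ELF weights its members, so that remains an assumption here.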