
Tencent detects malware on Android phones in real-time using deep neural networks

Researchers from West Virginia University and Tencent have developed a deep neural network model to detect malware on Android phone apps in real-time. The method is currently used in Tencent's Mobile Security product.

Context

"Due to the mobility and ever expanding capabilities, smart phones have become increasingly ubiquitous in people’s everyday life performing tasks such as social networking, online banking, and entertainment. Android, as an open source and customizable operating system (OS) for smart phones, is currently dominating the smart phone market by 77.32% (Statcounter 2018). However, due to its large market share and open source ecosystem of development, Android attracts not only the developers for producing legitimate Android applications (apps), but also attackers to disseminate malware (malicious software) that deliberately fulfills the harmful intent to the smart phone users (e.g., stealing user credentials, pushing unwanted apps or advertisements). Because of lacking trustworthiness review methods, developers can easily upload their Android apps including repackaged apps and malware to the official marketplace (i.e., Google Play)".

The Project

The Tencent Security Lab has developed a malware detection system called AiDroid that uses machine learning to identify potentially malicious apps on Android phones. It is currently being used in Tencent's Mobile Security product, with millions of users globally. The system analyses semantic relationships between apps using API call sequences and then uses a deep neural network classifier to predict which apps are malicious.

AI Usage

The researchers "first extract the API call sequences from runtime executions of Android apps and further analyze higher-level semantic relationships within the ecosystem. To depict such complex relations, we introduce HIN for modeling and use meta-path based approach to build up relatednesses over apps. To efficiently classify nodes (i.e., apps) in HIN, we propose the HinLearning method to first gain in-sample node embeddings and then learn representations of out-of-sample nodes without rerunning/adjusting HIN embeddings for the first time. Afterwards, we design a DNN classifier leveraging the advantages of CNNs and Inception for Android malware detection".
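The meta-path idea in the passage above, as an added Python example that is not from the paper or from Tencent's code: two apps are related when they reach the same API, signature or IMEI node, and each app-X-app path adds to their relatedness. The node types come from the page; the sample edges, the weights and the path-count measure are assumptions made for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample edges of a tiny HIN: (app, neighbour type, neighbour node).
EDGES = [
    ("app_a", "api", "sendTextMessage"), ("app_a", "api", "getDeviceId"),
    ("app_a", "signature", "sig_1"),     ("app_a", "imei", "imei_1"),
    ("app_b", "api", "sendTextMessage"), ("app_b", "api", "getDeviceId"),
    ("app_b", "signature", "sig_1"),     ("app_b", "imei", "imei_2"),
    ("app_c", "api", "getDeviceId"),
    ("app_c", "signature", "sig_2"),     ("app_c", "imei", "imei_1"),
]
# Hypothetical weights per meta-path (app-api-app, app-signature-app, app-imei-app).
WEIGHTS = {"api": 1.0, "signature": 2.0, "imei": 0.5}

def metapath_counts(edges, via):
    """Count app -> <via> -> app path instances for every pair of apps."""
    members = defaultdict(set)            # neighbour node -> apps linked to it
    for app, ntype, node in edges:
        if ntype == via:
            members[node].add(app)
    counts = defaultdict(int)
    for apps in members.values():
        for a, b in combinations(sorted(apps), 2):
            counts[(a, b)] += 1           # one shared node = one path instance
    return dict(counts)

def relatedness(edges, weights):
    """Weighted sum of path counts across all configured meta-paths."""
    total = defaultdict(float)
    for via, w in weights.items():
        for pair, n in metapath_counts(edges, via).items():
            total[pair] += w * n
    return dict(total)

def neighbours(edges, weights, app):
    """Rank the other apps by relatedness to `app`, strongest first."""
    scored = []
    for (a, b), score in relatedness(edges, weights).items():
        if app in (a, b):
            scored.append((b if a == app else a, score))
    return sorted(scored, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for other, score in neighbours(EDGES, WEIGHTS, "app_a"):
        print(f"app_a ~ {other}: {score}")
```

An app that shares a signing certificate and several API calls with a known-malicious app ranks high here, which is the kind of relational signal a repackaged sample leaves even when its own code looks unremarkable.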

Data

The data used was "large-scale real sample collection from Tencent Security Lab, which contains 190,696 training apps (i.e., 83,784 benign and 106,912 malicious). After feature extraction and based on the designed network schema, the constructed HIN has 286,421 nodes (i.e., 190,696 nodes with type of app, 331 nodes with type of API, 70,187 nodes with type of IMEI, 8,499 nodes with type of signature, and 16,708 with type of affiliation) and 4,170,047 edges including relations of R1-R6. The new coming 17,746 unknown apps are used as testing data (to obtain the ground truth, they are further analyzed by the anti-malware experts, 13,313 of which are labeled as benign and 4,433 are malicious)."

Results

On the ROC curve, the researchers report "an impressive 0.9914 true positive rate (TPR) at 0.0094 false positive rate (FPR). We can conclude that AiDroid is indeed feasible in practical use for real-time Android malware detection." AiDroid has "been incorporated into Tencent Mobile Security product that serves millions of users worldwide".
