Search Results (51)

Search Parameters:
Keywords = android malicious application detection

27 pages, 56691 KB  
Article
MalVis: Large-Scale Bytecode Visualization Framework for Explainable Android Malware Detection
by Saleh J. Makkawy, Michael J. De Lucia and Kenneth E. Barner
J. Cybersecur. Priv. 2025, 5(4), 109; https://doi.org/10.3390/jcp5040109 - 4 Dec 2025
Cited by 1 | Viewed by 935
Abstract
As technology advances, developers continually create innovative solutions to enhance smartphone security. However, the rapid spread of Android malware poses significant threats to devices and sensitive data. The Android Operating System (OS)’s open-source nature and Software Development Kit (SDK) availability mainly contribute to this alarming growth. Conventional malware detection methods, such as signature-based, static, and dynamic analysis, face challenges in detecting obfuscated techniques, including encryption, packing, and compression, in malware. Although developers have created several visualization techniques for malware detection using deep learning (DL), they often fail to accurately identify the critical malicious features of malware. This research introduces MalVis, a unified visualization framework that integrates entropy and N-gram analysis to emphasize meaningful structural and anomalous operational patterns within the malware bytecode. By addressing significant limitations of existing visualization methods, such as insufficient feature representation, limited interpretability, small dataset sizes, and restricted data access, MalVis delivers enhanced detection capabilities, particularly for obfuscated and previously unseen (zero-day) malware. The framework leverages the MalVis dataset introduced in this work, a publicly available large-scale dataset comprising more than 1.3 million visual representations in nine malware classes and one benign class. A comprehensive comparative evaluation was performed against existing state-of-the-art visualization techniques using leading convolutional neural network (CNN) architectures, MobileNet-V2, DenseNet201, ResNet50, VGG16, and Inception-V3. To further boost classification performance and mitigate overfitting, the outputs of these models were combined using eight distinct ensemble strategies. 
To address the issue of imbalanced class distribution in the multiclass dataset, we employed an undersampling technique to ensure balanced learning across all types of malware. MalVis achieved superior results, with 95% accuracy, 90% F1-score, 92% precision, 89% recall, 87% Matthews Correlation Coefficient (MCC), and 98% Receiver Operating Characteristic Area Under Curve (ROC-AUC). These findings highlight the effectiveness of MalVis in providing interpretable and accurate representation features for malware detection and classification, making it valuable for research and real-world security applications. Full article
(This article belongs to the Section Security Engineering & Applications)

19 pages, 5377 KB  
Article
LEMSOFT: Leveraging Extraction Method and Soft Voting for Android Malware Detection
by Qiang Han, Zhichao Shi, Yao Li and Tao Zhang
Mathematics 2025, 13(21), 3569; https://doi.org/10.3390/math13213569 - 6 Nov 2025
Viewed by 521
Abstract
The pervasive spread of Android malware poses significant threats to users and systems worldwide. In most existing studies, differences in feature importance are often overlooked, and the calculation of feature weights is conducted independently of the classification model. In this paper, we propose an Android malware detection method, Leveraging Extraction Method and Soft Voting classification (LEMSOFT). This approach includes a novel preprocessing module, lexical occurrence ratio-based filtering (LORF), and an improved Soft Voting mechanism optimized through genetic algorithms. We introduce LORF to evaluate and enhance the significance of permissions, API calls, and opcodes. Each type of feature is then independently classified using tailored machine learning models. To integrate the outputs of these classifiers, this paper proposes an innovative soft voting mechanism that improves prediction accuracy for encountered applications by assigning weights through a genetic algorithm. Our solution outperforms the baseline methods we studied, as evidenced by the evaluation of 5560 malicious and 8340 benign applications, with an average accuracy of 99.89%. The efficacy of our methodology is demonstrated through extensive experiments, showcasing significant improvements in detection rates compared to state-of-the-art (SOTA) methods. Full article

14 pages, 871 KB  
Article
SMAD: Semi-Supervised Android Malware Detection via Consistency on Fine-Grained Spatial Representations
by Suchul Lee and Seokmin Han
Electronics 2025, 14(21), 4246; https://doi.org/10.3390/electronics14214246 - 30 Oct 2025
Viewed by 637
Abstract
Malware analytics suffer from scarce, delayed, and privacy-constrained labels, limiting fully supervised detection and hampering responsiveness to zero-day threats. We propose SMAD, a Semi-supervised Android Malicious App Detector that integrates a segmentation-oriented backbone—to extract pixel-level, multi-scale features from APK imagery—with a dual-branch consistency objective that enforces predictive agreement between two parallel branches on the same image. We evaluate SMAD on CICMalDroid2020 under label budgets of 0.5, 0.25, and 0.125 and show that it achieves higher accuracy, macro-precision, macro-recall, and macro-F1 with smoother learning curves than supervised training, a recursive pseudo-labeling baseline, a FixMatch baseline, and a confidence-thresholded consistency ablation. A backbone ablation (replacing the dense encoder with WideResNet) indicates that pixel-level, multi-scale features under agreement contribute substantially to these gains. We observe a coverage–precision trade-off: hard confidence gating filters noise but lowers early-training performance, whereas enforcing consistency on dense, pixel-level representations yields sustained label-efficiency gains for image-based malware detection. Consequently, SMAD offers a practical path to high-utility detection under tight labeling budgets—a setting common in real-world security applications. Full article

30 pages, 1486 KB  
Article
A Comprehensive Analysis of Evolving Permission Usage in Android Apps: Trends, Threats, and Ecosystem Insights
by Ali Alkinoon, Trung Cuong Dang, Ahod Alghuried, Abdulaziz Alghamdi, Soohyeon Choi, Manar Mohaisen, An Wang, Saeed Salem and David Mohaisen
J. Cybersecur. Priv. 2025, 5(3), 58; https://doi.org/10.3390/jcp5030058 - 14 Aug 2025
Cited by 2 | Viewed by 3843
Abstract
The proper use of Android app permissions is crucial to the success and security of these apps. Users must agree to permission requests when installing or running their apps. Despite official Android platform documentation on proper permission usage, there are still many cases of permission abuse. This study provides a comprehensive analysis of the Android permission landscape, highlighting trends and patterns in permission requests across various applications from the Google Play Store. By distinguishing between benign and malicious applications, we uncover developers’ evolving strategies, with malicious apps increasingly requesting fewer permissions to evade detection, while benign apps request more to enhance functionality. In addition to examining permission trends across years and app features such as advertisements, in-app purchases, content ratings, and app sizes, we leverage association rule mining using the FP-Growth algorithm. This allows us to uncover frequent permission combinations across the entire dataset, specific years, and 16 app genres. The analysis reveals significant differences in permission usage patterns, providing a deeper understanding of co-occurring permissions and their implications for user privacy and app functionality. By categorizing permissions into high-level semantic groups and examining their application across distinct app categories, this study offers a structured approach to analyzing the dynamics within the Android ecosystem. The findings emphasize the importance of continuous monitoring, user education, and regulatory oversight to address permission misuse effectively. Full article
(This article belongs to the Section Security Engineering & Applications)

34 pages, 11375 KB  
Review
Advanced Financial Fraud Malware Detection Method in the Android Environment
by Jaeho Shin, Daehyun Kim and Kyungho Lee
Appl. Sci. 2025, 15(7), 3905; https://doi.org/10.3390/app15073905 - 2 Apr 2025
Cited by 3 | Viewed by 2166
Abstract
The open-source structure and ease of development in the Android platform are exploited by attackers to develop malicious programs, greatly increasing malicious Android apps aimed at committing financial fraud. This study proposes a machine learning (ML) model based on static analysis to detect malware. We validated the significance of private datasets collected from Bank A, comprising 183,938,730 and 11,986 samples of benign and malicious apps, respectively. Undersampling was performed to adjust the proportion of benign applications in the training data because the data on benign and malicious apps were unbalanced. Moreover, 92 datasets were compiled through daily training to evaluate the proposed approach, with benign app data updated over 70 days (D-70 to D-1) and malware app data cumulatively aggregated to address the imbalance. Five ML algorithms were used to evaluate the proposed approach, and the optimal hyperparameter values for each algorithm were obtained using a grid search method. We then evaluated the models using common evaluation metrics, such as accuracy, precision, recall, F1-Score, etc. The LightGBM model was selected for its superior performance, achieving high accuracy and effectiveness. The optimal decision threshold for determining whether an application was malicious was 0.5. Following re-evaluation, the LightGBM model obtained accuracy and F1-Score values of 99.99% and 97.04%, respectively, highlighting the potential of using the proposed model for real-world financial fraud detection. Full article
(This article belongs to the Section Computing and Artificial Intelligence)

16 pages, 409 KB  
Article
An Android Malware Detection Method Using Frequent Graph Convolutional Neural Networks
by Yulong Zhao, Shi Sun, Xiaofeng Huang and Jixin Zhang
Electronics 2025, 14(6), 1151; https://doi.org/10.3390/electronics14061151 - 14 Mar 2025
Cited by 4 | Viewed by 2250
Abstract
As Android holds a commanding position in the smartphone operating system market, the proliferation of malicious applications on this platform has also escalated rapidly. This surge in diverse malware variants has compelled researchers to explore innovative techniques leveraging machine learning. Given the significance of static analysis in network security, and the proven effectiveness of Dalvik opcode as a precise representation of malware, many studies have adopted the use of Dalvik opcode in conjunction with machine learning algorithms to detect Android malware. Currently, a considerable number of opcode-based approaches are being developed to extract semantic information from opcode sequences. Nonetheless, these approaches encounter considerable challenges in terms of achieving precision. Despite the integration of additional semantic features, they do not succeed in enhancing precision and often result in longer computation times. Furthermore, the extensive length of opcode sequences poses a significant obstacle in the analysis of their underlying semantics. When confronted with these challenges, delving into alternative characteristics could hold the potential to overcome the prevailing predicament, thereby enhancing our comprehension of malwares’ operational mechanisms. Considering the rich informational content embedded within opcode dependencies, despite the scarcity of research in this domain, we intend to prioritize our focus on these dependencies. By constructing opcode graphs, we aim to gain deeper insights into the topological properties of these dependencies, thereby facilitating a more comprehensive analysis. This paper presents an innovative Android malware detection method. The core process of this method includes building a Dalvik opcode graph, extracting frequent subgraphs, and embedding subgraphs using graph convolutional neural networks to extract topological features and train classification models. 
This model aims to accurately distinguish between malicious Android applications and legitimate applications. Based on the above method, we have successfully developed a lightweight prototype for Android malware variant detection. Through theoretical analysis and practical experimental verification, the prototype demonstrates excellent effectiveness, efficiency, and stability. Specifically, its detection accuracy is nearly 95%, and the time cost for a single detection does not exceed 0.1 s. Full article
(This article belongs to the Special Issue Artificial Intelligence and Database Security)

19 pages, 959 KB  
Article
Is Malware Detection Needed for Android TV?
by Gokhan Ozogur, Zeynep Gurkas-Aydin and Mehmet Ali Erturk
Appl. Sci. 2025, 15(5), 2802; https://doi.org/10.3390/app15052802 - 5 Mar 2025
Cited by 2 | Viewed by 3483
Abstract
The smart TV ecosystem is rapidly expanding, allowing developers to publish their applications on TV markets to provide a wide array of services to TV users. However, this open nature can lead to significant cybersecurity concerns by bringing unauthorized access to home networks or leaking sensitive information. In this study, we focus on the security of Android TVs by developing a lightweight malware detection model specifically for these devices. We collected various Android TV applications from different markets and injected malicious payloads into benign applications to create Android TV malware, which is challenging to find on the market. We proposed a machine learning approach to detecting malware and evaluated our model. We compared the performance of nine classifiers and optimized the hyperparameters. Our findings indicated that the model performed well in rare malware cases on Android TVs. The most successful model classified malware with an F1-Score of 0.9789 in 0.1346 milliseconds per application. Full article

19 pages, 1456 KB  
Article
Ventinel: Automated Detection of Android Vishing Apps Using Optical Character Recognition
by Daegyeom Kim, Sehwan O, Younghoon Ban, Jungsoo Park, Kyungho Joo and Haehyun Cho
Future Internet 2025, 17(1), 24; https://doi.org/10.3390/fi17010024 - 7 Jan 2025
Viewed by 3466
Abstract
Vishing, a blend of “voice” and “phishing”, has evolved to include techniques like Call Redirection and Display Overlay Attacks, causing significant financial losses. Existing research has largely focused on user behavior and awareness, leaving gaps in addressing attacks originating from vishing applications. In this work, we present Ventinel, an Android-based defense system designed to detect these attacks without requiring OS modifications. Ventinel employs Optical Character Recognition (OCR) to compare phone numbers during calls, effectively preventing Call Redirection and Display Overlay Attacks. Additionally, it safeguards against Duplicated Contacts Attacks by cross-referencing call logs and SMS records. Ventinel achieves 100% detection accuracy, surpassing commercial applications, and operates with minimal data collection to ensure user privacy. We also describe malicious API behavior and demonstrate that the same behavior is possible for API levels 29 and higher. Furthermore, we analyze the limitations of existing solutions and propose new attack and defense strategies. Full article

15 pages, 438 KB  
Article
Using Generative AI Models to Support Cybersecurity Analysts
by Štefan Balogh, Marek Mlynček, Oliver Vraňák and Pavol Zajac
Electronics 2024, 13(23), 4718; https://doi.org/10.3390/electronics13234718 - 28 Nov 2024
Cited by 7 | Viewed by 4808
Abstract
One of the tasks of security analysts is to detect security vulnerabilities and ongoing attacks. There is already a large number of software tools that can help to collect security-relevant data, such as event logs, security settings, application manifests, and even the (decompiled) source code of potentially malicious applications. The analyst must study these data, evaluate them, and properly identify and classify suspicious activities and applications. Fast advances in the area of Artificial Intelligence have produced large language models that can perform a variety of tasks, including generating text summaries and reports. In this article, we study the potential black-box use of LLM chatbots as a support tool for security analysts. We provide two case studies: the first is concerned with the identification of vulnerabilities in Android applications, and the second one is concerned with the analysis of security logs. We show how LLM chatbots can help security analysts in their work, but point out specific limitations and security concerns related to this approach. Full article

19 pages, 1428 KB  
Article
Behavioral Analysis of Android Riskware Families Using Clustering and Explainable Machine Learning
by Mohammed M. Alani and Moatsum Alawida
Big Data Cogn. Comput. 2024, 8(12), 171; https://doi.org/10.3390/bdcc8120171 - 26 Nov 2024
Cited by 1 | Viewed by 3205
Abstract
The Android operating system has become increasingly popular, not only on mobile phones but also in various other platforms such as Internet-of-Things devices, tablet computers, and wearable devices. Due to its open-source nature and significant market share, Android poses an attractive target for malicious actors. One of the notable security challenges associated with this operating system is riskware. Riskware refers to applications that may pose a security threat due to their vulnerability and potential for misuse. Although riskware constitutes a considerable portion of Android’s ecosystem malware, it has not been studied as extensively as other types of malware such as ransomware and trojans. In this study, we employ machine learning techniques to analyze the behavior of different riskware families and identify similarities in their actions. Furthermore, our research identifies specific behaviors that can be used to distinguish these riskware families. To achieve these insights, we utilize various tools such as k-Means clustering, principal component analysis, extreme gradient boost classifiers, and Shapley additive explanation. Our findings can contribute significantly to the detection, identification, and forensic analysis of Android riskware. Full article

23 pages, 3496 KB  
Article
Android Malware Detection Using Support Vector Regression for Dynamic Feature Analysis
by Nahier Aldhafferi
Information 2024, 15(10), 658; https://doi.org/10.3390/info15100658 - 19 Oct 2024
Cited by 20 | Viewed by 4592
Abstract
Mobile devices face significant security challenges due to the increasing proliferation of Android malware. This study introduces an innovative approach to Android malware detection, combining Support Vector Regression (SVR) and dynamic feature analysis to address escalating mobile security challenges. Our research aimed to develop a more accurate and reliable malware detection system capable of identifying both known and novel malware variants. We implemented a comprehensive methodology encompassing dynamic feature extraction from Android applications, feature preprocessing and normalization, and the application of SVR with a Radial Basis Function (RBF) kernel for malware classification. Our results demonstrate the SVR-based model’s superior performance, achieving 95.74% accuracy, 94.76% precision, 98.06% recall, and a 96.38% F1-score, outperforming benchmark algorithms including SVM, Random Forest, and CNN. The model exhibited excellent discriminative ability with an Area Under the Curve (AUC) of 0.98 in ROC analysis. The proposed model’s capacity to capture complex, non-linear relationships in the feature space significantly enhanced its effectiveness in distinguishing between benign and malicious applications. This research provides a robust foundation for advancing Android malware detection systems, offering valuable insights for researchers and security practitioners in addressing evolving malware challenges. Full article
(This article belongs to the Special Issue Online Registration and Anomaly Detection of Cyber Security Events)

29 pages, 9974 KB  
Article
Benchmarking Android Malware Analysis Tools
by Javier Bermejo Higuera, Javier Morales Moreno, Juan Ramón Bermejo Higuera, Juan Antonio Sicilia Montalvo, Gustavo Javier Barreiro Martillo and Tomas Miguel Sureda Riera
Electronics 2024, 13(11), 2103; https://doi.org/10.3390/electronics13112103 - 28 May 2024
Cited by 3 | Viewed by 4099
Abstract
Today, malware is arguably one of the biggest challenges organisations face from a cybersecurity standpoint, regardless of the types of devices used in the organisation. One of the most malware-attacked mobile operating systems today is Android. In response to this threat, this paper presents research on the functionalities and performance of different malicious Android application package analysis tools, including one that uses machine learning techniques. In addition, it investigates how these tools streamline the detection, classification, and analysis of malicious Android Application Packages (APKs) for Android operating system devices. As a result of the research included in this article, it can be highlighted that the AndroPytool, a tool that uses machine learning (ML) techniques, obtained the best results with an accuracy of 0.986, so it can be affirmed that the tools that use artificial intelligence techniques used in this study are more efficient in terms of detection capacity. On the other hand, of the online tools analysed, Virustotal and Pithus obtained the best results. Based on the above, new approaches can be suggested in the specification, design, and development of new tools that help to analyse, from a cybersecurity point of view, the code of applications developed for this environment. Full article

16 pages, 3861 KB  
Article
HertDroid: Android Malware Detection Method with Influential Node Filter and Heterogeneous Graph Transformer
by Xinyi Meng and Daofeng Li
Appl. Sci. 2024, 14(8), 3150; https://doi.org/10.3390/app14083150 - 9 Apr 2024
Cited by 4 | Viewed by 2156
Abstract
The explosive growth of malware targeting Android devices has resulted in the demand for the acquisition and integration of comprehensive information to enable effective, robust, and user-friendly malware detection. In response to this challenge, this paper introduces HertDroid, an innovative Android malware detection method that leverages the hidden contextual information within application entities. Specifically, we formulate a heterogeneous graph encapsulating rich semantics of entities and their interactions to model the behavior of Android applications. To alleviate computational burdens, a filter is implemented to identify nodes containing crucial information. The Transformer architecture is then deployed for efficient information aggregation across diverse entities. In our experiments, HertDroid demonstrates superior performance by achieving the highest F1 scores when compared to baseline methods on a dataset comprising 10,361 benign and 11,043 malicious apps. Notably, HertDroid excels in maintaining a lightweight profile, and its performance is achieved without the necessity of manual meta-path configuration. Full article

25 pages, 2024 KB  
Article
Explainable Machine Learning for Malware Detection on Android Applications
by Catarina Palma, Artur Ferreira and Mário Figueiredo
Information 2024, 15(1), 25; https://doi.org/10.3390/info15010025 - 1 Jan 2024
Cited by 13 | Viewed by 7869
Abstract
The presence of malicious software (malware), for example, in Android applications (apps), has harmful or irreparable consequences to the user and/or the device. Despite the protections app stores provide to avoid malware, it keeps growing in sophistication and diffusion. In this paper, we explore the use of machine learning (ML) techniques to detect malware in Android apps. The focus is on the study of different data pre-processing, dimensionality reduction, and classification techniques, assessing the generalization ability of the learned models using public domain datasets and specifically developed apps. We find that the classifiers that achieve better performance for this task are support vector machines (SVM) and random forests (RF). We emphasize the use of feature selection (FS) techniques to reduce the data dimensionality and to identify the most relevant features in Android malware classification, leading to explainability on this task. Our approach can identify the most relevant features to classify an app as malware. Namely, we conclude that permissions play a prominent role in Android malware detection. The proposed approach reduces the data dimensionality while achieving high accuracy in identifying malware in Android apps. Full article
(This article belongs to the Special Issue Digital Privacy and Security)

20 pages, 670 KB  
Article
Android Malware Detection Based on Behavioral-Level Features with Graph Convolutional Networks
by Qingling Xu, Dawei Zhao, Shumian Yang, Lijuan Xu and Xin Li
Electronics 2023, 12(23), 4817; https://doi.org/10.3390/electronics12234817 - 28 Nov 2023
Cited by 10 | Viewed by 4278 | Correction
Abstract
Android malware detection is a critical research field due to the increasing prevalence of mobile devices and apps. Improved methods are necessary to address Android apps’ complexity and malware’s elusive nature. We propose an approach for Android malware detection based on Graph Convolutional Networks (GCNs). Our method focuses on learning the behavioral-level features of Android applications using the call graph extracted from the application’s Dex file. Combining the call graph with sensitive permissions and opcodes creates a new subgraph representing the application’s runtime behavior. Subsequently, we propose an enhanced detection model utilizing graph convolutional networks (GCNs) for Android malware detection. The experimental results demonstrate our proposed method’s high precision and accuracy in detecting malicious code. With a precision of 98.89% and an F1-score of 98.22%, our approach effectively identifies and classifies Android malicious code. Full article