InfoSec Seminar: A Family of Droids–Android Malware Detection via Behavioral Modeling: Static vs Dynamic Analysis

Speaker: Lucky Onwuzurike

Date/Time: 23-Aug-2018, 16:00 UTC

Venue: Robert 4.21



As smartphones play an increasingly central role in our everyday lives, the number of applications (apps) designed for the mobile ecosystem has skyrocketed. These apps are designed to meet diverse user needs, e.g., banking, communication, social networking, and as such often handle sensitive information. As a result, a growing number of cybercriminals are targeting the mobile ecosystem, by designing and distributing malicious apps that steal information or cause harm to the device's owner. Aiming to counter them, a number of techniques, based on either static or dynamic analysis, have been used to model Android malware and build detection tools. However, we often lack a good understanding of what analysis method works best and in which cases. In this paper, we analyze the performance of static and dynamic analysis methods, using the same modeling approach. Specifically, we build on MaMaDroid, a state-of-the-art detection system that relies on static analysis to create a behavioral model from the sequences of abstracted API calls. To port it to dynamic analysis, we modify CHIMP, a platform recently proposed to crowdsource human inputs for app testing, in order to extract API calls' sequences from the traces produced while executing the app on a CHIMP virtual device. We call this system AuntieDroid and instantiate it by using both automated (Monkey) and user-generated inputs. We find that combining both static and dynamic analysis yields the best performance, with F-measure reaching 0.92. We also show that static analysis is at least as effective as dynamic analysis, depending on how apps are stimulated during execution, and investigate the reasons for inconsistent misclassifications across methods. Finally, we examine the prevalence of dynamic code loading, which constitutes a possible limitation of static analysis based tools


Lucky Onwuzurike is a PhD student in the Information Security Group at University College London (UCL) under the supervision of Dr. Emiliano De Cristofaro and Dr. Gianluca Stringhini. His research interests include: security and privacy of online social networks, Android security, network security, and applied cryptography. Prior to starting his PhD, he obtained an MSc in Information Security at UCL and a BEng in Computer Engineering at the University of Maiduguri, Nigeria. He also have experience as web developer and network engineer.

Add to Calendar

This page was last modified on 27 Mar 2014.