A team of German researchers composed by Daniel Arp, Konrad Rieck, Malte Hubner, Michael Spreitzenbarth of Siemens computer emergency response team and Hugo Gascon of the University of Gottingen have developed an Android app capable of detecting 94 percent of mobile malware. The experts have tested their application, dubbed DREBIN, on a large set of code composed by 123,453 benign applications deployed in different Android app stores and 5560 new malware samples. DREBIN detects 94 percent of the malware with few false-positive, nearly one percent, corresponding to a single case of 100 of a benign application recognized as malicious app.
“As the limited resources impede monitoring applications at run-time, DREBIN performs a broad static analysis, gathering as many features of an application as possible,” the researchers wrote in the paper DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket (PDF). “
“DREBIN performs a broad static analysis, gathering as many features from an application’s code and manifest as possible” wrote the authors. “As an example, an application sending premium SMS messages is cast to a specific region in the vector space associated with the corresponding permissions, intents and API calls,” the researchers wrote. “This geometric representation enables DREBIN to identify combinations and patterns of features indicative for malware automatically using machine learning techniques.”
The researchers sustain that DREBIN is the ﬁrst method which provides effective and explainable detection of Android malicious code malware directly on the mobile device. The approach is considered innovative and effective because DREBIN is capable of identifying Android malware with high accuracy and independent of manually crafted detection patterns
“Patterns of features indicative for a detected malware instance can be traced back from the vector space and provide insights into the detection process.” states the paper.
DREBIN is also able to detect obfuscation mechanisms implemented by malware authors to repack their malicious code or insert junk data. According to the researchers DREBIN presents a limitation, it isn’t able to detect dynamically loaded and obfuscated malware because it builds on concepts of static analysis despite it combines it with a machine learning mechanism.
In the following image are reported the results of tests made on the detection capability of the app.
The application is considered innovative because different from its rivals like TaintDroid, DroidRanger and RiskRanker, doesn’t rely on manually crafted detection patterns that would be circumvented by malware authors.
(Security Affairs – DREBIN, mobile)