GranDroid: Graph-based detection of malicious network behaviors in android applications

Abstract

As Android malware increasingly relies on network interfaces to perform malicious behaviors, detecting such malicious network behaviors becomes a critical challenge. Traditionally, static analysis provides soundness for Android malware detection, but it also leads to high false positives. It is also challenging to guarantee the completion of static analysis within a given time constraint, which is an important requirement for real-world security analysis. Dynamic analysis is often used to precisely detect malware within a specific time budget. However, dynamic analysis is inherently unsound as it only reports analysis results of the executed paths. In this paper, we introduce GranDroid, a graph-based hybrid malware detection system that combines dynamic analysis, incremental and partial static analysis, and machine learning to provide time-sensitive malicious network behavior detection with high accuracy. Our evaluation using 1,500 malware samples and 1,500 benign apps shows that our approach achieves 93% accuracy while spending only eight minutes to dynamically execute each app and determine its maliciousness. GranDroid can be used to provide rich and precise detection results while incurring similar analysis time as a typical malware detector based on pure dynamic analysis.