With the rapid development of mobile Internet and communication technology, represented by 5G, more and more application scenarios are moving from PC to mobile. Android, as an open-source system, has been the world's No. 1 smartphone operating system since the end of 2010. However, due to its openness and freedom, Android is also increasingly becoming the focus of attackers. Malicious code targeting Android devices can perform a variety of attacks, such as spoofing applications, sending paid SMS messages, leaking private data, and pushing spam messages. Malicious code on Android devices poses a serious threat to the security of users' privacy and property.

Based on this, this paper studies Android malicious code detection from three aspects: feature extraction, feature analysis and feature-based detection. Firstly, this paper proposes a dual-environment sandbox feature extraction method for Android malicious code, which is more than 50% more compatible with the latest samples than the commonly used dynamic detection tools. Secondly, this paper proposes a malicious-weight-based feature analysis method for Android malicious code, whose F1 value can reach up to 99.478%. On this basis, this paper proposes an Android malicious code detection method based on dynamic feature extraction and metadata analysis, which finds potentially malicious applications in the official application market.

The specific work and innovation points of this paper are as follows:

(1) In response to the outdated simulation environments, poor compatibility, and inaccurate monitoring data of current dynamic detection tools for Android malicious code, we propose a dual-environment sandbox feature extraction method for Android application samples. The method supports both simulator and real-device sandbox environments, and the monitoring scope can be easily modified to expand compatibility and meet different feature extraction requirements. Experiments show that, compared to the most widely used dynamic detection tool in the research field, the method is more than 50% more compatible with the latest samples and reduces the size of feature extraction logs by about 90% on average.

(2) Given that security awareness around Android applications is low and that multiple types of malicious code readily give rise to serious security threats, we propose a malicious-weight-based feature detection method for the Android platform. Based on a malicious sample dataset, this method calculates the maliciousness of each label, uses various machine learning classifiers to evaluate the effectiveness of the method, and finally detects malicious code. Experiments show that the model's F1 value can reach up to 99.478% with this method, and that it consumes fewer system resources during the analysis process.

(3) To address the threat that potentially unwanted application (PUA) code on the Android platform poses to users, we propose a method based on dynamic feature extraction and metadata analysis to detect PUAs on Android. The method starts from metadata such as application developer information, user reviews and ratings, and the presence of advertisements. It then incorporates dynamic detection methods to determine the number of times the code visits advertisements and malicious URLs, and uses clustering algorithms to form clusters of PUAs for further processing. In experiments, classical clustering models applying the method are able to generate clusters of suspicious applications. The experimental results reveal the characteristics of PUAs and identify the PUAs present in the official app marketplace.