Issue Info: 
  • Year: 2024
  • Volume: 10
Measures: 
  • Views: 31
  • Downloads: 1
Abstract: 

The increasing expansion of mobile phones along with the expansion of the possibilities of these phones has provided a suitable field for information theft. Android is undoubtedly the most popular and widespread operating system of mobile phones, which has become the target audience of many malware authors due to this expansion. This article seeks to provide a suitable and powerful solution for detecting malware. Data processing uses a combined feature selection operation. This idea extracts the most important features and improves the accuracy and speed of detection. Then, three-level stacking is used for the detection stage. This method can significantly improve the accuracy and power of generalization compared to other methods based on the innovative idea of dataset separation. The accuracy of this method is equal to 99.5.

Issue Info: 
  • Year: 2016
  • Volume: 4
  • Issue: 4
  • Pages: 244-254
Measures: 
  • Citations: 0
  • Views: 254
  • Downloads: 101
Abstract: 

Android has been targeted by malware developers since it emerged as the most widely used operating system for smartphones and mobile devices. Android security mainly relies on user decisions regarding installing applications (apps) by approving their requested permissions. Therefore, a systematic user assistance mechanism for making appropriate decisions can significantly improve the security of Android-based devices by preventing malicious app installation. However, the criticality of permissions and the security risk values of apps are not well determined for users in order to make correct decisions. In this study, a new metric is introduced for effective risk computation of untrusted apps based on their required permissions. The metric leverages both the frequency of permission usage in malware and the rarity of them in normal apps. Based on the proposed metric, an algorithm is developed and implemented for identifying critical permissions and effective risk computation. The proposed solution can be directly used by mobile owners to make better decisions or by Android markets to filter out suspicious apps for further examination. Empirical evaluations on real malicious and normal app samples show that the proposed metric has a high malware detection rate and is superior to recently proposed risk score measurements. Moreover, it has good performance on unseen apps in terms of security risk computation.

Issue Info: 
  • Year: 2022
  • Volume: 14
  • Issue: 3
  • Pages: 51-59
Measures: 
  • Citations: 0
  • Views: 70
  • Downloads: 33
Abstract: 

With the widespread use of Android smartphones, the Android platform has become an attractive target for cybersecurity attackers and malware authors. Meanwhile, the growing emergence of zero-day malware has long been a major concern for cybersecurity researchers. This is because malware that has not been seen before often exhibits new or unknown behaviors, and there is no documented defense against it. In recent years, deep learning has become the dominant machine learning technique for malware detection and could achieve outstanding achievements. Currently, most deep malware detection techniques are supervised in nature and require training on large datasets of benign and malicious samples. However, supervised techniques usually do not perform well against zero-day malware. Semi-supervised and unsupervised deep malware detection techniques have more potential to detect previously unseen malware. In this paper, we present MalGAE, a novel end-to-end deep malware detection technique that leverages one-class graph neural networks to detect Android malware in a semi-supervised manner. MalGAE represents each Android application with an attributed function call graph (AFCG) to benefit the ability of graphs to model complex relationships between data. It builds a deep one-class classifier by training a stacked graph autoencoder with graph convolutional layers on benign AFCGs. Experimental results show that MalGAE can achieve good detection performance in terms of different evaluation measures.

Issue Info: 
  • Year: 2024
  • Volume: 10
Measures: 
  • Views: 41
  • Downloads: 2
Abstract: 

Android devices are providing about 70% of the web traffic. Therefore, the security of the Android devices is one of the major factors impacting the web security. Autonomous detection of the malware infecting Android devices using machine learning methods can act as a scalable solution for security provision on smartphones. This study aims to introduce an innovative approach for detecting mobile phone malware by leveraging users' emotional reactions and interactions with their devices during sudden and unpredictable events. Traditional mobile malware detection methods that rely on permissions and API calls have extensively been researched, yet they often overlook human elements such as emotions and their potential implications in this context. The methodology proposed in this research involves capturing users' reactive behaviors to unexpected events using Natural Language Processing (NLP), analyzing their interactive patterns with mobile phones through clustering techniques, and employing machine learning algorithms and classification methods for malware detection. The experimental results show that the proposed method can provide an accuracy of more than 96% which provides an efficient tool for Android and web security.

Issue Info: 
  • Year: 2021
  • Volume: 7
Measures: 
  • Views: 130
  • Downloads: 0
Abstract: 

Users of smartphones in the world have grown significantly, and attacks against these devices have increased. Many protection techniques for Android malware detection have been proposed; however, most of them lack the early detection of malware. Hence, there is an intense need to expand a mechanism to identify malicious programs before utilizing the data. Moreover, achieving high accuracy in detecting Android malware traffic is another critical problem. This research proposes a deep learning framework using network traffic features to detect Android malware. Commonly, machine learning algorithms need data preprocessing, but these preprocessing phases are time-consuming. Deep learning techniques remove the need for data preprocessing, and they perform well on malware detection problems. We extract local features from network flows by using the one-dimensional CNN and employ LSTM to detect the sequential relationship between the considerable features. We utilize a real-world dataset CICAndMal2017 with network traffic features to identify Android malware. Our model achieves the accuracy of 99.79, 98.90%, and 97.29%, respectively, in binary, category, and family classification scenarios.

Issue Info: 
  • Year: 2025
  • Volume: 23
  • Issue: 80
  • Pages: 47-57
Measures: 
  • Citations: 0
  • Views: 20
  • Downloads: 0
Abstract: 

The use of mobile phones with Android operating system is expanding day by day. Android itself does not have a powerful malware detection tool. Therefore, attackers easily enter people's privacy through their mobile phones and put them at serious risk. So far, a lot of research has been done on malware detection. One of the main problems of these solutions is the low accuracy in multi-class detection on the dataset or the failure to achieve the desired result in both types of binary and multi-class detection. In this paper, by using Convolutional Neural Network (CNN) and changing the number of different layers, we have tried to extract the maximum number of important features from the dataset. In the data classification phase, we use the Deep Learning-based algorithm named Long Short-Term Memory (LSTM) to classify the data with the maximum possible accuracy by testing it on the selected features. The test results on the new MalMemAnalysis-2022 dataset show that the use of these two algorithms and the change in the number of layers can lead to 99.99% and 99.71% accuracies in binary and multi-class classification in malware detection, respectively, which is superior to existing methods.

Issue Info: 
  • Year: 2022
  • Volume: 14
  • Issue: 4
  • Pages: 19-39
Measures: 
  • Citations: 0
  • Views: 38
  • Downloads: 7
Abstract: 

Android malware is one of the most dangerous threats on the Internet. It has been on the rise for several years. As a result, it has impacted many applications such as healthcare, banking, transportation, government, e-commerce, etc. One of the most growing attacks is on Android systems due to its use in many devices worldwide. Despite significant efforts in detecting and classifying Android malware, there is still a long way to improve the detection process and the classification performance. There is a necessity to provide a basic understanding of the behavior displayed by the most common Android malware categories and families. Hence, understand the distinct objective of malware after identifying their family and category. This paper proposes an effective systematic and functional parallel machine-learning model for the dynamic detection of Android malware categories and families. Standard machine learning classifiers are implemented to analyze a massive malware dataset with 14 major malware categories and 180 prominent malware families of the CCCS-CIC-AndMal2020 on dynamic layers to detect Android malware categories and families. The paper experiments with many machine learning algorithms and compares the proposed model with the most recent related work. The results indicate more than 96% accuracy for Android malware category detection and more than 99% for Android malware family detection overperforming the current related methods. The proposed model offers a highly accurate method for dynamic analysis of Android malware that cuts down the time required to analyze smartphone malware.

Issue Info: 
  • Year: 2021
  • Volume: 13
  • Issue: 2
  • Pages: 131-143
Measures: 
  • Citations: 0
  • Views: 89
  • Downloads: 136
Abstract: 

Dynamic analysis is a prominent approach in analyzing the behavior of Android apps. To perform dynamic analysis, we need an event generator to provide a proper environment for executing the app in an emulator. Monkey is the most popular event generator for Android apps in general, and is used in dynamic analysis of Android malware as well. Monkey provides high code coverage and yet high speed in generating events. However, in the case of malware analysis, Monkey suffers from several limitations. It only considers UI events but no system events, and because of random behavior in generating UI events, it may lose dropping the connectivity of the test environment during the analysis process. Moreover, it provides no defense against malware evasion techniques. In this paper, we try to enhance Monkey by reducing its limitations while preserving its advantages. The proposed approach has been implemented as an extended version of Monkey, named Curious-Monkey. Curious-Monkey provides facilities for handling system events, handling evasion techniques, and keeping the test environment's connectivity up during the analysis process. We conducted many experiments to evaluate the effectiveness of the proposed tool regarding two important criteria in dynamic malware analysis: the ability to trigger malicious payloads and the code coverage. In the evaluation process, we used the Evadroid benchmark and the AMD malware dataset. Moreover, we compared Curious-Monkey with Monkey and Ares tools. The results show that the Curious-Monkey provides better results in case of triggering malicious payloads, as well as better code coverage.

Issue Info: 
  • Year: 2022
  • Volume: 14
  • Issue: 3
  • Pages: 81-92
Measures: 
  • Citations: 0
  • Views: 63
  • Downloads: 27
Abstract: 

Today, with the advancement of science and technology, the use of smartphones has become very common, and the Android operating system has been able to gain lots of popularity in the meantime. However, these devices face many security challenges, including malware. Malware may cause many problems in both the security and privacy of users. So far, the state-of-the-art method in malware detection is based on deep learning, however, this approach requires a lot of computing resources and leads to high battery usage, which is unacceptable in smartphone devices. This paper proposes the knowledge distillation approach for lightening Android malware detection. To this end, first, a heavy model is taught and then with the knowledge distillation approach, its knowledge is transferred to a light model called student. To simplify the learning process, soft labels are used here. The resulting model, although slightly less accurate in identification, has a much smaller size than the heavier model. Moreover, ensemble learning was proposed to recover the dropped accuracy. We have tested the proposed approach on CISC datasets including dynamic and static features, and the results show that the proposed method is not only able to lighten the model up to 99%, but also maintain the accuracy of the lightened model to the extent of the heavy model.

Issue Info: 
  • Year: 2023
  • Volume: 15
  • Issue: 1
  • Pages: 59-71
Measures: 
  • Citations: 0
  • Views: 18
  • Downloads: 2
Abstract: 

Sensitive methods are those that are commonly used by Android malware to perform malicious behavior. These methods may be either evasion or malicious payload methods. Although there are several approaches to handle these methods for performing effective dynamic malware analysis, generally most of them are based on a manually created list. However, the performance shown by the selected approaches is dependent on completeness of the manually created list that is not almost a complete and up-to-date one. Missing some sensitive methods causes to degrade the overall performance and affects the effectiveness of analyzing Android malware. In this paper, we propose a machine learning approach to predict new sensitive methods that might be used in Android malware. We use a manually collected training dataset to train two classifiers: a classifier for detecting the sensitivity nature of the Android methods, and another classifier to categorize the detected sensitive methods into predefined categories. We applied the proposed approach to a large number of methods extracted from Android API 27. The proposed approach is able to predict hundreds of sensitive methods with accuracy of 90.5% for the first classifier and 87.4% for the second classifier. To evaluate the proposed approach, we built a new list of the detected sensitive methods and used it in a number of tools to perform dynamic malware analysis. The proposed model found various sensitive methods that were not considered before by any other tools. Hence, the effectiveness of these tools in performing dynamic analysis is increased.
