Android Malware Detection Based on Software Complexity Metrics

Bibliographic Details
Published in: Trust, Privacy, and Security in Digital Business, pp. 24-35
Main Authors: Protsenko, Mykola; Müller, Tilo
Format: Book Chapter
Language: English
Published: Cham, Springer International Publishing
Series: Lecture Notes in Computer Science
Summary: In this paper, we propose a new approach for the static detection of Android malware by means of machine learning that is based on software complexity metrics, such as McCabe’s Cyclomatic Complexity and the Chidamber and Kemerer Metrics Suite. The practical evaluation of our approach, involving 20,703 benign and 11,444 malicious apps, witnesses a high classification quality of our proposed method, and we assess its resilience against common obfuscation transformations. With respect to our large-scale test set of more than 32,000 apps, we show a true positive rate of up to 93% and a false positive rate of 0.5% for unobfuscated malware samples. For obfuscated malware samples, however, we register a significant drop of the true positive rate, whereas permission-based classification schemes are immune against such program transformations. According to these results, we advocate for our new method to be a useful detector for samples within a malware family sharing functionality and source code. Our approach is more conservative than permission-based classifications, and might hence be more suitable for an automated weighting of Android apps, e.g., by the Google Bouncer.
ISBN: 9783319097695, 3319097695
ISSN: 0302-9743, 1611-3349
DOI: 10.1007/978-3-319-09770-1_3