Extracting Android Applications Data for Anomaly-based Malware Detection

Abstract

In order to apply any machine learning algorithm or classifier, it is fundamentally important to first and foremost collect relevant features. This is most important in the field of dynamic analysis approach to anomaly malware detection systems. In this approach, the behaviour patterns of applications while in execution are analysed. The behaviour features that Android as a system allows access permissions to depend on the type of device; either rooted or not. Android is based on the Linux kernel at the bottom layer, all layers on top of the kernel run without privileged mode. Thus, if a behaviour feature vector is created from features of Android (Application Programming Interface) API in unrooted mode, then only system information made available by Android can be used. In this paper, a Device Monitoring system for an unrooted device is developed and used to collect Android application data. The application data is used to build feature vectors that describes the Android application behaviour for Anomaly malware detection. This application is able to collect essential information from Android application such as installed applications and services running within the device before or after the Monitoring application was started, the date/time stamp, calls initiated from the device, calls received by the device, sent short message services (SMSs), SMSs received, and the status of the device as at when the event took place. This information is logged in a comma separated value (.csv) file format and stored on the SDcard of the device. The .csv file is converted to attribute relation file format (.arff); the format acceptable by WEKA machine learning tool. This .arff file of feature vectors is then used as input to the Classifier in the Android malware detection system.