A Data-driven Characterization of Modern Android Spyware

Fabio Pierazzi, Ghita Mezzour, Qian Han, Michele Colajanni, V. S. Subrahmanian

Research output: Contribution to journal › Article › peer-review

27 Scopus citations

Abstract

According to Nokia's 2017 Threat Intelligence Report, 68.5% of malware targets the Android platform; Windows is second with 28%, followed by iOS and other platforms with 3.5%. The Android spyware family UAPUSH was responsible for the most infections, and several of the top 20 most common Android malware were spyware. Simply put, modern spyware steals the basic information needed to fuel more deadly attacks such as ransomware and banking fraud. Not surprisingly, some forms of spyware are also classified as banking trojans (e.g., ACECARD). We present a data-driven characterization of the principal factors that distinguish modern Android spyware (July 2016-July 2017) both from goodware and from other Android malware, using both traditional and deep ML. First, we propose an Ensemble Late Fusion (ELF) architecture that combines multiple classifiers' predicted probabilities to generate a final prediction. We show that ELF outperforms several of the best-known traditional and deep learning classifiers. Second, we automatically identify key features that distinguish spyware both from goodware and from other malware. Finally, we present a detailed analysis of the factors distinguishing five important families of Android spyware: UAPUSH, PINCER, HEHE, USBCLEAVER, and ACECARD (the last is a hybrid spyware-banking trojan).

Original language: English (US)
Article number: 3382158
Journal: ACM Transactions on Management Information Systems
Volume: 11
Issue number: 1
DOI: https://doi.org/10.1145/3382158
State: Published - Apr 10 2020

Funding

This work was supported in part by the Office of Naval Research via grants N00014-15-1-2007 and N00014-16-1-2896, the Army Research Office under grant W911NF1410358, and the North Atlantic Treaty Organization (NATO) Science for Peace and Security (SPS) programme under grant G5319.

Authors' addresses: F. Pierazzi, Department of Informatics, King's College London, Strand, London, UK; G. Mezzour, International University of Rabat, FIL, TICLab, Morocco; Q. Han and V. S. Subrahmanian, Department of Computer Science, Dartmouth College, Hanover, USA; M. Colajanni, University of Modena and Reggio Emilia, Italy.

© 2020 Association for Computing Machinery. 2158-656X/2020/04-ART4 $15.00 https://doi.org/10.1145/3382158

Keywords

  • Android
  • Machine learning
  • characterization
  • malware
  • spyware

ASJC Scopus subject areas

  • Management Information Systems
  • General Computer Science
