Pierluigi Paganini October 09, 2014

A team of German researchers developed an innovative Android app dubbed DREBIN capable of detecting 94 percent of mobile malware.

A team of German researchers composed by Daniel Arp, Konrad Rieck, Malte Hubner, Michael Spreitzenbarth of Siemens computer emergency response team and Hugo Gascon of the University of Gottingen have developed an Android app capable of detecting 94 percent of mobile malware. The experts have tested their application, dubbed DREBIN, on a large set of code composed by 123,453 benign applications deployed in different Android app stores and 5560 new malware samples. DREBIN detects 94 percent of the malware with few false-positive, nearly one percent,  corresponding to a single case of 100 of a benign application recognized as malicious app.

The detection mechanism implemented by the team is based on a “a broad static analysis” which allows DREBIN app to gather as many features of an application as possible.

“As the limited resources impede monitoring applications at run-time, DREBIN performs a broad static analysis, gathering as many features of an application as possible,” the researchers wrote in the paper DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket (PDF). “

The collected features are archived in a joint vector space, such that typical patterns indicative of  malicious code activity, that are used for a very quick detection of threat agents on the mobile.

“DREBIN performs a broad static analysis, gathering as many features from an application’s code and manifest as possible” wrote the authors. “As an example, an application sending premium SMS messages is cast to a specific region in the vector space associated with the corresponding permissions, intents and API calls,” the researchers wrote. “This geometric representation enables DREBIN to identify combinations and patterns of features indicative for malware automatically using machine learning techniques.”

The researchers tested BREBIN on five popular smartphones, the technique requires just a few seconds,rendering it suitable for checking downloaded applications directly on the device. On older mobile phones the process is anyway very quick, just 20 seconds are necessary to scan a device. The test demonstrated that on a 2.26Ghz core duo desktop with 4Gb of RAM the tool could scan a whopping 100,000 apps a day.

The researchers sustain that DREBIN is the first method which provides effective and explainable detection of Android malicious code malware directly on the mobile device. The approach is considered innovative and effective because DREBIN is capable of identifying Android malware with high accuracy and independent of manually crafted detection patterns

“Patterns of features indicative for a detected malware instance can be traced back from the vector space and provide insights into the detection process.” states the paper.

DREBIN is also able to detect obfuscation mechanisms implemented by malware authors to repack their malicious code or insert junk data. According to the researchers DREBIN presents a limitation, it isn’t able to detect dynamically loaded and obfuscated malware because it builds on concepts of static analysis despite it combines it with a machine learning mechanism.

In the following image are reported the results of tests made on the detection capability of the app.

The application is considered innovative because different from its rivals like TaintDroid, DroidRanger and RiskRanker, doesn’t rely on manually crafted detection patterns that would be circumvented by malware authors.

Pierluigi Paganini

(Security Affairs – DREBIN, mobile)