Categories: MalwareMobileSecurity

DREBIN Android app detects 94 percent of mobile malware

A team of German researchers developed an innovative Android app dubbed DREBIN capable of detecting 94 percent of mobile malware.

A team of German researchers composed by Daniel Arp, Konrad Rieck, Malte Hubner, Michael Spreitzenbarth of Siemens computer emergency response team and Hugo Gascon of the University of Gottingen have developed an Android app capable of detecting 94 percent of mobile malware. The experts have tested their application, dubbed DREBIN, on a large set of code composed by 123,453 benign applications deployed in different Android app stores and 5560 new malware samples. DREBIN detects 94 percent of the malware with few false-positive, nearly one percent,  corresponding to a single case of 100 of a benign application recognized as malicious app.

The detection mechanism implemented by the team is based on a “a broad static analysis” which allows DREBIN app to gather as many features of an application as possible.
“As the limited resources impede monitoring applications at run-time, DREBIN performs a broad static analysis, gathering as many features of an application as possible,” the researchers wrote in the paper DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket (PDF).
The collected features are archived in a joint vector space, such that typical patterns indicative of  malicious code activity, that are used for a very quick detection of threat agents on the mobile.
“DREBIN performs a broad static analysis, gathering as many features from an application’s code and manifest as possible” wrote the authors. “As an example, an application sending premium SMS messages is cast to a specific region in the vector space associated with the corresponding permissions, intents and API calls,” the researchers wrote. “This geometric representation enables DREBIN to identify combinations and patterns of features indicative for malware automatically using machine learning techniques.”
The researchers tested BREBIN on five popular smartphones, the technique requires just a few seconds,rendering it suitable for checking downloaded applications directly on the device. On older mobile phones the process is anyway very quick, just 20 seconds are necessary to scan a device. The test demonstrated that on a 2.26Ghz core duo desktop with 4Gb of RAM the tool could scan a whopping 100,000 apps a day.

The researchers sustain that DREBIN is the first method which provides effective and explainable detection of Android malicious code malware directly on the mobile device. The approach is considered innovative and effective because DREBIN is capable of identifying Android malware with high accuracy and independent of manually crafted detection patterns

“Patterns of features indicative for a detected malware instance can be traced back from the vector space and provide insights into the detection process.” states the paper.

DREBIN is also able to detect obfuscation mechanisms implemented by malware authors to repack their malicious code or insert junk data. According to the researchers DREBIN presents a limitation, it isn’t able to detect dynamically loaded and obfuscated malware because it builds on concepts of static analysis despite it combines it with a machine learning mechanism.

In the following image are reported the results of tests made on the detection capability of the app.

The application is considered innovative because different from its rivals like TaintDroid, DroidRanger and RiskRanker, doesn’t rely on manually crafted detection patterns that would be circumvented by malware authors.

Pierluigi Paganini

(Security Affairs – DREBIN, mobile)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds a Samsung MagicINFO 9 Server flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Samsung MagicINFO 9 Server vulnerability to its…

8 hours ago

New Signal update stops Windows from capturing user chats

Signal implements new screen security on Windows 11, blocking screenshots by default to protect user…

16 hours ago

Law enforcement dismantled the infrastructure behind Lumma Stealer MaaS

Microsoft found 394,000 Windows systems talking to Lumma stealer controllers, a victim pool that included…

21 hours ago

Russia-linked APT28 targets western logistics entities and technology firms

CISA warns Russia-linked group APT28 is targeting Western logistics and tech firms aiding Ukraine, posing…

23 hours ago

A cyberattack was responsible for the week-long outage affecting Cellcom wireless network

Cellcom, a regional wireless carrier based in Wisconsin (US), announced that a cyberattack is the…

1 day ago

Coinbase data breach impacted 69,461 individuals

Cryptocurrency exchange Coinbase announced that the recent data breach exposed data belonging to 69,461 individuals.…

2 days ago