
IntelliAV: Toward the Feasibility of Building Intelligent Anti-Malware on Android Devices

IntelliAV is a practical intelligent anti-malware solution for Android devices based on the open-source and multi-platform TensorFlow library.

Android is the platform most targeted by malware authors, as its user base keeps growing. Although there are many Android anti-malware solutions on the market, almost all of them are based on malware signatures, and more advanced solutions based on machine learning techniques are not considered practical given the limited computational resources of mobile devices.

There are many reasons for a user to have an intelligent security tool capable of identifying potential malware on the device.

1. The Google Play Store is not totally free of malware. Many zero-day mobile malware samples have been found in Google Play in the past.

2. Third-party app stores are popular among mobile users. Nevertheless, security checks on the third-party stores are not as effective as those available on the Google Play Store.

3. Users are quite often lured by tempting fake titles, such as free games, when browsing the web, so that applications are downloaded and installed directly on the device from untrusted websites.

4. Another source of infection is phishing SMS messages that contain links to malicious applications. Recent reports by Lookout and Google show how targeted-attack malware, namely Pegasus (Chrysaor), which is suspected of infecting devices via phishing, could remain undetected for a few years.

5. One of the main concerns for any computing device in the industry is to make sure that the device a user buys is free of malware. Mobile devices are no exception, and securing the supply chain is extremely difficult, given the number of people and companies involved in the supply chain of the components. A recent report shows how some malware was added to Android devices somewhere along the supply chain before the user received the phone.

6. Almost all Android anti-malware products are signature-based, which lets both variants of known malware families and zero-day threats reach devices. A few Android anti-malware vendors claim to use machine learning approaches, even if no details are available on the mechanisms actually implemented on the device.

7. Offline machine learning systems would fail against wrapper/downloader malware, as the wrapper/downloader app usually doesn't reveal enough malicious activity.

IntelliAV (http://www.intelliav.com) is a practical intelligent anti-malware solution for Android devices based on the open-source and multi-platform TensorFlow library.
The details of the system can be found in a paper that the authors will present at the CD-MAKE 2017 conference in September in Reggio Calabria, Italy.

IntelliAV does not aim to propose yet another learning-based system for Android malware detection; rather, by leveraging the existing literature, the authors tested the feasibility of an on-device intelligent anti-malware tool that tackles the deficiencies of existing Android anti-malware products, which are mainly based on pattern matching techniques.
The architecture of the proposed IntelliAV system consists of two main phases: offline training of the model, and then its operation on the device to detect potential malware samples.
In the first phase, a classification model is built offline in a conventional computing environment. The training phase does not need to run on the device, because it has to be performed on a substantial set of samples whenever the evolution of malware requires it. The model should need updating only rarely, as reports by AV-TEST showed that just 4% of the total number of Android malware is actually new malware.
In the second phase, the model is embedded in the IntelliAV Android application, which provides a risk score for each application on the device.

IntelliAV can scan all of the applications installed on the device and report their risk scores (Quick Scan). In addition, when a user downloads an APK, IntelliAV can analyze it before installation to check its risk score, so that the user can take the appropriate decision (Custom Scan).
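As an added illustration of the two-phase design described above (this is not IntelliAV's code; a tiny pure-Python logistic regression stands in for the TensorFlow model), the example below trains a classifier offline on a constructed feature set, then ships only the learned weights to produce a per-app risk score for a Quick Scan over installed apps and a Custom Scan of a single APK. The permission flags, the samples and the 0.5 decision threshold are assumptions made for the example.

```python
import math

# Constructed feature set: one binary flag per requested permission.
# These are illustrative assumptions, not IntelliAV's real feature vector.
FEATURES = ("SEND_SMS", "RECEIVE_BOOT_COMPLETED", "INTERNET", "READ_CONTACTS")

# Constructed training set: (feature vector, label), label 1 = malicious.
TRAINING_SET = [
    ((0, 0, 1, 0), 0), ((0, 0, 1, 1), 0), ((0, 1, 1, 0), 0), ((0, 0, 0, 0), 0),
    ((1, 1, 1, 1), 1), ((1, 0, 1, 1), 1), ((1, 1, 1, 0), 1), ((1, 1, 0, 1), 1),
]

def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def train_offline(samples, lr=0.5, epochs=2000):
    """Phase 1 (offline): logistic regression by batch gradient descent.
    Returns (weights, bias), the only artefact that ships inside the app."""
    n = len(samples[0][0])
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * n, 0.0
        for x, y in samples:
            err = _sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / len(samples) for wi, g in zip(w, gw)]
        b -= lr * gb / len(samples)
    return w, b

def risk_score(model, features):
    """Phase 2 (on device): probability in [0, 1] that an app is malicious."""
    w, b = model
    return _sigmoid(sum(wi * xi for wi, xi in zip(w, features)) + b)

def quick_scan(model, installed_apps, threshold=0.5):
    """Score every installed app; returns {name: (score, flagged)}."""
    report = {}
    for name, feats in installed_apps.items():
        s = risk_score(model, feats)
        report[name] = (s, s >= threshold)
    return report

def custom_scan(model, apk_features, threshold=0.5):
    """Score one downloaded APK before installation; returns (score, flagged)."""
    s = risk_score(model, apk_features)
    return s, s >= threshold
```

Only the `(weights, bias)` pair returned by `train_offline` would be packaged with the app, which is why the costly training loop never has to run on the phone.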


Challenging Modern AV vendors

Based on recent reports by VirusTotal, there is an increase in the number of anti-malware developers that resort to machine learning approaches for malware detection. However, the main focus of these products appears to be desktop malware, especially Windows PE malware. Based on the publicly available information, there is evidence of just two anti-malware developers that use machine learning approaches for Android malware detection, namely Symantec and TrustLook. Their products are installed by more than 10 million users. While it is not clear how these products use machine learning, the authors considered them as two candidates for comparison with IntelliAV. To provide a sound comparison, in addition to the Symantec and TrustLook products, the authors selected three other Android anti-malware products, i.e., AVG, Avast, and Qihoo 360, which are the most popular among Android users, having been installed more than 100 million times. The authors compared the performance of IntelliAV against these products on 2311 recent Android malware samples (from January to March 2017).

As an independent test, IntelliAV was tested by AV-TEST on 500 recent and common Android malware samples in July 2017.
Interestingly, it achieved a 96% detection rate although the last model update of IntelliAV was in December 2016, which shows the power of IntelliAV in detecting unknown malware.

About the Author Mansour Ahmadi

IntelliAV has been developed at the University of Cagliari, Italy, by Mansour Ahmadi, Angelo Sotgiu, and Giorgio Giacinto. Mansour Ahmadi is a post-doctoral researcher at the PRA lab at the University of Cagliari, Italy. Angelo Sotgiu has a bachelor's degree from the University of Cagliari. Prof. Giorgio Giacinto is an Associate Professor of Computer Engineering at the University of Cagliari.


Edited by Pierluigi Paganini

(Security Affairs – IntelliAV, antivirus)

