Extracting Android Applications Data for Anomaly-based Malware Detection

Abstract

In order to apply any machine learning algorithm or classifier it is fundamentally important to first and foremost collect relevant features This is most important in the field of dynamic analysis approach to anomaly malware detection systems In this approach the behaviour patterns of applications while in execution are analysed The behaviour features that Android as a system allows access permissions to depend on the type of device either rooted or not Android is based on the Linux kernel at the bottom layer all layers on top of the kernel run without privileged mode Thus if a behaviour feature vector is created from features of Android Application Programming Interface API in unrooted mode then only system information made available by Android can be used In this paper a Device Monitoring system for an unrooted device is developed and used to collect Android application data The application data is used to build feature vectors that describes the Android application behaviour for Anomaly malware detection This application is able to collect essential information from Android application such as installed applications and services running within the device before or after the Monitoring application was started the date time stamp calls initiated from the device calls received by the device sent short message services SMSs SMSs received and the status of the device as at when the event took place This information is loggedin a comma separated value csv file format and stored on the SDcard of the device The csv file is converted toattribute relation file format arff the format acceptable by WEKA machine learning tool This arff file of feature vectors is then used as input to the Classifier in the Android malware detection system