An Effective Risk Computation Metric for Android Malware Detection

ABSTRACT

Android has been targeted by malware developers since it emerged as the most widely used operating system for smartphones and mobile devices. Android security relies largely on user decisions: an application (app) is installed only after the user approves its requested permissions. A systematic mechanism that helps users make appropriate decisions can therefore significantly improve the security of Android-based devices by preventing the installation of malicious apps. However, the criticality of permissions and the security risk values of apps are not well determined for users, so they cannot make correct decisions. In this study, a new metric is introduced for effective risk computation of untrusted apps based on their requested permissions. The metric leverages both the frequency with which a permission is used by malware and its rarity in normal apps. Based on the proposed metric, an algorithm is developed and implemented for identifying critical permissions and computing risk effectively. The proposed solution can be used directly by device owners to make better decisions, or by Android markets to filter out suspicious apps for further examination. Empirical evaluations on real malicious and normal app samples show that the proposed metric has a high malware detection rate and is superior to recently proposed risk score measurements. Moreover, it performs well on unseen apps in terms of security risk computation.

INTRODUCTION

Android has become the most popular operating system for smartphones and tablets, which makes its users the largest target group for security threats. Its security architecture reduces the attack surface by restricting applications through permissions and sandboxing. Therefore, in order to perform malicious activities such as stealing user data, sending premium-rate messages or making phone calls, an attacker must deceive the user into installing a malicious app, since other avenues of intrusion are largely closed in Android. To install an app, Android requires the user to grant the privileges the app requests as permissions. A large number of applications (apps) have been developed for this operating system, each requesting various permissions according to its functionality. These permissions are displayed on the first screen of the installation dialog, and the user must either approve them or abandon the installation. The granted privileges remain unchanged until the app is removed (this describes the install-time permission model the paper studies; since Android 6.0, dangerous permissions are requested at runtime and can be revoked in Settings). Although this mechanism is simple and straightforward for users, it raises several problems. First, users usually do not spend much time studying the permissions or thinking about their effects; they tend to proceed and complete the installation. Moreover, an ordinary user lacks technical knowledge of Android permissions and their impact. Therefore, this security model is not effective in protecting the security and privacy of end users, neither in preserving their personal information from disclosure nor in preventing the abuse of their monetary resources by various kinds of malware. Consequently, Android malware such as spyware, Trojans or adware can deceive users by presenting itself as a useful app, steal their personal or business data, and consume their phone credit and money.
Some research has aimed to enhance the Android security model and its security risk communication mechanism: using better and more intuitive titles for permissions, categorizing permissions by their effects, reducing the number of permissions by merging similar ones, utilizing user reviews of apps, and using visual security indicators for risky apps, among others [1-6]. Additionally, a number of statistical and mining models have been presented to measure the security risk of Android apps. The number of critical permissions, and the number of critical permission combinations, requested by an app are simple examples of statistical security risk measures for apps [2]. Given an effective security measure, it is possible to compute the security risk of an app and raise a warning to the user if the computed risk exceeds a predetermined threshold. Users can also compare apps with similar functionality in terms of their risk scores. Furthermore, Android markets require an effective risk computation metric to identify suspicious apps, among the vast number newly submitted by developers, for further examination, because detailed analysis and deterministic malware detection for every app is very time consuming, and systematic filtering of low-risk apps is an important requirement. However, our evaluations show that current measures and models of Android risk computation do not perform acceptably: they do not compute relatively high risk values for known malware and low risk values for benign apps, and so do not separate malicious apps from non-malicious ones well. In this paper, a new security risk score measurement is proposed which performs better than previously proposed ones. This risk score draws on statistics of permission usage in known malicious and clean apps.
Although the metric is defined over permissions, it can be extended straightforwardly to other features of Android apps, both static and dynamic. Moreover, we attempt to give a better definition of permission criticality to help users make the best decision when installing new apps. We show the effectiveness of the proposed metric through extensive experiments on a large number of real Android app samples, including both malware and goodware. The paper is organized as follows. In the next section, previous research on Android security and malware detection is reviewed. The problem statement is presented in Section 3. In Section 4, the new security risk score metric is introduced, together with our algorithm for risk computation using it. Extensive experimental evaluations of the proposed measure against previously proposed ones are presented in Section 5. These experiments were performed using known Android malware and ordinary useful apps from the Google app store. Finally, Section 6 concludes the paper.

CONCLUSION

In this study, a new risk score metric, named RF, is devised; it achieves a better detection rate than other measurements because it identifies critical permissions precisely. Empirical evaluations on real Android apps show that RF computes relatively high risk values for known malware compared with ordinary apps, since it differentiates well between permissions in terms of their usage in malware and in clean apps. As a result, RF has a high detection rate in comparison with previous risk score measurements. Moreover, the proposed measurement is highly explainable, since the score of an app is simply the sum of the risk values of the critical permissions it requests, and the risk values of the permissions can be pre-computed from available known malware and goodware. A look at the most critical permissions listed in Table (2), as obtained by the proposed metric, shows that they are permissions that let an app perform malicious activities once a subset of them is granted. In this study, all analyzed malicious apps were placed in a single category named malware. However, using larger and categorized malware datasets, risk scores could be computed more precisely: exploiting prior knowledge of malware types such as Trojans, adware and spyware could enhance performance, since different malware types have different impacts and thus different security risk values; for example, adware can be less dangerous than spyware. Computing RF for pairs of permissions could further improve the devised approach and thus yield better estimates of security risk values. Although the proposed approach is based on permission analysis, it can be extended to, or complemented with, other features such as Android function calls and dynamic execution flow analysis, which contain more detailed information.
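The abstract names the two ingredients of the metric (how often malware requests a permission, and how rare that permission is among normal apps) and the conclusion states that an app's score is the sum of pre-computed per-permission risk values. The page does not reproduce the exact RF formula, so the Python below is an added illustration of that scheme, not the authors' code: it combines malware frequency with a log-scaled benign rarity (an assumed choice), sums the weights per app, picks a threshold, and reports which permissions drove a score. The permission sets are constructed toy corpora, not data from the paper.

```python
"""Permission-based risk scoring: malware frequency weighted by benign rarity.

Added example; the weighting below is an assumed instantiation of the
"frequency in malware x rarity in normal apps" idea, not the paper's RF.
"""
import math
from collections import Counter

# Constructed toy corpora (not from the paper): each app is the set of
# permissions it requests.
MALWARE_APPS = [
    {"INTERNET", "SEND_SMS", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED"},
    {"INTERNET", "SEND_SMS", "READ_SMS", "READ_PHONE_STATE"},
    {"INTERNET", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED", "READ_CONTACTS"},
    {"INTERNET", "SEND_SMS", "RECEIVE_SMS", "READ_PHONE_STATE"},
]
BENIGN_APPS = [
    {"INTERNET", "ACCESS_NETWORK_STATE"},
    {"INTERNET", "ACCESS_NETWORK_STATE", "CAMERA"},
    {"INTERNET", "READ_CONTACTS"},
    {"ACCESS_NETWORK_STATE", "VIBRATE"},
    {"INTERNET", "ACCESS_NETWORK_STATE", "READ_PHONE_STATE"},
]


def permission_weights(malware, benign):
    """Pre-compute one risk weight per permission from labelled apps.

    weight(p) = freq_malware(p) * rarity_benign(p), where
      freq_malware(p)  = fraction of malware samples requesting p
      rarity_benign(p) = log((|benign| + 1) / (benign_count(p) + 1)),
                         add-one smoothed so a permission never seen in
                         benign apps stays finite but is strongly penalised.
    A permission common to both classes (INTERNET) ends up near zero; one
    that only malware uses (SEND_SMS) ends up large.
    """
    mal = Counter(p for app in malware for p in app)
    ben = Counter(p for app in benign for p in app)
    weights = {}
    for p in set(mal) | set(ben):
        freq = mal[p] / len(malware)
        rarity = math.log((len(benign) + 1) / (ben[p] + 1))
        weights[p] = freq * rarity
    return weights


def app_risk(perms, weights):
    """Risk of an app = sum of the weights of its requested permissions.
    A permission absent from the training corpora contributes 0, which is a
    blind spot: new or custom permissions are invisible to the score."""
    return sum(weights.get(p, 0.0) for p in perms)


def explain(perms, weights, top_n=3):
    """The score is a plain sum, so the heaviest permissions explain it."""
    contrib = [(p, weights.get(p, 0.0)) for p in perms]
    return sorted(contrib, key=lambda pw: pw[1], reverse=True)[:top_n]


def choose_threshold(malware, benign, weights):
    """Midpoint between the lowest-scoring known malware and the
    highest-scoring benign app. A market would tune this on held-out data
    rather than on the same samples used to fit the weights."""
    lowest_malware = min(app_risk(a, weights) for a in malware)
    highest_benign = max(app_risk(a, weights) for a in benign)
    return (lowest_malware + highest_benign) / 2


def detection_rate(apps, weights, threshold):
    """Fraction of apps whose score reaches the threshold."""
    flagged = sum(1 for a in apps if app_risk(a, weights) >= threshold)
    return flagged / len(apps)


WEIGHTS = permission_weights(MALWARE_APPS, BENIGN_APPS)
THRESHOLD = choose_threshold(MALWARE_APPS, BENIGN_APPS, WEIGHTS)

if __name__ == "__main__":
    for p, w in sorted(WEIGHTS.items(), key=lambda kv: -kv[1]):
        print(f"{p:24s} {w:.3f}")
    print("threshold:", round(THRESHOLD, 3))
    # An app not in either corpus: SMS-capable with no other functionality.
    unseen = {"INTERNET", "SEND_SMS", "RECEIVE_SMS"}
    print("unseen app risk:", round(app_risk(unseen, WEIGHTS), 3),
          "flagged" if app_risk(unseen, WEIGHTS) >= THRESHOLD else "clean")
    print("driven by:", explain(unseen, WEIGHTS))
```

On these toy corpora INTERNET, requested by nearly every app in both classes, receives a near-zero weight, while SEND_SMS and READ_PHONE_STATE dominate; that is what lets a bare sum separate the classes, and why a plain count of "dangerous" permissions (which treats INTERNET and SEND_SMS alike) does worse. The threshold chosen on training data is optimistic; the paper's own evaluation on unseen apps is the relevant check.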

About KSRA

The Kavian Scientific Research Association (KSRA) is a non-profit research organization founded in December 2013 to provide research and educational services. Its members had first formed a virtual group on the Viber social network, and the core of the association was formed from these members as founders. These individuals, led by Professor Siavosh Kaviani, decided to launch a scientific research association with an emphasis on education.

KSRA, as a non-profit research firm, is committed to providing research services in the field of knowledge. The main beneficiaries of the association are public and private knowledge-based companies, students, researchers, professors, universities, and industrial and semi-industrial centers around the world.

Our main services are based on education for people of all backgrounds around the world. We want to integrate research and education. We believe education is a basic human right, so our services concentrate on inclusive education.

The KSRA team partners with under-served local communities around the world to improve access to and the quality of knowledge through education, to amplify and augment learning programs where they exist, and to create new opportunities for e-learning where traditional education systems are lacking or non-existent.

Bibliography

Authors

Mahmood Deypir, Ehsan Sharifi

Publisher

Journal

Journal of Information Systems and Telecommunication (JIST)

DOI

https://doi.org/10.7508/jist.2016.04.005



Ehsan Sharifi has a Ph.D. in software engineering from Amirkabir University of Technology. His major research interests are software quality, software architecture and semantic web.