Mining Apps for Abnormal Usage of Sensitive Data

Author(s): Vitalii Avdiienko, Konstantin Kuznetsov, Alessandra Gorla, Andreas Zeller, Steven Arzt, Siegfried Rasthofer, and Eric Bodden
Venue: IEEE International Conference on Software Engineering
Date: 2015


This paper highlights the characteristics of malicious Android apps and how they can be automatically detected by software. The authors also present their own solution to the problem of malicious software detection: a tool called MUDFLOW.

One common way to detect malicious Android apps is to work retrospectively: the detection software compares a target app against known malicious apps to see if they are similar. With MUDFLOW, the authors show that instead of checking how similar an app is to malicious software, one can check how it differs from benign (trusted) software. They accomplish this by characterizing the flow of sensitive data within an app as either normal or suspicious, based on how much of an outlier the target app is in comparison to a set of 2,950 trusted apps pulled from the Google Play app store.
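The idea of learning only from benign apps can be sketched in a few lines. The following is an added example, not MUDFLOW's code or its actual classifier: it assumes each app has already been reduced to a set of (source, sink) data flows, uses mean Jaccard distance to the k nearest benign apps as the outlier score, and all app names, flow labels and function names are constructed for illustration.

```python
from statistics import mean

# Constructed sample data: each app is the set of (source, sink) flows a
# static taint analysis reported for it. Labels are illustrative only.
BENIGN = {
    "maps_a":  {("Location", "Log"), ("Location", "Network")},
    "maps_b":  {("Location", "Network"), ("Location", "Log")},
    "chat_a":  {("Contacts", "Network"), ("Location", "Log")},
    "chat_b":  {("Contacts", "Network"), ("Contacts", "Log")},
    "notes_a": {("Location", "Log"), ("Contacts", "Log")},
    "notes_b": {("Contacts", "Log"), ("Location", "Network")},
}

def jaccard_distance(a, b):
    """0.0 for identical flow sets, 1.0 for sets with no flow in common."""
    union = a | b
    return 1.0 - len(a & b) / len(union) if union else 0.0

def outlier_score(flows, corpus, k=2):
    """Mean distance from `flows` to its k nearest apps in the benign corpus."""
    dists = sorted(jaccard_distance(flows, other) for other in corpus)
    return mean(dists[:k])

def fit_threshold(benign, k=2):
    """Leave-one-out calibration: the highest score any benign app receives
    when compared against the remaining benign apps. No malware is needed."""
    scores = []
    for name, flows in benign.items():
        rest = [f for n, f in benign.items() if n != name]
        scores.append(outlier_score(flows, rest, k))
    return max(scores)

def is_suspicious(flows, benign=BENIGN, k=2):
    """Flag an app whose flows lie further from the benign corpus than any
    benign app lies from its peers."""
    threshold = fit_threshold(benign, k)
    return outlier_score(flows, list(benign.values()), k) > threshold

if __name__ == "__main__":
    # Constructed target: sends several kinds of sensitive data to the network.
    target = {("SMS", "Network"), ("Contacts", "Network"), ("DeviceId", "Network")}
    print(outlier_score(target, list(BENIGN.values())), is_suspicious(target))
```

Lowering the threshold below the benign maximum would catch more unusual apps at the cost of flagging some trusted ones, which is the trade-off behind a detector's false positive rate.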

As a result of their study, the authors found that the MUDFLOW tool recognizes 86.4% of malware, with a false positive rate of 18.7%. They conclude that their approach for locating malware based only on learning from benign apps is effective. However, they do note that more work on their tool is still required, as it could be fooled by methods such as reflection, native code, and self-decrypting code.