Abstract

A hidden Markov model approach is leveraged to detect potentially malicious Android applications at runtime based on analyzing the Intents passing through the binder. Real world applications are emulated, their Intents are parsed, and, after appropriate discretization of the Intent action fields, they train the hidden Markov models for recognizing anomalous and benign Android application behaviors. The inferred stochastic processes can probabilistically estimate whether an application is performing a malicious or benign action as it is running on the device. Such a decision is realized through a maximum likelihood estimation. The results show that the method is capable of detecting malicious Android applications as they run on the platform.