Publication | Closed Access
Rapid Permissions-Based Detection and Analysis of Mobile Malware Using Random Decision Forests
Citations: 43
References: 27
Year: 2013
Venue: Unknown
Hardware Security, Mobile Security, Engineering, Machine Learning, Data Science, Data Mining, Pattern Recognition, Information Security, Threat Detection, Evasion Technique, Novel Malware, Mobile Malware, Training Features, Computer Science, Rapid Permissions-based Detection, Malware Analysis
The explosion in mobile malware has led to the need for early, rapid detection mechanisms that can detect malware and identify risky applications prior to their deployment on end-user devices without the high cost of manual static and dynamic analysis. Previous work has shown that specific combinations of Android permissions, intents, broadcast receivers, native code and embedded applications can be effectively used to identify potentially malicious applications. We extend this work by using frequent combinations of such attributes as training features for random decision forest classification of malicious and benign applications. We demonstrate that using combinations of frequently occurring permissions in this manner significantly improves previous results, and provides true positive rates in excess of 90% while maintaining tractable false positive rates. This is true even with novel malware that is not reliably detected at the time of release by conventional anti-malware tools. In addition, the auxiliary information generated by the random decision forest algorithm provides useful insights into the key indicators of malicious activity and the functionality of the associated malware.