Publication | Closed Access
What does the memory say? Towards the most indicative features for efficient malware detection
Citations: 10
References: 18
Year: 2016
Venue: Unknown
Mobile Security, Engineering, Evasion Technique, Information Security, Software Systems, Software Engineering, Software Analysis, Hardware Security, Efficient Malware Detection, Malware Detection, Memory Analysis, Static Analysis, Computer Engineering, Mobile Malware, Computer Science, Program Analysis, Software Testing, Indicative Features, Anti-virus Technique, Malware Detection Methods, Malware Analysis
Malware detection methods fall into two groups: static and dynamic. Methods based on static analysis can be lightweight and suited to the constrained resources of mobile devices, but they cannot detect malware while it is executing. Dynamic detection methods, on the other hand, are usually too complex to run on mobile devices. This paper is about dynamic but lightweight detection methods and, in particular, about the features such methods can use to identify malware. We consider all memory- and CPU-usage features that can be collected and observed on the mobile device through its operating system. We analyze these features and their significance within each malware family and select the most indicative ones per family. We then analyze how often each feature occurs among the most indicative features across all families. Selecting the most indicative features per family lets us identify those that remain useful across a variety of mobile malware, rather than only observing the overall significance of each feature. Results show that the number of occurrences of features among the most indicative ones varies: some features are good candidates for malware detection in general, some are good candidates for detecting specific malware families, and others are simply irrelevant.
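The per-family ranking and cross-family occurrence count described in the abstract, as an added example that is not code from the paper. The paper does not name its significance measure, so this example assumes a standardized mean difference (Cohen's d with pooled standard deviation) as a stand-in; the samples are constructed, only loosely modelled on fields an app can read from /proc/<pid>/stat and /proc/<pid>/status, and the family names are placeholders rather than real malware families.

```python
"""Added example, not from the paper: per-family indicative memory/CPU features.

ASSUMPTION: feature significance is measured with Cohen's d (pooled SD); the
paper does not state its measure.  The samples below are CONSTRUCTED and the
family names FamA/FamB/FamC are placeholders, not real malware families.
"""
from collections import Counter
from math import sqrt
from statistics import mean, pstdev

# Feature names loosely follow /proc/<pid>/status (VmRSS, VmSize, Threads)
# and /proc/<pid>/stat (utime, stime, minflt) as an app could sample them.
FEATURES = ["vm_rss_kb", "vm_size_kb", "utime", "stime", "minflt", "threads"]


def vec(*values):
    return dict(zip(FEATURES, values))


# Constructed per-process snapshots: (label, feature vector).
SAMPLES = [
    ("benign", vec(40000, 300000, 100, 30, 900, 10)),
    ("benign", vec(44000, 320000, 120, 34, 1000, 12)),
    ("benign", vec(42000, 310000, 110, 32, 950, 11)),
    # FamA: kernel-heavy CPU time and many page faults, ordinary footprint.
    ("FamA", vec(41000, 305000, 115, 300, 9000, 11)),
    ("FamA", vec(43000, 315000, 105, 340, 9500, 10)),
    ("FamA", vec(42000, 310000, 110, 320, 9200, 12)),
    # FamB: large resident set and many threads, ordinary CPU time.
    ("FamB", vec(200000, 900000, 110, 33, 950, 60)),
    ("FamB", vec(210000, 950000, 105, 31, 1000, 61)),
    ("FamB", vec(205000, 920000, 115, 32, 900, 62)),
    # FamC: large resident set and many page faults.
    ("FamC", vec(150000, 310000, 110, 30, 6000, 10)),
    ("FamC", vec(160000, 320000, 100, 34, 6400, 12)),
    ("FamC", vec(155000, 300000, 120, 32, 6200, 11)),
]


def cohens_d(a, b):
    """Standardized mean difference with pooled population SD.

    A zero pooled SD with differing means is treated as infinitely indicative;
    identical constant values are treated as not indicative at all.
    """
    pooled = sqrt((pstdev(a) ** 2 + pstdev(b) ** 2) / 2)
    diff = mean(a) - mean(b)
    if pooled == 0:
        return 0.0 if diff == 0 else float("inf")
    return diff / pooled


def feature_scores(samples, family, benign="benign"):
    """|d| of every feature for `family` against `benign`; larger = more indicative."""
    fam = [v for lbl, v in samples if lbl == family]
    ben = [v for lbl, v in samples if lbl == benign]
    return {f: abs(cohens_d([v[f] for v in fam], [v[f] for v in ben])) for f in FEATURES}


def indicative_features(samples, family, k=2):
    """The k most indicative features for one family, best first."""
    scores = feature_scores(samples, family)
    return sorted(FEATURES, key=lambda f: scores[f], reverse=True)[:k]


def occurrence_counts(samples, k=2, benign="benign"):
    """How many families list each feature among their top-k.

    A high count marks a feature useful for detection in general, a count of one
    marks a family-specific feature, and zero marks a feature that is irrelevant
    on this data.
    """
    families = sorted({lbl for lbl, _ in samples if lbl != benign})
    counts = Counter({f: 0 for f in FEATURES})
    for fam in families:
        counts.update(indicative_features(samples, fam, k))
    return counts


if __name__ == "__main__":
    for fam in ("FamA", "FamB", "FamC"):
        print(fam, indicative_features(SAMPLES, fam))
    print(occurrence_counts(SAMPLES).most_common())
```

On this constructed data minflt and vm_rss_kb each rank in the top two for two families, stime and threads for one family each, and utime and vm_size_kb for none, which is the three-way split the abstract describes. On real traces the choice of significance measure matters: a raw mean difference would let large-valued features such as VmSize dominate, which is why the example standardizes by spread.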