Towards a Longitudinal Comparison Between Different Strategies for Android Malware Detection

Abstract

The growing popularity of the Android platform makes it a target of malware authors. The effective identification of such malware is an ongoing challenge. Several methods using machine learning have been proposed to prevent this threat. These methods are usually conventionally evaluated without considering the extent of performance over time. Given the evolving nature of both malware and benign apps, conventional evaluation may lack information. To imitate reality, this study compares the longitudinal performance of different machine learning models, using different strategies that combine permissions and API calls as features extracted through static analysis. Thus, to determine which strategy of features on which classifier are most effective to characterize malware for building a robust malware detector. To achieve this goal, on the one hand, we use a large real-world app set consisting of 100K (50k benign, 50k malware) apps date-labeled, collected across ten years, first seen between 2013 and 2022. On the other hand, each feature's strategy is fed into five classifiers (i.e., SVM, RF, LR, DT, and ANN), using old apps for the training and new apps for the evaluation. Among the assessed machine learning models, the SVM achieves the most promising results over time by employing the combination strategy of the high difference usage of API calls and permissions.