Revisiting the description-to-behavior fidelity in Android applications

Abstract

Since more than 96% of mobile malware targets on Android platform, various techniques based on static code analysis or dynamic behavior analysis have been proposed to detect malicious applications. As malware is becoming more complicated and stealthy, recent research proposed a promising detection approach that looks for the inconsistency between an application's permissions and its description. In this paper, we revisit this approach and find that using description and permission will lead to many false positives. Therefore, we propose employing app's privacy policy and its bytecode to enhance description and permission for malware detection. It is non-trivial to automatically analyze privacy policy and perform the cross-verification among these four kinds of software artifacts including, privacy policy, bytecode, description, and permissions. We propose a novel data flow model for analyzing privacy policy, and develop a novel system, named TAPVerifier, for carrying out investigation of individual software artifacts and conducting the cross-verification. The experimental results show that TAPVerifier can analyze privacy policy with a high accuracy and recall rate. More importantly, integrating privacy policy and code level information removes 8.1%-65.5% false positives of existing systems based on description and permission.