arxiv: 1711.05731 · v1 · pith:UBBNYAZFnew · submitted 2017-11-15 · 💻 cs.CR

Android Malware Detection using Markov Chain Model of Application Behaviors in Requesting System Services

keywords: system, applications, android, behavior, chain, malicious, markov, servicemonitor

Widespread growth in Android malwares stimulates security researchers to propose different methods for analyzing and detecting malicious behaviors in applications. Nevertheless, current solutions are ill-suited to extract the fine-grained behavior of Android applications accurately and efficiently. In this paper, we propose ServiceMonitor, a lightweight host-based detection system that dynamically detects malicious applications directly on mobile devices. ServiceMonitor reconstructs the fine-grained behavior of applications based on a novel systematic system service use analysis technique. Using proposed system service use perspective enables us to build a statistical Markov chain model to represent what and how system services are used to access system resources. Afterwards, we consider built Markov chain in the form of a feature vector and use it to classify the application behavior into either malicious or benign using Random Forests classification algorithm. ServiceMonitor outperforms current host-based solutions with evaluating it against 4034 malwares and 10024 benign applications and obtaining 96% of accuracy rate and negligible overhead and performance penalty.
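The sketch below is an added illustration, not code from the paper or from ServiceMonitor. It shows one way a trace of system service requests can be turned into a Markov chain and then flattened into a fixed-length feature vector of the kind a Random Forests classifier would consume. The first-order chain, the four service names and both traces are assumptions constructed for the example.

```python
from collections import Counter
from itertools import product

# Hypothetical state set: these service names are assumed for illustration.
SERVICES = ["activity", "location", "telephony", "sms"]


def transition_matrix(trace, states=SERVICES):
    """Row-normalised first-order transition probabilities for one app trace."""
    # Count each consecutive (previous service, next service) pair.
    counts = Counter(zip(trace, trace[1:]))
    matrix = {}
    for src in states:
        row_total = sum(counts[(src, dst)] for dst in states)
        for dst in states:
            # A service the app never leaves (or never uses) gets an all-zero row.
            matrix[(src, dst)] = counts[(src, dst)] / row_total if row_total else 0.0
    return matrix


def feature_vector(trace, states=SERVICES):
    """Flatten the chain in a fixed (src, dst) order so every app yields
    a vector of the same length and meaning (len(states) ** 2 entries)."""
    matrix = transition_matrix(trace, states)
    return [matrix[pair] for pair in product(states, repeat=2)]


# Constructed traces (not real measurements).
BENIGN_TRACE = ["activity", "location", "activity", "location", "activity"]
SUSPECT_TRACE = ["activity", "telephony", "sms", "telephony", "sms", "activity"]

if __name__ == "__main__":
    pairs = list(product(SERVICES, repeat=2))
    for name, trace in (("benign", BENIGN_TRACE), ("suspect", SUSPECT_TRACE)):
        vec = feature_vector(trace)
        nonzero = {f"{s}->{d}": p for (s, d), p in zip(pairs, vec) if p}
        print(name, nonzero)
```

Vectors produced this way for labelled benign and malicious applications would form the training rows for the classifier; requests to services outside the chosen state set are ignored by this sketch.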
