indicative apps that were identified as malicious by more
than 22 antiviruses.
Presented within this article are three different classifiers
for detecting malware apps. The first was based on POSIX
calls frequently used by malicious apps and rarely used by
benign ones, and the second involved an SVM classifier.
Both classifiers identified a number of apps from the Google
Play store as malicious. However, when we attempted to
verify our results by using multiple antiviruses we observed
a small percentage of these apps were potentially malicious
( 25. 29 percent and 18 percent respectively). The third classifier examined the usage of obfuscated libraries. An interesting finding is if an app includes such libraries, there is a high
probability it is potentially malicious. I need to mention the
precision of our classifiers depend heavily on the precision of
the corresponding antiviruses. In general, our results indicate a malware detector cannot be based solely on these classifiers. In turn, researchers can pair the results of the various
studies to develop better detection approaches that examine
the different aspects of potentially malicious software. In
this sense, the results shown here can be used together with
results of other researchers, like Truong et al., who found
advertising within applications and cross-promotional deals
might act as infection vectors [ 3].
The present research is under the Action 2 of Athens
University of Economics and Business’ (AUEB) Research
Funding Program for Excellence and Extroversion of the
academic year 2016/2017. It is financed by the University’s
[ 1] Atlidakis, V., Andrus, J., Geambasu, R., Mitropoulos, D., and Nieh, J. POSIX abstractions
in modern operating systems: The old, the new, and the missing. In Proceedings of the
11th European Conference on Computer Systems (EuroSys.). ACM, New York, 2016.
[ 2] Jiang, X., and Zhou, Y. Dissecting Android mal ware: Characterization and evolution. In
IEEE Symposium on Security and Privacy. IEEE, Washington D. C., 2012, 95-109.
[ 3] Asokan, N., Bhattacharya, S., Lagerspetz, E., Nurmi, P., Oliner, A. J., Truong, H. T., and
Tarkoma, S. The company you keep: mobile malware infection rates and inexpensive
risk indicators. In Proceedings of the 23rd International Conference on World Wide
Web. ACM, New York, 2014.
Dimitris Mitropoulos is a senior software and security engineer at the Greek Research
and Technology Network (GRNE T) and a researcher at the Athens University of Economics
and Business. Mitropoulos holds a Ph.D. in computer security from the Athens University
of Economics and Business and has been a postdoctoral researcher at the Net work
Security Laboratory (NSL) of Columbia University in the City of Ne w York. His research
interests include application security, systems security, software evolution and soft ware
engineering. He a member of ACM, IEEE, O WASP and SysSec.
Through our experiments, we came across a number of
Android apps that included obfuscated libraries (991 apps
in total). Given the fact that obfuscation techniques have
been extensively encountered while analyzing Android
malware, we decided to examine all the apps that contained such libraries by using the 54 antiviruses of the
Virus Total website. Surprisingly, almost half of the apps
(481 in total or 48. 53 percent) were classified as suspicious. An interesting observation is the majority of these
apps were indicated as potentially malicious by a large
number of antiviruses (see Figure 4). Table 2, presents
A game-based smoking cessation
app, Goalpost, doubles the quit rate
among the general population.
Figure 4: Potentially malicious apps.
The identification was based on the obfuscated libraries.
2 3 4 5 6 7 8 9 10 11 12 13 14 15 1617 18 19 20 21 22 23 24 25 26
Table 2: Indicative potentially malicious apps containing
com.dengzer.ringtonebox- 1.apk 24
com.evy.popidions- 4.apk 23
com.fkccy.view- 25.apk 22
com.gameworld.game.sweetlink- 5.apk 23
com.jobsowen.tilegame- 1.apk 26
com.zbx.ct.game.starpic- 1.apk 26
These apps were identified as malicious by more than