MADLIRA, a tool for Android malware detection

Share this…

Malware detection by learning and retrieving information for Android

Overview

MADLIRA is a tool for Android malware detection. According to cyber security professionals, this tool consists of two components: the TFIDF component and the SVM learning component. In general, a set of malwares and benwares is needed to then extract the malicious behaviors (TFIDF component) or computes training model (SVM classifier). Then, it uses this knowledge to detect malicious behaviors in the Android application.

Installing

Download file MADLIRA.7z and decompress it.

Installed Data:

MADLIRA.jar is the main application.

noAPI.txt declares the prefix of APIs.

family.txt lists malwares by family.

Folder TrainData contains the training configuration and training model.

Folder Samples contains sample data.

Folder TempData contains data for kernel computation.

TFIDF

Command: MADLIRA TFIDF

For this component, the data security expert comments that there are two functions: the training function (Malicious behavior extraction) and the test function (Malicious behavior detection)

Malicious behavior extraction

Collect benign applications and malicious applications and choose them in folders named benginAPKFolder and maliciousApkFolder, respectively.

Prepare training data and pack them in two files named benignPack and maliciousPack by using the command:

MADLIRA TFIDF packAPK -PB benignApkFolder -B benignPack -PM maliciousApkFolder -M maliciousPack

Extracting malicious behaviors from two packed files (benignPack and maliciousPack) by using the command:

MADLIRA TFIDF train -B benignPack -M maliciousPack

Malicious behavior detection

Collect new applications and put them in a folder named checkApk.

Detect malicious behaviors of applications in the folder checkApk by using the command:

MADLIRA TFIDF check -S checkApk

MADLIRA 1

MADLIRA 2

SMV

Command: MADLIRA SVM

According to the data security expert, for this component there are also two functions: the training function and the test function.

Training phase

Collect benign applications in a folder named benignApkFolder and malicious applications in a folder named maliciousApkFolder.

Prepare training data by using the commands:

MADLIRA SVM packAPK -PB benignApkFolder -B benignPack -PM maliciousApkFolder -M maliciousPack

Compute the training model by this command:

MADLIRA SVM train -B benignPack -M maliciousPack

Malicious behavior detection

Collect new applications and put them in a folder named checkApk

Detect malicious behaviors of applications in the folder checkApk by using the command:

MADLIRA SVM check -S checkApk

MADLIRA 3

Packages:

This tool uses the following packages:

apktool-2.2.1 (https://ibotpeaches.github.io/Apktool/)

ojalgo-41.0.0 (https://github.com/optimatika/ojAlgo)

libsvm (https://www.csie.ntu.edu.tw/~cjlin/libsvm/)