Investigating suspected background processes in Android malware classification through dynamic automated reverse engineering and semi-automated debugging

University of New Brunswick


Android malware detection has been an active research domain in recent years. Despite researchers' admirable efforts in malware detection, malicious applications become more resistant every year. Attackers develop sophisticated apps that conceal their malicious intent in the background in order to evade naive malware detection methodologies. To fill the gap in background malware analysis, we present a novel 3-layered malware analysis framework. We design the proposed framework with the assistance of automated reverse-engineering and dynamic semi-automated debugging methods. The samples in our APK repository are divided into two groups, based on the existence of particular background processes in their source files, and we use a separate activation procedure for each group. We then generate our captured Android malware dataset, which consists of static features, such as permissions, Intents, and metrics, and dynamic features, such as network traffic and background services. Finally, we use two machine learning models to evaluate our framework. We aggregated our APK repository samples from two sources: CICAndMal2017 [30]-CICInvesAndMal2019 [39] and Android Wake Lock Research. In the evaluation experiments of the proposed framework, we achieved 85% accuracy and 88% precision in classifying malware categories and benign samples with the Random Forest model.