SigColDroid: An Efficient and Reliable Approach to Discriminate Colluding Applications from Single-App Malware Based on Significant Permissions Intelligence
Abstract
Mobile devices are vulnerable to malicious apps that jeopardize user privacy and device integrity. This includes single-app malware that operates independently and colluding Android apps that collaborate with each other to carry out a malicious attack. Existing detection methods primarily focus on single-app malware and hence will misclassify colluding Android apps. This paper introduces SigColDroid, a novel approach for detecting colluding Android apps and single-app malware by leveraging dangerous permissions. The research begins by extracting and identifying key features, such as permissions, smali file size, and permission rates, for model training. To facilitate comprehensive evaluation, a balanced dataset of 1,455 apps is created, consisting of 485 benign apps, 485 randomly sampled single-app malware from the AndroZoo repository, and 485 colluding applications. Extensive experimentation is conducted using five ensemble classifiers: Random Forest, Extra Trees, AdaBoost, XGBoost, and LightGBM. The classifiers are evaluated based on five metrics: Precision, Recall, F1-score, accuracy, and the area under the receiver operation curve (ROC_AUC). The experimental findings highlight the following key insights: (i) Identification of the five most significant permission features for detecting colluding applications; (ii) Positive impact of smali file size and permission rates on classification performance; (iii) Superior performance of Random Forest with a ROC_AUC of 99.48% and LightGBM with 96.91% accuracy, 96.96% precision, 96.90% recall and 96.90% F1-score compared to other classifiers; (iv) Comparative analysis with previous research demonstrates that SigColDroid, despite utilizing fewer features, outperforms state-of-the-art approaches. The proposed approach presents an effective solution for detecting colluding Android apps using permissions and contributes to the advancement of improved detection and prevention mechanisms in mobile security.