
An analysis of Android adware

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

Most Android smartphone applications, or apps, are free—to generate revenue, advertisements are displayed when an app is used. Billions of dollars are lost annually due to adware committing advertising fraud. In this research, we propose and analyze a machine learning based scheme to detect Android adware based on static and dynamic features. We collect static features from the manifest file, while dynamic features are obtained from network traffic. Using these features, we classify Android applications as either adware or benign, and further classify each adware sample into a specific family. We employ a variety of machine learning techniques, including neural networks, random forests, AdaBoost and support vector machines. We show that a combination of static and dynamic features is most effective, and we find that, ironically, the multiclass adware classification problem is easier than the binary detection problem.

Author information

Corresponding author

Correspondence to Mark Stamp.

About this article

Cite this article

Suresh, S., Di Troia, F., Potika, K. et al. An analysis of Android adware. J Comput Virol Hack Tech 15, 147–160 (2019). https://doi.org/10.1007/s11416-018-0328-8

  • DOI: https://doi.org/10.1007/s11416-018-0328-8
