Android application classification and anomaly detection with graph-based permission patterns
Charles PEREZ, Karina SOKOLOVA, Marc LEMERCIERAndroid is one of the mobile market leaders, offering more than a million applications on Google Play store. Google checks the application for known malware, but applications abusively collecting users' data and requiring access to sensitive services not related to functionalities are still present on the market. A permission system is a user-centric security solution against abusive applications and malware that has been unsuccessful: users are incapable of understanding and judging the permissions required by each application and often ignore on-installation warnings. State-of-the-art shows that the current permission system is inappropriate for end-users. However, Android permission lists do provide information about the application's behavior and may be suitable for automatic application analysis. Identifying key permissions for functionalities and expected permission requests can help leverage abnormal application behavior and provide a simpler risk warning for users. Applications with similar functionalities are grouped into categories on Google Play and this work therefore analyzes permission requests by category.
In this study, we propose a methodology to characterize normal behavior for each category of applications, highlighting expected permission requests. The co-required permissions are modeled as a graph and the category patterns and central permissions are obtained using graph analysis metrics. The obtained patterns are evaluated by the performance of the application classification into categories that allow choosing the best graph metrics representing categories. Finally, this study proposes a privacy score and a risk warning threshold based on the best metrics. The efficiency of the proposed methodology was tested on a set of 9512 applications collected from Google Play and a set of malware.