An accurate approach to discriminate android colluded malware from single app malware using permissions intelligence.

Author information

Mawoh Roger Yiran, Wacka Joan Beri Ali, Tchakounte Franklin, Fachkha Claude

Affiliations

Department of Mathematics and Computer Science, Faculty of Science, University of Ngaoundéré, Ngaoundéré, Cameroon.

Department of Computer Science, Faculty of Science, University of Buea, Buea, Cameroon.

Publication information

Sci Rep. 2025 Mar 28;15(1):10680. doi: 10.1038/s41598-025-86568-w.

Abstract

Mobile devices are vulnerable to malicious apps that jeopardize user privacy and device integrity. This includes single-app malware that operates independently and colluding Android apps that collaborate with each other to carry out a malicious attack. Existing detection methods primarily focus on single-app malware and hence will misclassify colluding Android apps. This paper introduces SigColDroid, a novel approach for detecting colluding Android apps and single-app malware by leveraging dangerous permissions. The research begins by extracting and identifying key features, such as permissions, smali file size, and permission rates, for model training. To facilitate comprehensive evaluation, a balanced dataset of 1455 apps is created, consisting of 485 benign apps, 485 randomly sampled single-app malware from the AndroZoo repository, and 485 colluding applications. Extensive experimentation is conducted using five ensemble classifiers (Random Forest, Extra Trees, AdaBoost, XGBoost, and LightGBM) alongside our proposed custom Artificial Neural Network (ANN) and Deep Neural Network (DNN) architectures. The classifiers are evaluated based on five metrics: precision, recall, F1-score, accuracy, and the area under the receiver operating characteristic curve (ROC_AUC). The experimental findings highlight the following key insights: (i) Identification of the five most significant permission features for detecting colluding applications; (ii) Positive impact of smali file size and permission rates on classification performance; (iii) Superior performance of Random Forest with a ROC_AUC of 99.48% and LightGBM with 96.91% accuracy, 96.96% precision, 96.90% recall and 96.90% F1-score compared to other classifiers; (iv) Comparative analysis with previous research demonstrates that SigColDroid, despite utilizing fewer features, outperforms state-of-the-art approaches.
The proposed approach presents an effective solution for detecting colluding Android apps using permissions and contributes to the advancement of improved detection and prevention mechanisms in mobile security.
