Mawoh Roger Yiran, Wacka Joan Beri Ali, Tchakounte Franklin, Fachkha Claude
Department of Mathematics and Computer Science, Faculty of Science, University of Ngaoundéré, Ngaoundéré, Cameroon.
Department of Computer Science, Faculty of Science, University of Buea, Buea, Cameroon.
Sci Rep. 2025 Mar 28;15(1):10680. doi: 10.1038/s41598-025-86568-w.
Mobile devices are vulnerable to malicious apps that jeopardize user privacy and device integrity. This includes single-app malware that operates independently and colluding Android apps that collaborate with each other to carry out a malicious attack. Existing detection methods primarily focus on single-app malware and hence will misclassify colluding Android apps. This paper introduces SigColDroid, a novel approach for detecting colluding Android apps and single-app malware by leveraging dangerous permissions. The research begins by extracting and identifying key features, such as permissions, smali file size, and permission rates, for model training. To facilitate comprehensive evaluation, a balanced dataset of 1455 apps is created, consisting of 485 benign apps, 485 randomly sampled single-app malware from the AndroZoo repository, and 485 colluding applications. Extensive experimentation is conducted using five ensemble classifiers: random forest, Extra Trees, AdaBoost, XGBoost, and LightGBM alongside our proposed custom Artificial Neural Network (ANN) and Deep Neural Network (DNN) architectures. The classifiers are evaluated based on five metrics: Precision, Recall, F1-score, accuracy, and the area under the receiver operation curve (ROC_AUC). The experimental findings highlight the following key insights: (i) Identification of the five most significant permission features for detecting colluding applications; (ii) Positive impact of smali file size and permission rates on classification performance; (iii) Superior performance of Random Forest with a ROC_AUC of 99.48% and LightGBM with 96.91% accuracy, 96.96% precision, 96.90% recall and 96.90% F1-score compared to other classifiers; (iv) Comparative analysis with previous research demonstrates that SigColDroid, despite utilizing fewer features, outperforms state-of-the-art approaches. The proposed approach presents an effective solution for detecting colluding Android apps using permissions and contributes to the advancement of improved detection and prevention mechanisms in mobile security.
移动设备容易受到恶意应用程序的攻击,这些恶意应用程序会危及用户隐私和设备完整性。这包括独立运行的单应用恶意软件以及相互勾结以实施恶意攻击的安卓应用程序。现有的检测方法主要集中在单应用恶意软件上,因此会将勾结的安卓应用程序误分类。本文介绍了SigColDroid,这是一种通过利用危险权限来检测勾结安卓应用程序和单应用恶意软件的新方法。该研究首先提取并识别关键特征,如权限、smali文件大小和权限率,用于模型训练。为了便于进行全面评估,创建了一个由1455个应用程序组成的平衡数据集,其中包括485个良性应用程序、从AndroZoo存储库中随机抽取的485个单应用恶意软件以及485个勾结应用程序。使用五个集成分类器进行了广泛的实验:随机森林、极端随机树、自适应增强、XGBoost和LightGBM,以及我们提出的自定义人工神经网络(ANN)和深度神经网络(DNN)架构。基于五个指标对分类器进行评估:精确率、召回率、F1分数、准确率以及接收者操作特征曲线下面积(ROC_AUC)。实验结果突出了以下关键见解:(i)识别出用于检测勾结应用程序的五个最重要的权限特征;(ii)smali文件大小和权限率对分类性能的积极影响;(iii)随机森林的性能优越,ROC_AUC为99.48%,LightGBM的准确率为96.91%、精确率为96.96%、召回率为96.90%、F1分数为96.90%,与其他分类器相比表现更佳;(iv)与先前研究的对比分析表明,SigColDroid尽管使用的特征较少,但性能优于现有方法。所提出的方法为使用权限检测勾结安卓应用程序提供了一种有效的解决方案,并有助于推动移动安全中改进检测和预防机制的发展。
