A study of run-time behavioral evolution of benign versus malicious apps in Android
Published in: | Information and software technology 2020-06, Vol.122, p.106291, Article 106291 |
---|---|
Main authors: | , , |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Full text |
Summary: | • We look into the execution-structural underpinnings of Android app behaviors via a multi-faceted, longitudinal dynamic characterization.
• Our study reveals a number of new findings about app behaviors in addition to novel understanding about the evolutionary dynamics of apps in Android.
• Our study provides a first look into the security implications of run-time app behaviors in terms of code-level execution structures.
• We offer insights into the implications of our findings for enhancing app understanding, code analysis, and security defense.
• Our datasets are shared publicly to facilitate reproduction and future research on mobile software engineering and security.
The constant evolution of the Android platform and its applications has imposed significant challenges both to understanding and securing the Android ecosystem. Yet, despite the growing body of relevant research, it remains unclear how Android apps evolve in terms of their run-time behaviors in ways that impede our gaining consistent empirical knowledge about the workings of the ecosystem and developing effective technical solutions to defending it against security threats. Intuitively, an essential step towards addressing these challenges is to first understand the evolution itself. Among others, one avenue to examining a program’s run-time behavior is to dissect the program’s execution in terms of its syntactic and semantic structure.
In this paper, we study how benign Android apps execute differently from malware over time, in terms of their execution structures measured by the distribution and interaction among functionality scopes, app components, and callbacks. In doing so, we attempt to reveal how relevant app execution structure is to app security orientation (i.e., benign or malicious).
By tracing the method calls and inter-component communications (ICCs) of 15,451 benign apps and 15,183 malware developed during eight years (2010–2017), we systematically characterized the execution structure of malware versus benign apps and revealed similarities and disparities between them that were not previously known.
Our results show, among other findings, that (1) despite their similarity in execution distribution over functionality scopes, malware accessed framework functionalities mainly through third-party libraries, while benign apps were dominated by calls within the framework; (2) use of the Activity component had been rising in malware while benign apps saw a continuous drop in such uses; (3) mal |
---|---|
ISSN: | 0950-5849 1873-6025 |
DOI: | 10.1016/j.infsof.2020.106291 |