An Empirical Study on Android Malware Characterization by Social Network Analysis

Bibliographic details
Published in: IEEE transactions on reliability 2024-03, Vol.73 (1), p.757-770
Main authors: Zhao, Haojun; Wu, Yueming; Zou, Deqing; Jin, Hai
Format: Article
Language: English
Description
Summary: Android malware detection has always been a hot research field. Prior work has validated that graph-based Android malware detection methods are effective, and several works have been proposed to regard the call graph of an app as a social network for more efficient classification. However, a social network contains many properties and there is a lack of perception as to which social network properties are more useful in differentiating malware from benign apps. Therefore, in this article, we present the first empirical study to analyze Android malware by different social network properties. We conduct extensive statistical analysis on 100 000 Android apps and apply three feature ranking methods to research the ability of 57 social network properties on malware detection. Moreover, in an effort to validate the effectiveness of these social network properties on malware detection, we implement a tool called SNADroid by using these properties as features for model training and use it to complete classification. Our study reveals that the average triangles number is the most impactful social network property in distinguishing malware from benign apps. Combined with the experimental results and in-depth analysis, we present the 15 most effective features for graph-based malware detection using social properties as a guideline.
ISSN: 0018-9529, 1558-1721
DOI: 10.1109/TR.2023.3304389