EveDroid: Event-Aware Android Malware Detection Against Model Degrading for IoT Devices
Published in: | IEEE internet of things journal 2019-08, Vol.6 (4), p.6668-6680 |
---|---|
Main authors: | , , , , |
Format: | Article |
Language: | eng |
Subjects: | |
Summary: | With the proliferation of the smart Internet of Things (IoT) devices based on Android system, malicious Android applications targeting for IoT devices have received more and more attention due to the concern of privacy leakage and property loss. However, existing malware detection approaches based on static or dynamic analysis are not scalable to the evolvement of malware and cannot extract enough valid semantics in application programming interface (API) level, failing to detect new malware. In this paper, we propose EveDroid, a scalable and event-aware Android malware detection system, which exploits the behavioral patterns in different events to effectively detect new malware based on the insight that events can reflect apps' possible running activities. Unlike existing approaches using API calls as features directly, we propose to use event group to describe apps' behaviors in event level, which can capture higher level of semantics than in API level. In event group, we adopt function clusters to represent behaviors in each event so that behaviors hidden in events can still be captured as time goes on, which enables EveDroid to detect new malware in the event level. The function clusters can generalize API calls into vectors based on their API composition to capture new API calls, which makes EveDroid scalable to malware evolving. Moreover, a neural network is specifically designed to aggregate the multiple events and automatically mine the semantic relationship among them. We train the system and evaluate its F1-measure on a dataset of 14 956 benign and 28 848 malicious Android apps released in different years. The experimental results show that EveDroid outperforms other malware detection systems. |
---|---|
ISSN: | 2327-4662 2327-4662 |
DOI: | 10.1109/JIOT.2019.2909745 |