Computing Reviews
Lightweight, obfuscation-resilient detection and family identification of Android malware
Garcia J., Hammad M., Malek S. ACM Transactions on Software Engineering and Methodology 26(3): 1-29, 2018. Type: Article
Date Reviewed: Jun 22 2018

Malware is undoubtedly one of the most real and potent threats in the smartphone industry. Android’s open ecosystem in terms of code as well as distribution channels is often credited as the primary reason for its popularity and mass adoption. However, the very same factors make it a primary target for attackers looking to cash in by exploiting system, user, or channel weaknesses. From stealing personal data to owned devices, malware as an attack medium has consistently been a top concern for users, enterprises, and manufacturers alike. At Google I/O 2018, many improvements to Android were announced. Key among them is Android Protected Confirmation--“confirmation screens handled by a sequestered trusted execution environment (TEE), and can be used to get secure verifications from a user” [1]--which at least theoretically makes the impact from malware quite manageable.

While these developments address the malware issue on Android phones manufactured by Google and select companies and apps downloaded from Google Play, the universe of Android-enabled phones and app stores is huge and the threat of malware is still quite large.

RevealDroid, the result of the research work described in this paper, is another incremental improvement to the Android malware detection and family identification approaches published over the last few years. Its use of machine learning along with some novel techniques gives it an edge in accuracy, efficiency, and obfuscation resilience, without requiring proportionate increases in computing power. The prototype is available at http://tiny.cc/revealdroid.

While I did not attempt to download and run the program to test the authors’ claims, the paper describes the methodology and results in some detail to give readers an idea of the features chosen and what benefits differentiate RevealDroid from other existing works.

Specifically, the tests conducted by the authors show that RevealDroid has an overall greater accuracy by about 11 to 25 percent, and mislabels 25 to 54 percent fewer benign apps as malicious than MUDFLOW. These tests show that RevealDroid achieves up to 23 percent greater accuracy than Adagio and up to 60 percent greater accuracy than Drebin. Additionally, RevealDroid achieves a 24 to 70 percent higher classification rate than Dendroid.

While being picky with features helps it stay lightweight, moving the focus to application programming interface (API) usage, using reflection and studying the function calls made in the native code, helps immensely with obfuscation resilience. Leveraging machine learning provides the accuracy and speed previously mentioned.

The website and paper provide further details on the RevealDroid architecture, as well as the evaluation design, questions, results, and limitations.

Reviewer: Phoram Mehta
Review #: CR146108 (1809-0501)

1) Eddy, M. With Android P, Google stops playing catch-up on security. PC Magazine, May 10, 2018, https://www.pcmag.com/news/361116/with-android-p-google-stops-playing-catch-up-on-security.
Security and Protection (C.2.0 ... )
 