Android application classification and anomaly detection with graph-based permission patterns

- We build permission usage patterns for Android application categories using graph.
- We classify applications into categories using patterns and graph-analysis features.
- Among metrics, betweenness centrality and weighted degree performed the best for classification.
- We build a pattern-based risk metric for applications.
- The risk metric showed high performance for malware detection.

Android is one of the mobile market leaders, offering more than a million applications on Google Play store. Google checks the application for known malware, but applications abusively collecting users' data and requiring access to sensitive services not related to functionalities are still present on the market. A permission system is a user-centric security solution against abusive applications and malware that has been unsuccessful: users are incapable of understanding and judging the permissions required by each application and often ignore on-installation warnings. State-of-the-art shows that the current permission system is inappropriate for end-users. However, Android permission lists do provide information about the application's behavior and may be suitable for automatic application analysis. Identifying key permissions for functionalities and expected permission requests can help leverage abnormal application behavior and provide a simpler risk warning for users. Applications with similar functionalities are grouped into categories on Google Play and this work therefore analyzes permission requests by category.In this study, we propose a methodology to characterize normal behavior for each category of applications, highlighting expected permission requests. The co-required permissions are modeled as a graph and the category patterns and central permissions are obtained using graph analysis metrics. The obtained patterns are evaluated by the performance of the application classification into categories that allow choosing the best graph metrics representing categories. Finally, this study proposes a privacy score and a risk warning threshold based on the best metrics. The efficiency of the proposed methodology was tested on a set of 9512 applications collected from Google Play and a set of malware.

Graphical Abstract158