LI Pengwei, FU Jianming, XU Chao, CHENG Binlin, ZHANG Huanguo. Differentiating Malicious and Benign Android App Operations Using Second-Step Behavior Features[J]. Chinese Journal of Electronics, 2019, 28(5): 944-952. DOI: 10.1049/cje.2019.06.014

Differentiating Malicious and Benign Android App Operations Using Second-Step Behavior Features

Security-sensitive operations in Android applications (apps for short) can be either benign or malicious. In this work, we introduce a static program analysis approach that extracts "second-step behavior features", i.e., what was triggered by the security-sensitive operation, to assist app analysis in differentiating between malicious and benign operations. Firstly, we summarize the characteristics of malicious operations, such as spontaneity, independence, stealthiness and continuity, which can be used to distinguish malicious operations from benign ones. Secondly, according to these characteristics, second-step behavior features (SSBFs for short) are presented, including structural features and semantic features. Thirdly, an analysis prototype named SSdroid has been implemented to automatically extract the SSBFs of security-sensitive operations. Finally, experiments on 9285 operations from both benign and malicious apps show that SSBFs are effective and useful. Our evaluation results suggest that second-step behavior can greatly assist in Android malware detection.