Mobile Malware Detection using Op-code Frequency Histograms

Gerardo Canfora, Francesco Mercaldo, Corrado Aaron Visaggio


Mobile malware has grown in scale and complexity, as a consequence of the unabated uptake of smartphones worldwide. Malware writers have been developing detection evasion techniques which are rapidly making anti-malware technologies uneffective. In particular, zero-days malware is able to easily pass signature based detection, while dynamic analysis based techniques, which could be more accurate and robust, are too costly or inappropriate to real contexts, especially for reasons related to usability. This paper discusses a technique for discriminating Android malware from trusted applications that does not rely on signature, but on identifying a vector of features obtained from the static analysis of the Android’s Dalvik code. Experimentation accomplished on a sample of 11,200 applications revealed that the proposed technique produces high precision (over 93%) in mobile malware detection, with an accuracy of 95%.


  1. Androguard (2014).
  2. apktool (2014).
  3. Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., and Rieck, K. (2014). Drebin: Effective and explainable detection of android malware in your pocket. In NDSS'14, Network and Distributed System Security Symposium. IEEE.
  4. Attaluri, S., McGhee, S., and Stamp, M. (2008). Profile hidden markov models and metamorphic virus detec-
  5. niques, 5(2):179-192.
  6. Baysa, D., Low, R. M., and Stamp, M. (2013). Structural entropy and metamorphic malware. Journal of Computer Virology and Hacking Techniques, 9(4):179- 192.
  7. Bilar, D. (2007). Opcodes as predictor for malware. International Journal of Electronic Security and Digital Forensics, Vol. 1, No. 2, pp. 156-168.
  8. Canfora, G., Mercaldo, F., and Visaggio, C. (2013). A classifier of malicious android applications. In IWSMA'13, 2nd International Workshop on Security of Mobile Applications, in conjunction with the International Conference on Availability, Reliability and Security, pp. 607-614. IEEE.
  9. Chakradeo, S., Reaves, B., Traynor, P., and Enck, W. (2013). Mast: Triage for market-scale mobile malware analysis. In WISEC'13, 6th ACM Conference on Security in Wireless and Mobile Networks, pp 13-24. ACM.
  10. Chandra, D. and Franz, M. (2007). Fine-grained information flow analysis and enforcement in a java virtual machine. In ACSAC'07, 23th Annual Computer Security Applications Conference, pp 463-475. IEEE.
  11. Choucane, M. and Lakhotia, A. (2006). Using engine signature to detect metamorphic malware. In WORM'06, 4th ACM workshop on Recurring malcode, pp.73-78. ACM.
  12. dalvik (2014). opcodes.html
  13. Desnos, A. (2012). Android: Static analysis using similarity distance. In HICSS'12, 45th Hawaii International Conference on System Sciences, pp.5394-5403. IEEE.
  14. Enck, W., Gilbert, P., Chun, B., Con, L., Jung, J., McDaniel, P., and Sheth, A. (2010). Taintdroid: An informationflow tracking system for realtime privacy monitoring on smartphones. In OSDI'10, 9th USENIX Symposium on Operating Systems Design and Implementation.
  15. Fedler, R., Schütte, J., and Kulicke, M. (2014). On the effectiveness of malware protection on android: An evaluation of android antivirus apps,
  16. Gartner (2014).
  17. Gibler, C., Crussell, J., Erickson, J., and Chen, H. (2012). AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale. Trust and Trustworthy Computing Lecture Notes in Computer Science.
  18. GoogleMobile (2014). 02/android-and-security.html
  19. GooglePlay (2014).
  20. Marforio, C., Aurelien, F., and Srdjan, C. (2011). Application collusion attack on the permissionbased security model and its implications for modern smartphone systems,
  21. Oberheide, J. and Miller, C. (2012). Dissecting the android bouncer. In SummerCon, bouncer.pdf
  22. Peng, H., Gates, C., Sarma, B., Li, N., Qi, Y., Potharaju, R., Nita-Rotaru, C., and Molloy, I. (2012). Using probabilistic generative models for ranking risks of android apps. In CCS'12, 19th ACM Conference on Computer and Communications Security, pp. 241-252.
  23. Rad, B., Masrom, M., and Ibrahim, S. (2012). Opcodes histogram for classifying metamorphic portable executables malware. In ICEEE'12, International Conference on e-Learning and e-Technologies in Education, pp. 209-213.
  24. Rad, B. B. and Masrom, M. (2010). Metamorphic Virus Variants Classification Using Opcode Frequency Histogram. Latest Trends on Computers (Volume I).
  25. Reina, A., Fattori, A., and Cavallaro, L. (2013). A system call-centric analysis and stimulation technique to automatically reconstruct android malware behaviors. In EUROSEC'13, 6th European Workshop on Systems Security.
  26. Sahs, J. and Khan, L. (2012). A machine learning approach to android malware detection. In EISIC'12, European Intelligence and Security Informatics Conference, pp. 141-147.
  27. smali (2014).
  28. Spreitzenbarth, M., Ectler, F., Schreck, T., Freling, F., and Hoffmann, J. (2013). Mobilesandbox: Looking deeper into android applications. In SAC'13, 28th International ACM Symposium on Applied Computing.
  29. weka 3 (2014). In
  30. Wu, D., Mao, C., Wei, T., Lee, H., and Wu, K. (2012). Droidmat: Android malware detection through manifest and api calls tracing. In Asia JCIS'12, 7th Asia Joint Conference on Information Security, pp. 62-69.
  31. Zheng, M., Sun, M., and Lui, J. (2013). Droid analytics: A signature based analytic system to collect, extract, analyze and associate android malware. In TrustCom'13, International Conference on Trust, Security and Privacy in Computing and Communications, pp. 163-171.
  32. Zhou, Y. and Jiang, X. (2012). Dissecting android malware: Characterization and evolution. In SP'12, IEEE Symposium on Security and Privacy, pp. 95-109.

Paper Citation

in Harvard Style

Canfora G., Mercaldo F. and Aaron Visaggio C. (2015). Mobile Malware Detection using Op-code Frequency Histograms . In Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015) ISBN 978-989-758-117-5, pages 27-38. DOI: 10.5220/0005537800270038

in Bibtex Style

author={Gerardo Canfora and Francesco Mercaldo and Corrado Aaron Visaggio},
title={Mobile Malware Detection using Op-code Frequency Histograms},
booktitle={Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)},

in EndNote Style

JO - Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)
TI - Mobile Malware Detection using Op-code Frequency Histograms
SN - 978-989-758-117-5
AU - Canfora G.
AU - Mercaldo F.
AU - Aaron Visaggio C.
PY - 2015
SP - 27
EP - 38
DO - 10.5220/0005537800270038