VT-Magnum-Research/antimalware

Android Antimalware

About

This is an educational endeavor to explore methods of detecting malware on the Android platform with machine learning. I'm doing all of this in Arch Linux with Android 4.1. It is still under development.

Usage

  1. Populate TestSuite/Training and/or TestSuite/Testing with the APK files to test, named <M/B><Number>-<PackageName>.apk, where <M/B> is the classification of the application (M for malicious, B for benign), <Number> is an optional, arbitrary number to help identify and sort different types of applications, and <PackageName> is the name of the application's main package. An example would be B001-foo.bar.baz.apk.
  2. Change to the TestSuite directory and verify that the $ADB variable is correct. Run ./testapps.sh <Testing/Training> to start the tests.
  3. Collected data will be saved to arff/<date>
  4. The weka.sh script in this directory can then be copied to the subdirectory with collected data in it and run to create and evaluate different classifiers.
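As an added example for the procedure above (this is not code from the repository), the POSIX shell helper below checks two things testapps.sh silently depends on: that every APK in a TestSuite directory follows the <M/B><Number>-<PackageName>.apk convention, since the leading M or B is the only place the class label lives, and that the output of `$ADB devices` lists a device in the "device" state rather than "unauthorized" or "offline". The function names and the sample adb output are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the antimalware project. Function names and the
# constructed sample data are assumptions; only the naming convention and the
# use of $ADB come from the README.

# label_from_name NAME: print "malicious" or "benign"; return 1 on a bad name.
label_from_name() {
    case "$1" in
        M*) label=malicious ;;
        B*) label=benign ;;
        *)  label= ;;
    esac
    # <Number> is optional; <PackageName> is dotted Java identifier segments.
    if [ -n "$label" ] && printf '%s\n' "$1" |
        grep -Eq '^[MB][0-9]*-[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)*\.apk$'; then
        echo "$label"
        return 0
    fi
    echo "bad name: $1" >&2
    return 1
}

# check_suite DIR: validate every *.apk in DIR, print the class counts, and
# return 1 if any file would be mislabelled or skipped by the test suite.
check_suite() {
    dir=$1; bad=0; mal=0; ben=0
    for f in "$dir"/*.apk; do
        [ -e "$f" ] || continue
        case "$(label_from_name "$(basename "$f")" 2>/dev/null)" in
            malicious) mal=$((mal + 1)) ;;
            benign)    ben=$((ben + 1)) ;;
            *)         bad=$((bad + 1)); echo "skip: $f" >&2 ;;
        esac
    done
    echo "malicious=$mal benign=$ben bad=$bad"
    [ "$bad" -eq 0 ]
}

# ready_devices: read "adb devices" output on stdin and print the serials whose
# state column is exactly "device". Returns 1 when no device is usable, which is
# the case to catch before a long unattended test run.
ready_devices() {
    awk 'NR > 1 && NF == 2 && $2 == "device" { print $1; n++ } END { exit n ? 0 : 1 }'
}

# Constructed sample of "adb devices" output (not captured from a real device):
# one usable emulator and one phone that has not accepted the host's RSA key.
SAMPLE_ADB='List of devices attached
emulator-5554	device
0123456789ABCDEF	unauthorized
'

# Usage before running ./testapps.sh (commented so the file can also be sourced):
#   check_suite TestSuite/Training && "$ADB" devices | ready_devices
```

The regex deliberately rejects an empty package name (M001-.apk) and any prefix other than M or B, because testapps.sh has no other source of truth for the label: a file that slips through with the wrong letter becomes a mislabelled row in the ARFF output and skews every classifier weka.sh later evaluates.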

Main Application

The main application used to collect data is simply called Antimalware and is an Eclipse project. See below for a short section on increasing Eclipse's memory if you want to load it in Eclipse. Note also that the collected data is stored on the device's SD card.

Testing Suite

A shell script is used to automatically load and test applications to collect feature vectors. For security and intellectual property reasons, I won't upload any applications. However, the data I collected is in the arff directory.

Increasing Eclipse's Default Memory

Importing the Antimalware Android project into Eclipse is simple. However, Eclipse's memory needs to be increased to load the Weka library used. First, find eclipse.ini in your system.

$ sudo find / -name 'eclipse.ini'
/usr/share/eclipse/eclipse.ini 

Then edit it and increase the memory settings:

$ vim /usr/share/eclipse/eclipse.ini

[...]
--launcher.XXMaxPermSize
2048m
[...]
--launcher.defaultAction
[...]
-Xms1024m
-Xmx2028m
[...]

Directory Structure

.
├── Antimalware - The main Eclipse application
│   ├── assets
│   ├── bin
│   │   ├── classes
│   │   │   └── org
│   │   │       └── vt
│   │   │           └── magnum
│   │   │               └── antimalware
│   │   │                   ├── features
│   │   │                   └── main
│   │   └── res
│   │       ├── drawable-hdpi
│   │       ├── drawable-ldpi
│   │       ├── drawable-mdpi
│   │       └── drawable-xhdpi
│   ├── gen
│   │   └── org
│   │       └── vt
│   │           └── magnum
│   │               └── antimalware
│   │                   └── main
│   ├── libs - The modified Weka library
│   ├── res
│   │   ├── drawable-hdpi
│   │   ├── drawable-ldpi
│   │   ├── drawable-mdpi
│   │   ├── drawable-xhdpi
│   │   ├── layout
│   │   └── values
│   └── src
│       └── org
│           └── vt
│               └── magnum
│                   └── antimalware
│                       ├── features
│                       └── main
├── arff - Collected data and results
│   ├── 2012.08.11
│   ├── 2012.08.19
│   └── tmp
└── TestSuite - Test Suite for automatically testing applications.
    ├── Testing
    ├── Training
    ├── Unsorted-Benign
    ├── Unsorted-Malware
    └── Unused-Malware

About

Dynamic malware analysis for the Android platform