Recently, the popularity of smart phone has dramatically increased and that has lead to move of malware from general computers to mobile devices. By this trend, many researchers conducted studies to detect malicious applications (or application) in mobile device. Detection of android malwares is classified into two methods: (i) static analysis, which investigates the source code of malware to detect the malicious behaviors of malware and (ii) dynamic analysis, which monitors the run-time behaviors of malware to detect its un-allowed operations. Surveying
recent works, we have noticed that little of works had been done with dynamic method while we have found plentiful studies with static analysis.
This has motivated us to conduct the research which aims to detect Android malware with dynamic method. We have discovered that there are three observable parts for detecting malicious behavior in android application: (i) network, (ii) Android APIs, (iii) Android permissions. The detection system consists of three engines and each of them monitors its own observable part of the application, independently detects malicious behavior. Then, taken the information from three of engines, correlator determines a final decision ("malicious" or "benign"). The multiple engines are designed to complement each other.
Finally, we have evaluated with 795 malicious applications and 826 malicious applications (1/2 for train, 1/2 for test). We have proved that our proposed method detected malicious applications at very low rate of error and with very small time overhead. To show its high precision of malware detection, we have measured false positive rate and false negative rate and the rate were very low. By comparing precision rate from each engine and overall precision, we have proved that three engines properly compensate failure of detection each other.