The popularity and relative openness of Android make it a frequent target for malware. Over the years, various studies have found that machine learning models can effectively discriminate malware from benign applications. However, as the operating system evolves, so does malware, calling into question the findings of these previous studies, many of which used small, outdated, and often class-imbalanced datasets. In this paper, we reimplement 16 representative past works and evaluate them on a balanced, relevant and up-to-date dataset comprising 124,000 Android applications. We also carry out new experiments designed to fill gaps in existing knowledge, and use our findings to identify the most effective features and models for Android malware detection in a contemporary environment. Our results suggest that accuracies of up to 96.8% can be achieved using static features alone, with a further 1% achievable using more expensive dynamic analysis approaches. We find the best models to be random forests built from API call usage and TCP network traffic features.