The popularity of Android means it is a common target for malware. Over the years, various studies have found that machine learning models can effectively discriminate malware from benign applications. However, as the operating system evolves, so does malware, calling into question the findings of these previous studies, many of which report very high accuracies using small, outdated, and often imbalanced datasets. In this paper, we reimplement 18 representative past works and reevaluate them using a balanced, relevant, and up-to-date dataset comprising 124,000 applications. We also carry out new experiments designed to fill holes in existing knowledge, and use our findings to identify the most effective features and models for Android malware detection in a contemporary environment. We show that high detection accuracies (up to 96.8%) can be achieved using features extracted through static analysis alone, with only a modest benefit (1%) from far more expensive dynamic analysis. API calls and opcodes are the most productive static features, and TCP network traffic provides the most predictive dynamic features. Random forests are generally the most effective model, outperforming more complex deep learning approaches. Whilst directly combining static and dynamic features is generally ineffective, ensembling separately trained models leads to performance comparable to the best models while using less brittle features.