Android botnet detection using machine learning models based on a comprehensive static analysis approach

Today, Android stands out amongst the most well-known and far reaching smartphones' operating systems. It has millions of applications that are distributed at either accredited or informal stores. Botnet applications are classified as malwares that can be distributed by utilizing these stores and downloaded by the unfortunate users on their smartphones. This work investigates Android botnets using static analysis to extract possible features from the applications source code after being reverse engineered. The features are then used to develop effective machine learning models to detect such malicious applications. Additionally, the study proposes a new set of features related to accessing resources on the target mobile. The features are extracted from 1928 Android botnet applications (ISCX dataset) and 2224 of Android benign applications (downloaded and scanned by special tools developed as part of this work). The extracted features are categorized into six groups of features in addition to a group that contains all the extracted features. Each group of features undergoes training and testing processes using four popular ML classifiers (i.e. Random Forest, Multi-Layer Perceptron neural networks, Decision trees, and Naive Bayes). After comparing the results and performing features importance analysis, it can be noted that the URL set of features play the key role in the Android botnet detection problem and the Random Forest classifier obtains the best results based on all sets of features.

Automated summary

This study investigates Android botnets using static analysis to extract features from the applications' source code. Machine learning models are developed to detect malicious applications, with a focus on a set of features related to accessing resources on the target mobile. The Random Forest classifier performs the best in detecting Android botnets based on all sets of features.