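Author (Chinese): 吳明哲
Author (English): Wu, Ming-Zhe
Thesis title (Chinese): 基於構件與機器學習的 Android惡意軟體變種分類方法
Thesis title (English): Component Based Android Malware Variants Classification using Machine Learning
Advisor (Chinese): 孫宏民
Advisor (English): Sun, Hung-Min
Committee members (Chinese): 黃育綸, 吳育松
Degree: Master's
Institution: National Tsing Hua University
Department: Department of Computer Science
Student ID: 102062510
Year of publication (ROC calendar): 105
Academic year of graduation: 104
Language: English
Number of pages: 46
Keywords (Chinese): 分類; Android惡意軟體; 機器學習
Keywords (English): Classification; Android Malware; Machine Learning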
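With advances in technology and market momentum, more and more people are abandoning traditional mobile phones for smartphones. Among the many operating systems, Android has become the leader of the consumer market because of its openness. According to a survey, in 2014 shipments of devices running the Android operating system exceeded 1 billion, 3 times those of Windows and 5 times those of iOS. Android's popularity has attracted a large number of developers who apply their creativity to building novel applications, but it has also attracted a large number of malware developers hoping to obtain more illegal profit from the Android market.
Most existing malware is in fact a variant of some earlier malware rather than an entirely new creation, so most malware can be assigned to a family. Malware variants are produced mainly to avoid detection by antivirus software: they use obfuscation techniques such as renaming variables to meaningless words, encrypting code, and adding useless code, so that antivirus software cannot recognize the sample as malware, with the aim of successfully infecting more people.
This thesis uses machine learning and, based on the idea that "to use a variable, you must first declare it", extracts each Android application's components and permissions as the application's features. The experimental data show that our method can be used effectively to classify malware into malware families.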
With the advancement of technology and driven by the market, more and more people are abandoning traditional mobile phones and starting to use smartphones. Among the many mobile operating systems, Android has become the leader of the consumer market because of its openness. According to the survey, in 2014 more than one billion devices powered by the Android operating system were shipped, three times the number for Windows and five times that for iOS. Android's popularity has not only attracted a large number of developers who use their creativity to develop new applications, but has also attracted a large number of malicious software developers hoping to obtain more illegal benefits from the Android market.
In fact, most existing malware is a variant of an existing piece of malicious software rather than an innovative one in its own right; therefore, the majority of malware can be classified into a family. Malware variants are produced mainly to avoid detection by anti-virus software, using obfuscation techniques such as changing variable names to meaningless words, encrypting code, and adding useless code, so that anti-virus software does not recognize the sample as malicious software and it can infect more people.
This paper uses a machine learning approach and, following the concept that "if you want to use variables, you must first declare the variables", identifies each Android app's components and permissions to use as the application's features. The experimental data also show that the method we use can be effectively applied to classifying malicious software into the various malware families.
Introduction
1.1 Motivation
1.2 Organization
Background
2.1 Android System Architecture
2.2 Malware Analysis Method
Related Works
Methodology
4.1 Overview
4.2 System Framework
4.3 Use of Tools
Implementation
5.1 Environment
5.2 Preprocessing
5.3 Feature Extraction
5.3.1 Activities
5.3.2 Services
5.3.3 Content providers
5.3.4 Broadcast receivers
5.4 Decision Model
5.4.1 Feature data
5.4.2 Weka library input - ARFF Format
5.4.3 Machine learning algorithm
5.4.4 Machine learning process
Experiment Result
6.1 Sample set
6.2 Preliminary
6.3 Evaluation result
Conclusion
Reference