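Author (Chinese): 張瑋玲
Author (English): Chang, Wei-Ling
Thesis title (Chinese): 基於行為分析與機器學習的Android惡意軟體檢測方法
Thesis title (English): An Android Behavior-Based Malware Detection using Machine Learning
Advisor (Chinese): 孫宏民
Advisor (English): Sun, Hung-Min
Oral defense committee (Chinese): 曾文貴, 黃世昆, 許富皓
Degree: Master's
Institution: National Tsing Hua University
Department: Department of Computer Science
Student ID: 102062525
Year of publication (ROC calendar): 104
Academic year of graduation: 103
Language: English
Number of pages: 59
Keywords (Chinese): mobile malware detection, behavior analysis, machine learning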
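In recent years, smartphone usage has risen steadily and the technology has matured. Smart devices offer a wide range of functions that make users' lives more convenient. According to surveys, 84% of phones run Android, which means that more than eighty percent of smart device users worldwide use Android. Android's popularity has attracted many interested developers, who can write creative applications with different functions, but who can also design malware that is disguised as an ordinary application and performs malicious behavior in the background. Malware installed on a phone may steal the user's private data, such as the phone number or credit card account number, and may also cause financial loss, so detecting threats to mobile security has become a major issue.

In the past, the most common way to analyze malware on mobile devices was signature-based detection, which detects malware by matching signatures. However, as the number of Android developers grows and the technology advances, the amount of malware has increased greatly, and traditional signature-based detection increasingly fails to keep up with malware techniques. This thesis therefore detects malware by combining behavior-based detection with machine learning. Our system improves on the shortcomings of Droidbox by adding a custom automatic click program that can identify the UI the application is currently displaying, with the aim of triggering malware effectively, recording the behavior it produces in the background, and combining that with network behavior, read/write order and so on. With the declared permissions as an auxiliary input, machine learning is used to decide whether an application is malware, in order to reduce the probability that malware harms users. We also obtained a large number of malware samples and normal apps to run experiments and verify the effectiveness of this method.
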
In recent years, smartphones have become very popular. Many people use smartphones instead of traditional phones, and almost everyone has one. More and more functional mobile applications are being released, making users' lives more convenient. The popularity of Android attracts many developers, who build not only useful and creative applications but also malicious software. Malware installed on a user's smartphone may not only steal private information such as the phone number, IMEI and credit card number, among others, but also cause property loss. Therefore, how to detect malicious software on smartphones has become a big issue.

In the past, signature-based detection was the most common method for detecting malicious software on smartphones. However, malware spreads faster than research can keep up, and signature-based detection is no longer an effective detection method. In this thesis, we propose an Android behavior-based malware detection method using machine learning. We improve an Android application sandbox, Droidbox, by inserting a view-identification automatic trigger program that can click through mobile applications more effectively. In addition, we collect behavior such as network activities, file reads/writes and permissions as feature data, and use different machine learning algorithms to classify malware and evaluate the performance. We use a large number of malware and normal application samples to prove that the accuracy of our method is pretty high.

Chapter 1 Introduction
1.1 Motivation
1.2 Our Contribution
1.3 Organization
Chapter 2 Background
2.1 Android System Architecture
2.1.1 The Overview of Android
2.1.2 Android application security mechanism
2.2 Malware analysis Method
2.2.1 Signature-based detection
2.2.2 Behavior-based detection
Chapter 3 Related Works
3.1 Review of Patrik’s protocol
3.2 Weakness of Patrik’s protocol
3.3 The improved scheme
3.3.1 Automatic stress-test
3.3.2 Machine learning approaches
Chapter 4 System Architecture and Design
4.1 Overview
4.1.1 Challenge
4.2 System Framework
4.3 Tools we use
4.3.1 Android Asset Packaging Tool (aapt)
4.3.2 android tool and Another Neat tool (ANT)
4.3.3 keytool and jarsigner
4.3.4 Robotium
4.3.5 Weka library
Chapter 5 Implementation
5.1 Environment
5.2 Preprocessing
5.2.1 Delete Signature
5.2.2 Robotium automatic test program
5.2.3 Our Framework of Robotium trigger program
5.2.4 Compile, Re-signature and Install
5.3 Trigger process and Data Monitor
5.4 Decision Model
5.4.1 Feature data
5.4.2 Weka library input - ARFF Format
5.4.3 Machine learning algorithm
5.4.4 Machine learning process
5.5 Database
Chapter 6 Discussion
6.1 Sample set
6.2 Preliminary
6.3 Evaluation result
6.3.1 All feature data
6.4 Comparison
6.5 Experiment
Chapter 7 Conclusions
(The full text is not authorized for public access)