DCDroid: An APK Static Identification Method Based on Naïve Bayes Classifier and Dual-Centrality Analysis

The static scanning identification of android application packages (APK) has been widely proven to be an effective and scalable method. However, the existing identification methods either collect feature values from known APKs for inefficient comparative analysis, or use expensive program syntax or semantic analysis methods to extract features. Therefore, this paper proposes an APK static identification method that is different from traditional graph analysis. We match application programming interface (API) call graph to a complex network, and use a dual-centrality analysis method to calculate the importance of sensitive nodes in the API call graph, while integrating the global and relative influence of sensitive nodes. Our key insight is that the dual-centrality analysis method can more accurately characterize the graph semantic information of Android malicious APKs. We created and named a method DCDroid and evaluated it on a dataset of 4,428 benign samples and 4,626 malicious samples. The experimental results show that compared to the four advanced methods Drebin, MaMaDroid, MalScan, and HomeDroid, DCDroid can identify Android malicious APKs with an accuracy of 97.5%, with an F1 value of 96.7% and is two times faster than HomeDroid, eight times faster than Drebin, and 17 times faster than MaMaDroid. We grabbed 10,000 APKs from the Google Play Market, DCDroid was able to find 68 malicious APKs, of which 67 were confirmed Android malicious APKs, with a good ability to identify market-level malicious APKs.