{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,11]],"date-time":"2026-04-11T13:18:51Z","timestamp":1775913531051,"version":"3.50.1"},"reference-count":65,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2017,7,31]],"date-time":"2017-07-31T00:00:00Z","timestamp":1501459200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CCF-1252644, CNS-1629771 and CCF-1618132"],"award-info":[{"award-number":["CCF-1252644, CNS-1629771 and CCF-1618132"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000181","name":"Air Force Office of Scientific Research","doi-asserted-by":"crossref","award":["FA95501610030"],"award-info":[{"award-number":["FA95501610030"]}],"id":[{"id":"10.13039\/100000181","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/100000180","name":"Department of Homeland Security","doi-asserted-by":"crossref","award":["HSHQDC-14-C-B0040"],"award-info":[{"award-number":["HSHQDC-14-C-B0040"]}],"id":[{"id":"10.13039\/100000180","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2017,7,31]]},"abstract":"<jats:p>The number of malicious Android apps is increasing rapidly. Android malware can damage or alter other files or settings, install additional applications, and so on. To determine such behaviors, a security analyst can significantly benefit from identifying the family to which an Android malware belongs rather than only detecting if an app is malicious. Techniques for detecting Android malware, and determining their families, lack the ability to handle certain obfuscations that aim to thwart detection. Moreover, some prior techniques face scalability issues, preventing them from detecting malware in a timely manner.<\/jats:p>\n          <jats:p>To address these challenges, we present a novel machine-learning-based Android malware detection and family identification approach, RevealDroid, that operates without the need to perform complex program analyses or to extract large sets of features. Specifically, our selected features leverage categorized Android API usage, reflection-based features, and features from native binaries of apps. We assess RevealDroid for accuracy, efficiency, and obfuscation resilience using a large dataset consisting of more than 54,000 malicious and benign apps. Our experiments show that RevealDroid achieves an accuracy of 98% in detection of malware and an accuracy of 95% in determination of their families. We further demonstrate RevealDroid\u2019s superiority against state-of-the-art approaches.<\/jats:p>","DOI":"10.1145\/3162625","type":"journal-article","created":{"date-parts":[[2018,1,12]],"date-time":"2018-01-12T13:49:50Z","timestamp":1515764990000},"page":"1-29","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":141,"title":["Lightweight, Obfuscation-Resilient Detection and Family Identification of Android Malware"],"prefix":"10.1145","volume":"26","author":[{"given":"Joshua","family":"Garcia","sequence":"first","affiliation":[{"name":"Department of Informatics, University of California, Irvine, CA"}]},{"given":"Mahmoud","family":"Hammad","sequence":"additional","affiliation":[{"name":"Department of Informatics, University of California, Irvine, CA"}]},{"given":"Sam","family":"Malek","sequence":"additional","affiliation":[{"name":"Department of Informatics, University of California, Irvine, CA"}]}],"member":"320","published-online":{"date-parts":[[2018,1,12]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"Android Trojan Looks Acts Like Windows Malware. Retrieved from http:\/\/www.snoopwall.com\/android-trojan-looks-acts-like-windows-malware\/.  Android Trojan Looks Acts Like Windows Malware. Retrieved from http:\/\/www.snoopwall.com\/android-trojan-looks-acts-like-windows-malware\/."},{"key":"e_1_2_1_2_1","unstructured":"Bitcoin-mining malware reportedly found on Google Play. Retrieved from http:\/\/www.cnet.com\/news\/bitcoin-mining-malware-reportedly-discovered-at-google-play\/.  Bitcoin-mining malware reportedly found on Google Play. Retrieved from http:\/\/www.cnet.com\/news\/bitcoin-mining-malware-reportedly-discovered-at-google-play\/."},{"key":"e_1_2_1_3_1","unstructured":"Cisco 2014 Annual Security Report. Retrieved from http:\/\/www.cisco.com\/web\/offers\/lp\/2014-annual-security-report\/index.html.  Cisco 2014 Annual Security Report. Retrieved from http:\/\/www.cisco.com\/web\/offers\/lp\/2014-annual-security-report\/index.html."},{"key":"e_1_2_1_4_1","unstructured":"RevealDroid. Retrieved from http:\/\/tiny.cc\/revealdroid.  RevealDroid. Retrieved from http:\/\/tiny.cc\/revealdroid."},{"key":"e_1_2_1_5_1","unstructured":"Server-side polymorphic android applications. Retrieved from http:\/\/www.symantec.com\/connect\/blogs\/server-side-polymorphic-android-applications.  Server-side polymorphic android applications. Retrieved from http:\/\/www.symantec.com\/connect\/blogs\/server-side-polymorphic-android-applications."},{"key":"e_1_2_1_6_1","unstructured":"The Drebin Dataset. Retrieved from http:\/\/user.informatik.uni-goettingen.de\/darp\/drebin\/.  The Drebin Dataset. Retrieved from http:\/\/user.informatik.uni-goettingen.de\/darp\/drebin\/."},{"key":"e_1_2_1_7_1","unstructured":"THREAT DESCRIPTION TROJAN:ANDROID\/OLDBOOT.A. Retrieved from https:\/\/www.f-secure.com\/v-descs\/trojan_android_old boot_a.shtml.  THREAT DESCRIPTION TROJAN:ANDROID\/OLDBOOT.A. Retrieved from https:\/\/www.f-secure.com\/v-descs\/trojan_android_old boot_a.shtml."},{"key":"e_1_2_1_8_1","unstructured":"VirusShare.com. Retrieved from http:\/\/www.virusshare.com\/.  VirusShare.com. Retrieved from http:\/\/www.virusshare.com\/."},{"key":"e_1_2_1_9_1","unstructured":"VirusTotal. Retrieved from https:\/\/www.virustotal.com\/.  VirusTotal. Retrieved from https:\/\/www.virustotal.com\/."},{"key":"e_1_2_1_10_1","volume-title":"Threat Report","year":"2015","unstructured":"2015. Quick Heal Annual Threat Report 2015 . Retrieved from http:\/\/www.quickheal.co.in\/resources\/threat-reports. (January 2015). 2015. Quick Heal Annual Threat Report 2015. Retrieved from http:\/\/www.quickheal.co.in\/resources\/threat-reports. (January 2015)."},{"key":"e_1_2_1_11_1","unstructured":"2017. 1.5. Stochastic Gradient Descent\u2014scikit-learn 0.18.2 documentation. Retrieved from http:\/\/scikit-learn.org\/stable\/modules\/sgd.html. (2017).  2017. 1.5. Stochastic Gradient Descent\u2014scikit-learn 0.18.2 documentation. Retrieved from http:\/\/scikit-learn.org\/stable\/modules\/sgd.html. (2017)."},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCSW.2012.13"},{"key":"e_1_2_1_13_1","doi-asserted-by":"crossref","unstructured":"Kevin Allix Tegawend\u00e9 F. Bissyand\u00e9 Jacques Klein and Yves Le Traon. 2015. Are Your Training Datasets Yet Relevant? Springer International Publishing Cham 51--67.  Kevin Allix Tegawend\u00e9 F. Bissyand\u00e9 Jacques Klein and Yves Le Traon. 2015. Are Your Training Datasets Yet Relevant? Springer International Publishing Cham 51--67.","DOI":"10.1007\/978-3-319-15618-7_5"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/2901739.2903508"},{"key":"e_1_2_1_15_1","unstructured":"Mohamed Aly. 2005. Survey on multiclass classification methods. Neur. Netw. (2005) 1--9.  Mohamed Aly. 2005. Survey on multiclass classification methods. Neur. Netw. (2005) 1--9."},{"key":"e_1_2_1_16_1","unstructured":"Axelle Apvrille and Ruchna Nigam. 2014. Obfuscation in Android malware and how to fight back.Virus Bull. (2014).  Axelle Apvrille and Ruchna Nigam. 2014. Obfuscation in Android malware and how to fight back.Virus Bull. (2014)."},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23247"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.5555\/2818754.2818808"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/2259051.2259056"},{"key":"e_1_2_1_20_1","volume-title":"Olshen","author":"Breiman Leo","year":"1984","unstructured":"Leo Breiman , Jerome Friedman , Charles J. Stone , and Richard A . Olshen . 1984 . Classification and Regression Trees. CRC Press . Leo Breiman, Jerome Friedman, Charles J. Stone, and Richard A. Olshen. 1984. Classification and Regression Trees. CRC Press."},{"key":"e_1_2_1_21_1","unstructured":"Gert Cauwenberghs and Tomaso Poggio. 2001. Incremental and decremental support vector machine learning. In Advances in Neural Information Processing Systems. 409--415.   Gert Cauwenberghs and Tomaso Poggio. 2001. Incremental and decremental support vector machine learning. In Advances in Neural Information Processing Systems. 409--415."},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/2462096.2462100"},{"key":"e_1_2_1_23_1","volume-title":"Proceedings of the 24th USENIX Security Symposium (USENIX Security\u201915)","author":"Chen Kai","year":"2015","unstructured":"Kai Chen , Peng Wang , Yeonjoon Lee , XiaoFeng Wang , Nan Zhang , Heqing Huang , Wei Zou , and Peng Liu . 2015 . Finding unknown malice in 10 seconds: Mass vetting for new threats at the google-play scale . In Proceedings of the 24th USENIX Security Symposium (USENIX Security\u201915) . USENIX Association, Washington, DC, 659--674. http:\/\/blogs.usenix.org\/conference\/usenixsecurity15\/technical-sessions\/presentation\/chen-kai. Kai Chen, Peng Wang, Yeonjoon Lee, XiaoFeng Wang, Nan Zhang, Heqing Huang, Wei Zou, and Peng Liu. 2015. Finding unknown malice in 10 seconds: Mass vetting for new threats at the google-play scale. In Proceedings of the 24th USENIX Security Symposium (USENIX Security\u201915). USENIX Association, Washington, DC, 659--674. http:\/\/blogs.usenix.org\/conference\/usenixsecurity15\/technical-sessions\/presentation\/chen-kai."},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2016.25"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2619091"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653691"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635869"},{"key":"e_1_2_1_29_1","volume-title":"Technical Report GMU-CS-TR-2015-10. Department of CS","author":"Garcia Joshua","unstructured":"Joshua Garcia , Mahmoud Hammad , Bahman Pedrood , Ali Bagheri-Khaligh , and Sam Malek . 2015. Obfuscation-Resilient, Efficient, and Accurate Detection and Family Identification of Android Malware . Technical Report GMU-CS-TR-2015-10. Department of CS , George Mason University , Fairfax, VA . Joshua Garcia, Mahmoud Hammad, Bahman Pedrood, Ali Bagheri-Khaligh, and Sam Malek. 2015. Obfuscation-Resilient, Efficient, and Accurate Detection and Family Identification of Android Malware. Technical Report GMU-CS-TR-2015-10. Department of CS, George Mason University, Fairfax, VA."},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/2517312.2517315"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/2568225.2568276"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/2307636.2307663"},{"key":"e_1_2_1_33_1","unstructured":"Isabelle Guyon and Andr\u00e9 Elisseeff. 2003. An introduction to variable and feature selection. J. Mach. Learn. Res. 3 (Mar.2003) 1157--1182.   Isabelle Guyon and Andr\u00e9 Elisseeff. 2003. An introduction to variable and feature selection. J. Mach. Learn. Res. 3 (Mar.2003) 1157--1182."},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/2568225.2568301"},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.3233\/IDA-2002-6504"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/2500727.2500733"},{"key":"e_1_2_1_37_1","volume-title":"Gliwice","author":"Koziol Jack","year":"2004","unstructured":"Jack Koziol , David Litchfield , Dave Aitel , Chris Anley , Sinan Eren , Neel Mehta , and Riley Hassell . 2004. The shellcoder\u2019s handbook. Edycja polska. Helion , Gliwice ( 2004 ). Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan Eren, Neel Mehta, and Riley Hassell. 2004. The shellcoder\u2019s handbook. Edycja polska. Helion, Gliwice (2004)."},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.5555\/2818754.2818791"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1007\/11575467_11"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2007.17"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.5555\/1953048.2078195"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382224"},{"key":"e_1_2_1_43_1","volume-title":"Proceedings of the 20th Annual Network 8 Distributed System Security Symposium (NDSS\u201914)","author":"Poeplau Sebastian","year":"2014","unstructured":"Sebastian Poeplau , Yanick Fratantonio , Antonio Bianchi , Christopher Kruegel , and Giovanni Vigna . 2014 . Execute this&excl; analyzing unsafe and malicious dynamic code loading in android applications . In Proceedings of the 20th Annual Network 8 Distributed System Security Symposium (NDSS\u201914) . Sebastian Poeplau, Yanick Fratantonio, Antonio Bianchi, Christopher Kruegel, and Giovanni Vigna. 2014. Execute this&excl; analyzing unsafe and malicious dynamic code loading in android applications. In Proceedings of the 20th Annual Network 8 Distributed System Security Symposium (NDSS\u201914)."},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23066"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/2484313.2484355"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2013.2290431"},{"key":"e_1_2_1_47_1","volume-title":"Proceedings of the European Workshop on Systems Security (EuroSec\u201913)","author":"Reina Alessandro","year":"2013","unstructured":"Alessandro Reina , Aristide Fattori , and Lorenzo Cavallaro . 2013 . A system call-centric analysis and stimulation technique to automatically reconstruct android malware behaviors . In Proceedings of the European Workshop on Systems Security (EuroSec\u201913) . Alessandro Reina, Aristide Fattori, and Lorenzo Cavallaro. 2013. A system call-centric analysis and stimulation technique to automatically reconstruct android malware behaviors. In Proceedings of the European Workshop on Systems Security (EuroSec\u201913)."},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/2818000.2818038"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-45719-2_11"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2013.07.106"},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23145"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.5555\/781995.782008"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660357"},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1109\/AsiaJCIS.2012.18"},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.60"},{"key":"e_1_2_1_56_1","volume-title":"Proceedings of the 18th International Conference on Machine Learning","volume":"1","author":"Xing Eric P.","year":"2001","unstructured":"Eric P. Xing , Michael I. Jordan , Richard M. Karp , and others. 2001 . Feature selection for high-dimensional genomic microarray data . In Proceedings of the 18th International Conference on Machine Learning , Vol. 1 . Citeseer, 601--608. Eric P. Xing, Michael I. Jordan, Richard M. Karp, and others. 2001. Feature selection for high-dimensional genomic microarray data. In Proceedings of the 18th International Conference on Machine Learning, Vol. 1. Citeseer, 601--608."},{"key":"e_1_2_1_57_1","volume-title":"2015 IEEE\/ACM 37th IEEE International Conference on Software Engineering (ICSE\u201915)","volume":"1","author":"Yang W.","unstructured":"W. Yang , X. Xiao , B. Andow , S. Li , T. Xie , and W. Enck . 2015. AppContext: Differentiating malicious and benign mobile app behaviors using context . In 2015 IEEE\/ACM 37th IEEE International Conference on Software Engineering (ICSE\u201915) , Vol. 1 . 303--313. W. Yang, X. Xiao, B. Andow, S. Li, T. Xie, and W. Enck. 2015. AppContext: Differentiating malicious and benign mobile app behaviors using context. In 2015 IEEE\/ACM 37th IEEE International Conference on Software Engineering (ICSE\u201915), Vol. 1. 303--313."},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516676"},{"key":"e_1_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/2627393.2627395"},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660359"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/1015330.1015332"},{"key":"e_1_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516689"},{"key":"e_1_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-37300-8_5"},{"key":"e_1_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1109\/TrustCom.2013.25"},{"key":"e_1_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.16"},{"key":"e_1_2_1_66_1","volume-title":"Proceedings of Network and Distributed System Security Symposium (NDSS\u201912)","author":"Zhou Yajin","year":"2012","unstructured":"Yajin Zhou , Zhi Wang , Wu Zhou , and Xuxian Jiang . 2012 . Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets . In Proceedings of Network and Distributed System Security Symposium (NDSS\u201912) . Yajin Zhou, Zhi Wang, Wu Zhou, and Xuxian Jiang. 2012. Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets. In Proceedings of Network and Distributed System Security Symposium (NDSS\u201912)."}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3162625","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3162625","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3162625","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T19:07:29Z","timestamp":1750273649000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3162625"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,7,31]]},"references-count":65,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2017,7,31]]}},"alternative-id":["10.1145\/3162625"],"URL":"https:\/\/doi.org\/10.1145\/3162625","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017,7,31]]},"assertion":[{"value":"2016-06-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2017-10-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2018-01-12","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}