{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,11]],"date-time":"2026-04-11T13:18:50Z","timestamp":1775913530280,"version":"3.50.1"},"reference-count":80,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2019,4,9]],"date-time":"2019-04-09T00:00:00Z","timestamp":1554768000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"EPSRC-funded \u201cFuture Leaders in Engineering and Physical Sciences\u201d"},{"DOI":"10.13039\/100011403","name":"GCHQ","doi-asserted-by":"crossref","id":[{"id":"10.13039\/100011403","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100009614","name":"Petroleum Technology Development Fund","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100009614","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100000266","name":"EPSRC","doi-asserted-by":"crossref","award":["1490017"],"award-info":[{"award-number":["1490017"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2019,5,31]]},"abstract":"\n As Android has become increasingly popular, so has malware targeting it, thus motivating the research community to propose different detection techniques. However, the constant evolution of the Android ecosystem, and of malware itself, makes it hard to design robust tools that can operate for long periods of time without the need for modifications or costly re-training. Aiming to address this issue, we set to detect malware from a behavioral point of view, modeled as the sequence of abstracted API calls. We introduce M\n A<\/jats:sc>\n M\n A<\/jats:sc>\n D\n ROID<\/jats:sc>\n , a static-analysis-based system that abstracts app\u2019s API calls to their class, package, or family, and builds a model from their sequences obtained from the call graph of an app as Markov chains. This ensures that the model is more resilient to API changes and the features set is of manageable size. We evaluate M\n A<\/jats:sc>\n M\n A<\/jats:sc>\n D\n ROID<\/jats:sc>\n using a dataset of 8.5K benign and 35.5K malicious apps collected over a period of 6 years, showing that it effectively detects malware (with up to 0.99 F-measure) and keeps its detection capabilities for long periods of time (up to 0.87 F-measure 2 years after training). We also show that M\n A<\/jats:sc>\n M\n A<\/jats:sc>\n D\n ROID<\/jats:sc>\n remarkably overperforms D\n ROID<\/jats:sc>\n APIM\n INER<\/jats:sc>\n , a state-of-the-art detection system that relies on the frequency of (\n raw<\/jats:italic>\n ) API calls. Aiming to assess whether M\n A<\/jats:sc>\n M\n A<\/jats:sc>\n D\n ROID<\/jats:sc>\n \u2019s effectiveness mainly stems from the API abstraction or from the sequencing modeling, we also evaluate a variant of it that uses frequency (instead of sequences), of abstracted API calls. We find that it is not as accurate, failing to capture maliciousness when trained on malware samples that include API calls that are equally or more frequently used by benign apps.\n <\/jats:p>","DOI":"10.1145\/3313391","type":"journal-article","created":{"date-parts":[[2019,4,10]],"date-time":"2019-04-10T19:55:16Z","timestamp":1554926116000},"page":"1-34","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":281,"title":["MaMaDroid"],"prefix":"10.1145","volume":"22","author":[{"given":"Lucky","family":"Onwuzurike","sequence":"first","affiliation":[{"name":"University College London, London, United Kingdom"}]},{"given":"Enrico","family":"Mariconti","sequence":"additional","affiliation":[{"name":"University College London, London, United Kingdom"}]},{"given":"Panagiotis","family":"Andriotis","sequence":"additional","affiliation":[{"name":"University of the West of England, Bristol, United Kingdom"}]},{"given":"Emiliano De","family":"Cristofaro","sequence":"additional","affiliation":[{"name":"University College London, London, United Kingdom"}]},{"given":"Gordon","family":"Ross","sequence":"additional","affiliation":[{"name":"University College London, London, United Kingdom"}]},{"given":"Gianluca","family":"Stringhini","sequence":"additional","affiliation":[{"name":"Boston University, MA, United States"}]}],"member":"320","published-online":{"date-parts":[[2019,4,9]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"crossref","unstructured":"Yousra Aafer Wenliang Du and Heng Yin. 2013. DroidAPIMiner: Mining API-level features for robust malware detection in Android. In SecureComm. Yousra Aafer Wenliang Du and Heng Yin. 2013. DroidAPIMiner: Mining API-level features for robust malware detection in Android. In SecureComm.","DOI":"10.1007\/978-3-319-04283-1_6"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/2393596.2393666"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/WIFS.2016.7823922"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23247"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/2594291.2594299"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.5555\/1304596.1304948"},{"key":"e_1_2_1_7_1","volume-title":"USENIX Security Symposium.","author":"Bhoraskar Ravi","year":"2014"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046614.2046619"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/2804345.2804349"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/2875475.2875481"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2016.04.009"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2462096.2462100"},{"key":"e_1_2_1_13_1","unstructured":"Check Point. 2017. ExpensiveWall: A Dangerous \u2019Packed\u2019 Malware on Google Play that Will Hit Your Wallet. https:\/\/blog.checkpoint.com\/2017\/09\/14\/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet\/. Check Point. 2017. ExpensiveWall: A Dangerous \u2019Packed\u2019 Malware on Google Play that Will Hit Your Wallet. https:\/\/blog.checkpoint.com\/2017\/09\/14\/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet\/."},{"key":"e_1_2_1_14_1","unstructured":"Check Point. 2017. FalseGuide misleads users on GooglePlay. https:\/\/blog.checkpoint.com\/2017\/04\/24\/falaseguide-misleads-users-googleplay\/. Check Point. 2017. FalseGuide misleads users on GooglePlay. https:\/\/blog.checkpoint.com\/2017\/04\/24\/falaseguide-misleads-users-googleplay\/."},{"key":"e_1_2_1_15_1","doi-asserted-by":"crossref","unstructured":"Sen Chen Minhui Xue Lingling Fan Shuang Hao Lihua Xu Haojin Zhu and Bo Li. 2018. Automated poisoning attacks and defenses in malware detection systems: An adversarial machine learning approach. Computers 8 Security 73 (2018) 326--344. Sen Chen Minhui Xue Lingling Fan Shuang Hao Lihua Xu Haojin Zhu and Bo Li. 2018. Automated poisoning attacks and defenses in malware detection systems: An adversarial machine learning approach. Computers 8 Security 73 (2018) 326--344.","DOI":"10.1016\/j.cose.2017.11.007"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897860"},{"key":"e_1_2_1_17_1","volume-title":"Wireless and Optical Communication Conference (WOCC).","author":"Chen Yang","year":"2014"},{"key":"e_1_2_1_18_1","unstructured":"Jon Clay. 2016. Continued Rise in Mobile Threats for 2016. http:\/\/blog.trendmicro.com\/continued-rise-in-mobile-threats-for-2016\/. Jon Clay. 2016. Continued Rise in Mobile Threats for 2016. http:\/\/blog.trendmicro.com\/continued-rise-in-mobile-threats-for-2016\/."},{"key":"e_1_2_1_19_1","doi-asserted-by":"crossref","unstructured":"S. Dai A. Tongaonkar X. Wang A. Nucci and D. Song. 2013. NetworkProfiler: Towards automatic fingerprinting of Android apps. In IEEE INFOCOM. S. Dai A. Tongaonkar X. Wang A. Nucci and D. Song. 2013. NetworkProfiler: Towards automatic fingerprinting of Android apps. In IEEE INFOCOM.","DOI":"10.1109\/INFCOM.2013.6566868"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/2619091"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653691"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046779"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23379"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2517312.2517315"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/1985793.1985971"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/1064978.1065036"},{"key":"e_1_2_1_28_1","unstructured":"Google. 2018. Android Security 2017 Year in Review. https:\/\/source.android.com\/security\/reports\/Google_Android_Security_2017_Report_Final.pdf. Google. 2018. Android Security 2017 Year in Review. https:\/\/source.android.com\/security\/reports\/Google_Android_Security_2017_Report_Final.pdf."},{"key":"e_1_2_1_29_1","volume-title":"Annual Symposium on Network and Distributed System Security (NDSS).","author":"Gordon Michael I."},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/2307636.2307663"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.5555\/1298081.1298084"},{"key":"e_1_2_1_32_1","doi-asserted-by":"crossref","unstructured":"Shifu Hou Yanfang Ye Yanggiu Song and Melih Abdulhayoglu. 2017. HinDroid: An intelligent Android malware detection system based on structured heterogeneous information network. (2017). Shifu Hou Yanfang Ye Yanggiu Song and Melih Abdulhayoglu. 2017. HinDroid: An intelligent Android malware detection system based on structured heterogeneous information network. (2017).","DOI":"10.1145\/3097983.3098026"},{"key":"e_1_2_1_33_1","volume-title":"Annual Symposium on Network and Distributed System Security (NDSS).","author":"Zhou Yajin","year":"2013"},{"key":"e_1_2_1_34_1","unstructured":"Ian Jolliffe. 2002. Principal Component Analysis. John Wiley 8 Sons Ltd. Ian Jolliffe. 2002. Principal Component Analysis. John Wiley 8 Sons Ltd."},{"key":"e_1_2_1_35_1","volume-title":"Proceedings of the 26th USENIX Security Symposium (USENIX Security","author":"Jordaney Roberto","year":"2017"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2018.01.007"},{"key":"e_1_2_1_37_1","unstructured":"Michael J. Kearns. 1990. The Computational Complexity of Machine Learning. MIT press. Michael J. Kearns. 1990. The Computational Complexity of Machine Learning. MIT press."},{"key":"e_1_2_1_38_1","unstructured":"Jinyung Kim Yongho Yoon Kwangkeun Yi Junbum Shin and SWRD Center. 2012. ScanDal: Static analyzer for detecting privacy leaks in android applications. In MoST. Jinyung Kim Yongho Yoon Kwangkeun Yi Junbum Shin and SWRD Center. 2012. ScanDal: Static analyzer for detecting privacy leaks in android applications. In MoST."},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/2614628.2614633"},{"key":"e_1_2_1_40_1","volume-title":"USENIX Security Symposium.","author":"Kolbitsch Clemens","year":"2009"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-08509-8_4"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382223"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/2491411.2491450"},{"key":"e_1_2_1_44_1","unstructured":"Enrico Mariconti. 2019. TESSERACT\u2019s evaluation framework and its use of MaMaDroid. https:\/\/www.benthamsgaze.org\/2019\/02\/12\/tesseracts-evaluation-framework-and-its-use-of-mamadroid\/. Enrico Mariconti. 2019. TESSERACT\u2019s evaluation framework and its use of MaMaDroid. https:\/\/www.benthamsgaze.org\/2019\/02\/12\/tesseracts-evaluation-framework-and-its-use-of-mamadroid\/."},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23353"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/3052973.3053001"},{"key":"e_1_2_1_47_1","unstructured":"David Morris. 2017. An Extremely Convincing WhatsApp Fake Was Downloaded More Than 1 Million Times From Google Play. http:\/\/fortune.com\/2017\/11\/04\/whatsapp-fake-google-play\/. David Morris. 2017. An Extremely Convincing WhatsApp Fake Was Downloaded More Than 1 Million Times From Google Play. http:\/\/fortune.com\/2017\/11\/04\/whatsapp-fake-google-play\/."},{"key":"e_1_2_1_48_1","doi-asserted-by":"crossref","unstructured":"James R. Norris. 1998. Markov Chains. Cambridge University Press. James R. Norris. 1998. Markov Chains. Cambridge University Press.","DOI":"10.1017\/CBO9780511810633"},{"key":"e_1_2_1_49_1","unstructured":"Jon Oberheide and Charlie Miller. 2012. Dissecting the Android bouncer. In SummerCon. Jon Oberheide and Charlie Miller. 2012. Dissecting the Android bouncer. In SummerCon."},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/2393596.2393600"},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/PST.2018.8514191"},{"key":"e_1_2_1_52_1","volume-title":"TESSERACT: Eliminating experimental bias in malware classification across space and time. arXiv:1807.07838","author":"Pendlebury Feargus","year":"2018"},{"key":"e_1_2_1_53_1","volume-title":"Annual Symposium on Network and Distributed System Security (NDSS).","author":"Poeplau Sebastian","year":"2014"},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-20550-2_9"},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/1920261.1920313"},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23039"},{"key":"e_1_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/2484313.2484355"},{"key":"e_1_2_1_58_1","volume-title":"Madam: Effective and efficient behavior-based android malware detection and prevention","author":"Saracino Andrea","year":"2016"},{"key":"e_1_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/2295136.2295141"},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-010-0141-5"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23145"},{"key":"e_1_2_1_62_1","unstructured":"May Ying Tee and Martin Zhang. 2018. Hidden App Malware Found on Google Play. https:\/\/www.symantec.com\/blogs\/threat-intelligence\/hidden-app-malware-google-play. May Ying Tee and Martin Zhang. 2018. Hidden App Malware Found on Google Play. https:\/\/www.symantec.com\/blogs\/threat-intelligence\/hidden-app-malware-google-play."},{"key":"e_1_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1002\/sec.675"},{"key":"e_1_2_1_64_1","volume-title":"Conference of the Centre for Advanced Studies on Collaborative Research.","author":"Vall\u00e9e-Rai Raja","year":"1999"},{"key":"e_1_2_1_65_1","unstructured":"Dinesh Venkatesan. 2016. Android.Bankosy: All ears on voice call-based 2FA. http:\/\/www.symantec.com\/connect\/blogs\/androidbankosy-all-ears-voice-call-based-2fa. Dinesh Venkatesan. 2016. Android.Bankosy: All ears on voice call-based 2FA. http:\/\/www.symantec.com\/connect\/blogs\/androidbankosy-all-ears-voice-call-based-2fa."},{"key":"e_1_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/2590296.2590325"},{"key":"e_1_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1145\/2637364.2592003"},{"key":"e_1_2_1_68_1","unstructured":"Antonio Villas-Boas. 2018. More than 500 000 People Downloaded Games on the Google Play Store that were Infected with Nasty Malware -- Here are the 13 Apps Affected. https:\/\/www.businessinsider.com\/google-play-store-game-apps-removed-malware-2018-11?r=US8IR=T. Antonio Villas-Boas. 2018. More than 500 000 People Downloaded Games on the Google Play Store that were Infected with Nasty Malware -- Here are the 13 Apps Affected. https:\/\/www.businessinsider.com\/google-play-store-game-apps-removed-malware-2018-11?r=US8IR=T."},{"key":"e_1_2_1_69_1","volume-title":"Annual Symposium on Network and Distributed System Security (NDSS).","author":"Michelle"},{"key":"e_1_2_1_70_1","unstructured":"Ben Woods. 2016. Google Play has hundreds of Android apps that contain malware. http:\/\/www.trustedreviews.com\/news\/malware-apps-downloaded-google-play. Ben Woods. 2016. Google Play has hundreds of Android apps that contain malware. http:\/\/www.trustedreviews.com\/news\/malware-apps-downloaded-google-play."},{"key":"e_1_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1109\/AsiaJCIS.2012.18"},{"key":"e_1_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.60"},{"key":"e_1_2_1_73_1","volume-title":"USENIX Security Symposium.","author":"Yan Lok Kwong","year":"2012"},{"key":"e_1_2_1_74_1","volume-title":"Droidminer: Automated mining and characterization of fine-grained malicious behaviors in Android applications. In ESORICS.","author":"Yang Chao","year":"2014"},{"key":"e_1_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.5555\/2818754.2818793"},{"key":"e_1_2_1_76_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516676"},{"key":"e_1_2_1_77_1","doi-asserted-by":"publisher","DOI":"10.1145\/2536853.2536881"},{"key":"e_1_2_1_78_1","doi-asserted-by":"publisher","DOI":"10.1145\/2924715.2924719"},{"key":"e_1_2_1_79_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.61"},{"key":"e_1_2_1_80_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.16"},{"key":"e_1_2_1_81_1","volume-title":"Annual Symposium on Network and Distributed System Security (NDSS).","author":"Zhou Yajin","year":"2012"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3313391","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3313391","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:54:33Z","timestamp":1750204473000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3313391"}},"subtitle":["Detecting Android Malware by Building Markov Chains of Behavioral Models (Extended Version)"],"short-title":[],"issued":{"date-parts":[[2019,4,9]]},"references-count":80,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2019,5,31]]}},"alternative-id":["10.1145\/3313391"],"URL":"https:\/\/doi.org\/10.1145\/3313391","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,4,9]]},"assertion":[{"value":"2017-11-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-02-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-04-09","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}