{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,1]],"date-time":"2026-04-01T17:56:47Z","timestamp":1775066207447,"version":"3.50.1"},"reference-count":60,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2021,5,8]],"date-time":"2021-05-08T00:00:00Z","timestamp":1620432000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"the Key Program of National Science Foundation of China","award":["U1936211"],"award-info":[{"award-number":["U1936211"]}]},{"name":"the Key-Area Research and Development Program of Guangdong Province","award":["2019B010139001"],"award-info":[{"award-number":["2019B010139001"]}]},{"name":"the Shenzhen Fundamental Research Program","award":["JCYJ20170413114215614"],"award-info":[{"award-number":["JCYJ20170413114215614"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2021,7,31]]},"abstract":"Android, the most popular mobile operating system, has attracted millions of users around the world. Meanwhile, the number of new Android malware instances has grown exponentially in recent years. On the one hand, existing Android malware detection systems have shown that distilling the program semantics into a graph representation and detecting malicious programs by conducting graph matching are able to achieve high accuracy on detecting Android malware. However, these traditional graph-based approaches always perform expensive program analysis and suffer from low scalability on malware detection. On the other hand, because of the high scalability of social network analysis, it has been applied to complete large-scale malware detection. However, the social-network-analysis-based method only considers simple semantic information (i.e., centrality) for achieving market-wide mobile malware scanning, which may limit the detection effectiveness when benign apps show some similar behaviors as malware.<\/jats:p>\n \n In this article, we aim to combine the high accuracy of traditional graph-based method with the high scalability of social-network-analysis--based method for Android malware detection. Instead of using traditional heavyweight static analysis, we treat function call graphs of apps as complex social networks and apply social-network--based centrality analysis to unearth the central nodes within call graphs. After obtaining the central nodes, the average intimacies between sensitive API calls and central nodes are computed to represent the semantic features of the graphs. We implement our approach in a tool called\n IntDroid<\/jats:italic>\n and evaluate it on a dataset of 3,988 benign samples and 4,265 malicious samples. Experimental results show that\n IntDroid<\/jats:italic>\n is capable of detecting Android malware with an F-measure of 97.1% while maintaining a True-positive Rate of 99.1%. Although the scalability is not as fast as a social-network-analysis--based method (i.e.,\n MalScan<\/jats:italic>\n ), compared to a traditional graph-based method,\n IntDroid<\/jats:italic>\n is more than six times faster than\n MaMaDroid<\/jats:italic>\n . Moreover, in a corpus of apps collected from GooglePlay market,\n IntDroid<\/jats:italic>\n is able to identify 28 zero-day malware that can evade detection of existing tools, one of which has been downloaded and installed by more than ten million users. This app has also been flagged as malware by six anti-virus scanners in VirusTotal, one of which is\n Symantec Mobile Insight<\/jats:italic>\n .\n <\/jats:p>","DOI":"10.1145\/3442588","type":"journal-article","created":{"date-parts":[[2021,5,8]],"date-time":"2021-05-08T11:40:33Z","timestamp":1620474033000},"page":"1-32","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":49,"title":["IntDroid"],"prefix":"10.1145","volume":"30","author":[{"given":"Deqing","family":"Zou","sequence":"first","affiliation":[{"name":"Huazhong University of Science and Technology, Shenzhen, China"}]},{"given":"Yueming","family":"Wu","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}]},{"given":"Siru","family":"Yang","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}]},{"given":"Anki","family":"Chauhan","sequence":"additional","affiliation":[{"name":"University of Texas at Dallas, Dallsa, USA"}]},{"given":"Wei","family":"Yang","sequence":"additional","affiliation":[{"name":"University of Texas at Dallas, Dallsa, USA"}]},{"given":"Jiangying","family":"Zhong","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}]},{"given":"Shihan","family":"Dou","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}]},{"given":"Hai","family":"Jin","sequence":"additional","affiliation":[{"name":"Huazhong University of Science and Technology, Wuhan, China"}]}],"member":"320","published-online":{"date-parts":[[2021,5,8]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"2014. Permission-based method. Retrieved from http:\/\/infosec.bjtu.edu.cn\/wangwei\/?page_id=85\/."},{"key":"e_1_2_1_2_1","unstructured":"2017. MaMaDroid. Retrieved from https:\/\/bitbucket.org\/gianluca_students\/mamadroid_code\/."},{"key":"e_1_2_1_3_1","unstructured":"2018. Cyber attacks on Android devices on the rise. Retrieved from https:\/\/www.gdatasoftware.com\/blog\/2018\/11\/31255-cyber-attacks-on-android-devices-on-the-rise\/."},{"key":"e_1_2_1_4_1","unstructured":"2018. Worldwide Smartphone Sales to End Users by Operating System in 2Q18. Retrieved from https:\/\/www.gartner.com\/en\/newsroom\/press-releases\/2018-08-28-gartner-says-huawei-secured-no-2-worldwide-smartphone-vendor-spot-surpassing-apple-in-second-quarter\/."},{"key":"e_1_2_1_5_1","unstructured":"2019. APK Protect\u2014Provide Android APK Encryption and Protection. Retrieved from https:\/\/sourceforge.net\/projects\/apkprotect\/."},{"key":"e_1_2_1_6_1","unstructured":"2019. scikit-learn. Retrieved from https:\/\/scikit-learn.org\/."},{"key":"e_1_2_1_7_1","unstructured":"2019. VirusTotal\u2014Free online virus malware and URL scanner. Retrieved from https:\/\/www.virustotal.com\/."},{"key":"e_1_2_1_8_1","unstructured":"2020. SanDroid\u2014An automatic Android application analysis system. Retrieved from http:\/\/sanddroid.xjtu.edu.cn\/."},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-04283-1_6"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274744"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/2901739.2903508"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23247"},{"key":"e_1_2_1_13_1","volume-title":"Proceedings of the ACM Conference on Computer and Communications Security (CCS\u201912)","author":"Yee Au Kathy Wain","year":"2012","unstructured":"Kathy Wain Yee Au, Yi Fan Zhou, Zhen Huang, and David Lie. 2012. Pscout: Analyzing the Android permission specification. In Proceedings of the ACM Conference on Computer and Communications Security (CCS\u201912)."},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2015.61"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/2568225.2568286"},{"key":"e_1_2_1_16_1","volume-title":"Proceedings of the 24th USENIX Security Symposium (USENIX Security\u201915)","author":"Chen Kai","year":"2015","unstructured":"Kai Chen, Peng Wang, Yeonjoon Lee, XiaoFeng Wang, Nan Zhang, Heqing Huang, Wei Zou, and Peng Liu. 2015. Finding unknown malice in 10 seconds: Mass vetting for new threats at the google-play scale. In Proceedings of the 24th USENIX Security Symposium (USENIX Security\u201915)."},{"key":"e_1_2_1_17_1","volume-title":"Android HIV: A study of repackaging malware for evading machine-learning detection","author":"Chen Xiao","year":"2018","unstructured":"Xiao Chen, Chaoran Li, Derui Wang, Sheng Wen, Jun Zhang, Surya Nepal, Yang Xiang, and Kui Ren. 2018. Android HIV: A study of repackaging malware for evading machine-learning detection. IEEE Trans. Info. Forens. Secur. (2018)."},{"key":"e_1_2_1_18_1","doi-asserted-by":"crossref","unstructured":"Nigel Coles. 2001. It\u2019s not what you know-It\u2019s who you know that counts. Analysing serious crime groups as social networks. Brit. J. Criminol. (2001).","DOI":"10.1093\/bjc\/41.4.580"},{"key":"e_1_2_1_19_1","unstructured":"Anthony Desnos et\u00a0al. 2011. Androguard. Retrieved from https:\/\/github.com\/androguard\/androguard."},{"key":"e_1_2_1_20_1","volume-title":"Sheth","author":"Enck William","year":"2014","unstructured":"William Enck, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. 2014. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. (2014)."},{"key":"e_1_2_1_21_1","volume-title":"CTDroid: Leveraging a corpus of technical blogs for android malware analysis","author":"Fan Ming","year":"2019","unstructured":"Ming Fan, Xiapu Luo, Jun Liu, Chunyin Nong, Qinghua Zheng, and Ting Liu. 2019. CTDroid: Leveraging a corpus of technical blogs for android malware analysis. IEEE Trans. Reliabil. (2019)."},{"key":"e_1_2_1_22_1","doi-asserted-by":"crossref","unstructured":"Katherine Faust. 1997. Centrality in affiliation networks. Soc. Netw. (1997).","DOI":"10.1016\/S0378-8733(96)00300-0"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICECCS.2019.00014"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635869"},{"key":"e_1_2_1_25_1","doi-asserted-by":"crossref","unstructured":"Yu Feng Osbert Bastani Ruben Martins Isil Dillig and Saswat Anand. 2016. Automated synthesis of semantic malware signatures using maximum satisfiability. Retrieved from https:\/\/arXiv:1608.06254.","DOI":"10.14722\/ndss.2017.23379"},{"key":"e_1_2_1_26_1","doi-asserted-by":"crossref","unstructured":"Linton C. Freeman. 1978. Centrality in social networks conceptual clarification. Soc. Netw. (1978).","DOI":"10.1016\/0378-8733(78)90021-7"},{"key":"e_1_2_1_27_1","doi-asserted-by":"crossref","unstructured":"Joshua Garcia Mahmoud Hammad and Sam Malek. 2018. Lightweight obfuscation-resilient detection and family identification of Android malware. ACM Trans. Softw. Eng. Methodol. (2018).","DOI":"10.1145\/3180155.3182551"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/2517312.2517315"},{"key":"e_1_2_1_29_1","volume-title":"Proceedings of the Annual Symposium on Network and Distributed System Security (NDSS\u201912)","author":"Grace Michael C.","year":"2012","unstructured":"Michael C. Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang. 2012. Systematic detection of capability leaks in stock android smartphones. In Proceedings of the Annual Symposium on Network and Distributed System Security (NDSS\u201912)."},{"key":"e_1_2_1_30_1","volume-title":"The worldwide air transportation network: Anomalous centrality, community structure, and cities","author":"Guimera Roger","year":"2005","unstructured":"Roger Guimera, Stefano Mossa, Adrian Turtschi, and L. A. Nunes Amaral. 2005. The worldwide air transportation network: Anomalous centrality, community structure, and cities\u2019 global roles. Proc. Natl. Acad. Sci. U.S.A. (2005)."},{"key":"e_1_2_1_31_1","doi-asserted-by":"crossref","unstructured":"Chun-Ying Huang Yi-Ting Tsai and Chung-Han Hsu. 2013. Performance evaluation on permission-based detection for android malware. In Advances in Intelligent Systems and Applications.","DOI":"10.1007\/978-3-642-35473-1_12"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-38908-5_13"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2017.57"},{"key":"e_1_2_1_34_1","volume-title":"Oltvai","author":"Jeong Hawoong","year":"2001","unstructured":"Hawoong Jeong, Sean P. Mason, A.-L. Barab\u00e1si, and Zoltan N. Oltvai. 2001. Lethality and centrality in protein networks. Nature (2001)."},{"key":"e_1_2_1_35_1","volume-title":"A new status index derived from sociometric analysis. Psychometrika","author":"Katz Leo","year":"1953","unstructured":"Leo Katz. 1953. A new status index derived from sociometric analysis. Psychometrika (1953)."},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/TII.2017.2789219"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/2931037.2931044"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1109\/BADGERS.2014.7"},{"key":"e_1_2_1_39_1","unstructured":"Xiaoming Liu Johan Bollen Michael L. Nelson and Herbert Van de Sompel. 2005. Co-authorship networks in the digital library research community. Info. Process. Manage. (2005)."},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274731"},{"key":"e_1_2_1_41_1","volume-title":"Whitney","author":"Mann Henry B.","year":"1947","unstructured":"Henry B. Mann and Donald R. Whitney. 1947. On a test of whether one of two random variables is stochastically larger than the other. Ann. Math. Stat. (1947)."},{"key":"e_1_2_1_42_1","unstructured":"Massimo Marchiori and Vito Latora. 2000. Harmony in the small-world. Physica A: Stat. Mech. Appl. (2000)."},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23353"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/2931037.2931043"},{"key":"e_1_2_1_45_1","doi-asserted-by":"crossref","unstructured":"Annamalai Narayanan Mahinthan Chandramohan Lihui Chen and Yang Liu. 2018. A multi-view context-aware approach to Android malware detection and malicious code localization. Empir. Softw. Eng. (2018).","DOI":"10.1007\/s10664-017-9539-8"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382224"},{"key":"e_1_2_1_47_1","volume-title":"Catch me if you can: Evaluating android anti-malware against transformation attacks","author":"Rastogi Vaibhav","year":"2013","unstructured":"Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. 2013. Catch me if you can: Evaluating android anti-malware against transformation attacks. IEEE Trans. Info. Forensics Secur. (2013)."},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.14"},{"key":"e_1_2_1_49_1","volume-title":"Madam: Effective and efficient behavior-based android malware detection and prevention","author":"Saracino Andrea","year":"2018","unstructured":"Andrea Saracino, Daniele Sgandurra, Gianluca Dini, and Fabio Martinelli. 2018. Madam: Effective and efficient behavior-based android malware detection and prevention. IEEE Trans. Depend. Secure Comput. (2018)."},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/2295136.2295141"},{"key":"e_1_2_1_51_1","volume-title":"Wilk","author":"Shapiro Samuel Sanford","year":"1965","unstructured":"Samuel Sanford Shapiro and Martin B. Wilk. 1965. An analysis of variance test for normality (complete samples). Biometrika (1965)."},{"key":"e_1_2_1_52_1","unstructured":"Guillermo Suarez-Tangil and Gianluca Stringhini. 2018. Eight years of rider measurement in the android malware ecosystem: Evolution and lessons learned. Retrieved from https:\/\/arXiv:1801.08115."},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2014.2353996"},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2019.00023"},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.40"},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180223"},{"key":"e_1_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.5555\/2818754.2818793"},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660359"},{"key":"e_1_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-24177-7_15"},{"key":"e_1_2_1_60_1","volume-title":"Proceedings of the Annual Symposium on Network and Distributed System Security (NDSS\u201912)","author":"Zhou Yajin","year":"2012","unstructured":"Yajin Zhou, Zhi Wang, Wu Zhou, and Xuxian Jiang. 2012. Hey, you, get off of my market: Detecting malicious apps in official and alternative android markets. In Proceedings of the Annual Symposium on Network and Distributed System Security (NDSS\u201912)."}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3442588","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3442588","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:03:02Z","timestamp":1750197782000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3442588"}},"subtitle":["Android Malware Detection Based on API Intimacy Analysis"],"short-title":[],"issued":{"date-parts":[[2021,5,8]]},"references-count":60,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2021,7,31]]}},"alternative-id":["10.1145\/3442588"],"URL":"https:\/\/doi.org\/10.1145\/3442588","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,5,8]]},"assertion":[{"value":"2020-02-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-12-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-05-08","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}