Welcome to AndroidMalwareCrypto’s documentation!

This tool allows for an analysis of cryptographic API usage in Android applications. The tool was developed primarily to compare cryptographic API usage in benign vs. malicious applications and contains a (weak) malware classifier based purely on cryptographic API features. We strive to provide an end-to-end solution, automating all steps of the analysis.

This documentation serves as a protocol to allow full replication of our experiments. Use the links in the list above (or the table of contents) to navigate to a specific step in our research.

Quickstart

To run a full-fledged analysis on your own dataset, read the section below. The following script just pulls the Docker image and runs a sample experiment on a small number of APKs.

  1. Run the Docker image interactively

docker pull adamjanovsky/cryptomlw && docker run -it adamjanovsky/cryptomlw

  2. Run the sample experiment script

cd AndroidMalwareCrypto/sample_experiment && ./execute_sample_experiment.sh

Run full analysis

The full analysis has 5 steps, each of which has its own CLI. Please visit the docs for the instructions for the corresponding steps.

  1. Decompilation of APKs and collection of cryptographic API usage in the decompiled binaries (Mining crypto API, APK Dataset), handled with cli_process.py.

  2. Data preparation (Data preparation), handled with cli_prepare.py.

  3. Exploratory data analysis of crypto API usage in your dataset (Exploratory data analysis), handled with cli_automatically_explore.py.

  4. Training and evaluation of the malware classifier based on crypto API features (Classifier training), handled with cli_train.py.

  5. Explanations of the classifier using SHAP (Classifier interpretation), handled with cli_explain.py.

Contents