AI Case Study

Tencent detects malware on Android phones in real-time using deep neural networks

Researchers from West Virginia University and Tencent have developed a deep neural network model to detect malware on Android phone apps in real-time. The method is currently used in Tencent's Mobile Security product.


Consumer Goods And Services

Personal And Household Goods

Project Overview

The Tencent Security Lab has developed a malware detection system called AiDroid that uses machine learning to identify potentially malicious apps on Android phones. It is currently being used in Tencent's Mobile Security product, with millions of users globally. It does so after analysing semantic relationships between apps using API call sequences and then built a deep neural network classifier to predict which apps are malicious.

Reported Results

The research resulted in an ROC curve of "an impressive
0.9914 true positive rate (TPR) at 0.0094 false positive
rate (FPR). We can conclude that AiDroid is indeed feasible
in practical use for real-time Android malware detection." AiDroid has "been incorporated into Tencent Mobile Security product that serves millions of users worldwide".


The researchers "first extract the API call sequences from runtime
executions of Android apps and further analyze higherlevel
semantic relationships within the ecosystem. To depict
such complex relations, we introduce HIN for modeling
and use meta-path based approach to build up relatednesses
over apps. To efficiently classify nodes (i.e., apps) in
HIN, we propose the HinLearning method to first gain insample
node embeddings and then learn representations of
out-of-sample nodes without rerunning/adjusting HIN embeddings
for the first time. Afterwards, we design a DNN
classifier leveraging the advantages of CNNs and Inception
for Android malware detection".


Information Technology



"Due to the mobility and ever expanding capabilities, smart
phones have become increasingly ubiquitous in people’s everyday
life performing tasks such as social networking, online
banking, and entertainment. Android, as an open source
and customizable operating system (OS) for smart phones,
is currently dominating the smart phone market by 77.32%
(Statcounter 2018). However, due to its large market share
and open source ecosystem of development, Android attracts
not only the developers for producing legitimate Android applications (apps), but also attackers to disseminate malware
(malicious software) that deliberately fulfills the harmful intent
to the smart phone users (e.g., stealing user credentials,
pushing unwanted apps or advertisements). Because of lacking
trustworthiness review methods, developers can easily
upload their Android apps including repackaged apps and
malware to the official marketplace (i.e., Google Play)".



The data used was "large-scale real sample collection from Tencent Security Lab, which contains 190,696 training app (i.e.,
83,784 benign and 106,912 malicious). After feature extraction
and based on the designed network schema, the constructed
HIN has 286,421 nodes (i.e., 190,696 nodes with type of app, 331 nodes with type of API, 70,187 nodes with type of IMEI, 8,499 nodes with type of signature, and 16,708 with type of affiliation) and 4,170,047 edges including relations of R1-R6. The new coming 17,746 unknown apps are used as testing data (to obtain the ground truth, they are further analyzed by the anti-malware experts, 13,313 of which are labeled as benign and 4,433 are malicious)."