Aggregated Machine Learning on Indicators of Compromise in Android Devices

Malware mitigation for mobile technology is a long-standing problem for which there is not yet a good solution. In this paper, we focus on identifying malicious applications, and verifying the absence of malicious or vulnerable code in applications that agencies seek to utilize. Our analysis toolbox includes static analysis and permissions risk scoring as pre-installation vetting techniques designed to prevent malware from being installed on devices on an enterprise network. However, dynamic code-loading techniques and changing security requirements mean that applications which previously passed the static analysis verification process, and have been installed on devices, may no longer meet security standards, and may be malicious. To identify these apps, and prevent their future malfeasance, we propose a crowd-sourced behavioral analysis (CSBA) technique, using machine learning to identify anomalous activity by examining patterns in power consumption, network behavior, and sequences of system calls. These techniques apply effectively to a single user's device over time, as well as to individual devices within an enterprise network.