RiskInDroid

RiskInDroid (Risk Index for Android) is a tool for quantitative risk analysis of Android applications. It is written in Java (used to check the permissions of the apps) and Python (used to compute a risk value based on the apps' permissions).

Cost / License

  • Free
  • Open Source

Platforms

  • Self-Hosted

Tags

  • quantitative-risk-analysis
  • Android
  • android-permissions

RiskInDroid information

  • Developed by

    Gabriel Claudiu Georgiu
  • Licensing

    Open Source (MIT) and Free product.
  • Supported Languages

    • English

AlternativeTo Category

Security & Privacy

GitHub repository

  •  158 Stars
  •  31 Forks
  •  0 Open Issues
RiskInDroid was added to AlternativeTo by Sam Lander on and this page was last updated .

What is RiskInDroid?

RiskInDroid (Risk Index for Android) is a tool for quantitative risk analysis of Android applications. It is written in Java (used to check the permissions of the apps) and Python (used to compute a risk value based on the apps' permissions). The tool uses classification techniques from scikit-learn, a machine learning library for Python, to generate a numeric risk value between 0 and 100 for a given app. In particular, the following scikit-learn classifiers are used in RiskInDroid (this list was chosen after extensive empirical assessments):

  • Support Vector Machines (SVM)
  • Multinomial Naive Bayes (MNB)
  • Gradient Boosting (GB)
  • Logistic Regression (LR)

Unlike other tools, RiskInDroid does not consider only the permissions declared in the app manifest. It also reverse engineers the apps to retrieve the bytecode and then infers (through static analysis) which permissions are actually used and which are not, extracting 4 sets of permissions for every analyzed app:

  • Declared permissions - extracted from the app manifest
  • Exploited permissions - declared and actually used in the bytecode
  • Ghost permissions - not declared but with usages in the bytecode
  • Useless permissions - declared but never used in the bytecode

From the above sets of permissions (and considering only the official list of Android permissions), feature vectors (made of 0s and 1s) are built and given to the classifiers, which then compute a risk value. The precision and the reliability of RiskInDroid have been empirically tested on a dataset made of more than 6K malware samples and 112K apps.
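
The four permission sets and the 0/1 feature vector described above can be sketched as follows. This is an added example, not RiskInDroid's own code: the function names are hypothetical, the permission list is a small constructed subset of the official Android list, and the vector layout (four concatenated blocks, one per set) is an assumption.

```python
# Added example; names and vector layout are assumptions, not RiskInDroid's code.
# Constructed subset standing in for the official Android permission list.
OFFICIAL_PERMISSIONS = sorted([
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
])
SET_ORDER = ("declared", "exploited", "ghost", "useless")


def permission_sets(declared, used):
    """Derive the four sets from manifest permissions and bytecode usages."""
    official = set(OFFICIAL_PERMISSIONS)
    declared = set(declared) & official  # only official permissions count
    used = set(used) & official
    return {
        "declared": declared,            # present in the manifest
        "exploited": declared & used,    # declared and used in the bytecode
        "ghost": used - declared,        # used but never declared
        "useless": declared - used,      # declared but never used
    }


def feature_vector(sets):
    """One 0/1 indicator per (set, official permission), sets concatenated."""
    return [int(perm in sets[name])
            for name in SET_ORDER
            for perm in OFFICIAL_PERMISSIONS]


# Constructed sample app: manifest entries and permissions found in bytecode.
SAMPLE_DECLARED = [
    "android.permission.INTERNET",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "com.example.app.permission.CUSTOM",  # not official, so ignored
]
SAMPLE_USED = [
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
]

if __name__ == "__main__":
    sets = permission_sets(SAMPLE_DECLARED, SAMPLE_USED)
    for name in SET_ORDER:
        print(f"{name:9s} {sorted(sets[name])}")
    print(feature_vector(sets))
```

A vector built this way is the kind of input a scikit-learn classifier would be trained on and scored against.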