Dynamic Android Malware Analysis with De-Identification of Personal Identifiable Information

The rapid performance improvement and versatility of Android smartphone make people's lives more and more dependent on it. Not only making smartphone carry more personal privacy information, but also making it a target for hackers. Many security-prevent tools collect application information from smartphones for application analysis, but this information may cause privacy concerns. This paper proposes a system called ShadowDroid, which uses dynamic analysis technology for Android applications. ShadowDroid establishes a VPN on the smartphone to intercept all the network traffic to collect the data needed for analysis. At the same time, through the method of string matching to find out the private information from the data, and then de-identify it to make sure that the uploaded analysis data does not contain any personal identifiable information. ShadowDroid classifies malicious applications into three types: spyware, botware, and ransomware. Knowing the type of malicious application allows users to find the right response strategy. In addition, for malicious applications that mix multiple malicious behaviors, ShadowDroid calculates the similarity between the uploaded analytical data and the standard feature set of each type, thereby helping the user to determine which malicious behaviors the malicious application may contain. The experiment confirmed that the accuracy of the classification result of ShadowDroid without the privacy information leakage of smartphone users is 90%, only slightly lower than the accuracy of 92% of [1].