Tweet analysis for Android malware detection in Google Play Store

Abstract

There are many approaches to detect if an app is malware or benign, for example, using static or dynamic analysis. Static analysis can be used to look for APIs that are indicative of malware. Alternatively, emulating the app’s behavior using dynamic analysis can also help in detecting malware. Each type of approach has advantages and disadvantages. To complement existing approaches, in this report, I studied the use of Twitter data to identify malware. The dataset that I used consists of a large set of Android apps made available by AndroZoo. For each app, AndroZoo provides information on vt detection, which records number of anti-virus programs in VirusTotal that label the app as malware. As an additional source of information about apps, I crawled a large set of tweets and analyzed them to identify patterns of malware and benign apps in Twitter. Tweets were crawled based on keywords related to Google Play Store app links. A Google Play Store app link contains the corresponding app’s ID, which makes it easy to link tweets to apps. Certain fields of the tweets were analyzed by comparing patterns in malware versus benign apps, with the goal of identifying fields that are indicative of malware behavior. The classification label from AndroZoo was considered as ground truth.