Android malware continues to evolve in complexity, often bypassing traditional antivirus solutions through advanced obfuscation, runtime polymorphism, and conditional execution. To address these challenges, this study presents Hybrid Insight, which is a robust two-stage detection framework that integrates static and dynamic analysis for comprehensive and resilient malware identification. In the static phase, structural features such as permissions, API calls, certificate metadata, and obfuscation indicators are extracted using Androguard, along with engineered metrics including permission-risk ratios and SDK-based signals. The dynamic phase complements this by executing applications within an emulated environment to capture real-time behavioral features which includes CPU usage, logcat anomalies, network activity, and runtime permission triggers. Two independent Random Forest classifiers are trained on static and dynamic feature sets, and a weighted decision fusion mechanism integrates their outputs to enhance detection accuracy. Experimental evaluation on a diverse dataset demonstrates a high classification accuracy of 96.16% and an AUC of 0.98. Feature importance analysis further confirms the significance of obfuscation patterns and runtime anomalies. The results validate the effectiveness of hybrid analysis in detecting both structurally and behaviorally evasive Android malware, which supports its applicability for practical deployment in modern mobile security systems.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Hybrid Insight: A Static-Dynamic Random Forest Framework for Detecting Obfuscated Android Malware

  • Pratham Biren Patel,
  • Jizhou Tong,
  • Qing Zhang

摘要

Android malware continues to evolve in complexity, often bypassing traditional antivirus solutions through advanced obfuscation, runtime polymorphism, and conditional execution. To address these challenges, this study presents Hybrid Insight, which is a robust two-stage detection framework that integrates static and dynamic analysis for comprehensive and resilient malware identification. In the static phase, structural features such as permissions, API calls, certificate metadata, and obfuscation indicators are extracted using Androguard, along with engineered metrics including permission-risk ratios and SDK-based signals. The dynamic phase complements this by executing applications within an emulated environment to capture real-time behavioral features which includes CPU usage, logcat anomalies, network activity, and runtime permission triggers. Two independent Random Forest classifiers are trained on static and dynamic feature sets, and a weighted decision fusion mechanism integrates their outputs to enhance detection accuracy. Experimental evaluation on a diverse dataset demonstrates a high classification accuracy of 96.16% and an AUC of 0.98. Feature importance analysis further confirms the significance of obfuscation patterns and runtime anomalies. The results validate the effectiveness of hybrid analysis in detecting both structurally and behaviorally evasive Android malware, which supports its applicability for practical deployment in modern mobile security systems.