Database of Case Studies Achieved Using CADP

Detection of Android Malware using Model Checking and Machine Learning

Organisation: Laval University, Québec, CANADA

Method: LNT

Tools used: CADP (Construction and Analysis of Distributed Processes)

Domain: Security.

Period: 2020

Size: Android applications of 2 Mbytes

Description: The ever-increasing presence of Android malware is accompanied by a deep concern about security issues in the mobile ecosystem. The proliferation of Android malware increases with its sophistication and complexity. Elaborated malware, such as polymorphic or metamorphic malware, uses code obfuscation techniques to build new variants that preserve the semantics of the original code but modify its syntax and thus escape the usual detection methods.

This work proposes a malware detection approach based on model checking combined with static analysis and machine learning. From a given Android application, an abstract model in LNT is extracted. This model is then checked against security related Android properties (virtualization by elusive applications, blocking of incoming SMSs, ransomware and spyware, usage of native code, presence of obfuscated code, checking IP addresses, DNS lookups) specified as MCL formulas. The satisfaction of a specific formula is considered as a feature. Finally, machine learning algorithms are used to classify the application as malicious or not. It is shown that the use of temporal properties as features for the classifier enables to detect 95% of malicious Android applications.

Conclusions: The use of formal models and model checking techniques is an important phase in the malware detection process proposed. The LNT encoding can be further extended to capture additional synchronization mechanisms (e.g., barriers) so as to improve the precision of the classifier. Also, the set of MCL formulas can be extended to characterize other suspicious behaviours, thus improving the prediction performance.

Publications: [ElHatib-Ricaud-Desharnais-Tawbi-20] Souad El Hatib, Loïc Ricaud, Josée Desharnais, and Nadia Tawbi. "Toward Semantic-Based Android Malware Detection Using Model Checking". Proceedings of the 15th International Conference on Risks and Security of Internet and Systems (CRISIS'2020), Lecture Notes in Computer Science vol. 12528, pp. 289-307. Springer Verlag, November 2020.
Available on-line at:

[ElHatib-20] Souad El Hatib. "Une approche sémantique de détection de maliciel Android basée sur la vérification de modèles et l'apprentissage automatique". MSc thesis, Laval University, Québec, Canada, 2020.
Available on-line at:
or from the CADP Web site in PDF or PostScript

Nadia Tawbi
Département d'informatique et de génie logiciel
Faculté des sciences et de génie
1065, avenue de la Médecine
Université Laval
Québec, (Qc), G1V 0A6

Last modified: Wed Oct 27 12:16:19 2021.

Back to the CADP case studies page