MADAM: Effective and Efficient Behavior-based Android Malware Detection and Prevention

MADAM: Effective and Efficient Behavior-based Android Malware Detection and Prevention


Android users are constantly threatened by an increasing number of malicious applications (apps), generically called malware. Malware constitutes a serious threat to user privacy, money, device and file integrity. In this paper we note that, by studying their actions, we can classify malware into a small number of behavioral classes, each of which performs a limited set of misbehaviors that characterize them. These misbehaviors can be defined by monitoring features belonging to different Android levels. In this paper we present MADAM, a novel host-based malware detection system for Android devices which simultaneously analyzes and correlates features at four levels: kernel, application, user and package, to detect and stop malicious behaviors. MADAM has been designed to take into account those behaviors characteristics of almost every real malware which can be found in the wild. MADAM detects and effectively blocks more than 96% of malicious apps, which come from three large datasets with about 2,800 apps, by exploiting the cooperation of two parallel classifiers and a behavioral signature-based detector. Extensive experiments, which also includes the analysis of a testbed of 9,804 genuine apps, have been conducted to show the low false alarm rate, the negligible performance overhead and limited battery consumption.



  • Along with the vast increase of Android malware, several security solutions have been proposed by the research community, spanning from static or dynamic analysis of apps, to applying security policies enforcing data security, to run-time enforcement. However, these solutions still present significant drawbacks.
  • TaintDroid is a security framework for Android devices which tracks information flow to avoid malicious stealing of sensitive information.
  • Alterdroid is a tool that compares the differences in behavior between an original app and automatically generated version that contain modifications (faults) to detect hidden malware, such as in pictures.


  • They are attack-specific, i.e. they usually focus on and tackle a single kind of security attack, e.g. privacy leaking, or privilege escalation (jail-breaking).
  • Moreover, these frameworks generally require a custom OS.
  • Apart from these ad hoc security solutions, in an attempt to limit the set of (dangerous) operations that an app can perform.


  • In this paper we present a novel multi-level and behavior based, malware detector for Android devices called MADAM (Multi-Level Anomaly Detector for Android Malware). In particular, to detect app misbehaviors, MADAM monitors the device actions, its interaction with the user and the running apps, by retrieving five groups of features at four different levels of abstraction, namely the kernel level, application-level, user-level and package-level.
  • For some groups of features MADAM applies an anomaly based approach, for other groups it implements a signature based approach that considers behavioral patterns that we have derived from known malware misbehaviors.
  • In fact, MADAM has been designed to detect malicious behavioral patterns extracted from several categories of malware. This multi-level behavioral analysis allows MADAM to detect misbehaviors typical of almost all malware which can be found in the wild.
  • MADAM also has shown efficient detection capabilities as it introduces an 1.4% performance overhead and a 4% battery depletion.
  • Finally, MADAM is usable because it both requires little-to-none user interaction and does not impact the user experience due to its efficiency.


  • The proposed system monitors five groups of Android features, among which system calls (type and amount) globally issued on the device, the security relevant API calls, and the user activity, to detect unusual user and device behavioral patterns; to this end, it exploits two cooperating proximity-based classifiers to detect and alert anomalies.
  • The proposed system intercepts and blocks dangerous actions by detecting specific behavioral patterns which take into account a set of known security hazard for the user and the device.
  • When every time a new app is installed, MADAM assesses its security risk by analyzing the requested permissions and reputation metadata, such as user scores and download number, and it inserts the app in a suspicious list if evaluated as risky.


MADAM Effective and Efficient Behavior-based Android


  • App Risk Assessment
  • Global Monitor
  • Per-App Monitor
  • User Interface & Prevention


App Risk Assessment

When a new app is installed on the device (deploy-time), the App Evaluator component intercepts and hijacks the installation event. This component analyzes the metadata of the new app to assess its risk, by retrieving features from the app package, related to critical operations, and from the market, related to app reputation. In detail, these features are: (i) the permissions declared in the manifest, (ii) the market of provenance, (iii) the total number of downloads, (iv) the developer reputation and (v) the user rating. The five parameters are analyzed through a hierarchical algorithm which returns a decision on the riskiness of the app classifying it as safe or risky5. Based on this decision, the user can choose whether to continue the installation (or not) of the new app. If the user chooses to install a risky app, its package name is recorded in the MADAM App Suspicious List and is continuously monitored looking for the known behavioral patterns. Note that MADAM extracts all these pieces of information in a process which is totally transparent to the user. The user can, however, decide whether she prefers to receive a notification of the decision of the App Evaluator, or to keep the process invisible. In the following, we assume that the user chooses the transparent approach (i.e., new apps are always installed, but inserted into the App Suspicious List if risky), as to allow MADAM to enforce security policies on the device. It is worth noting that the App Evaluator is not a detector of malicious apps. Instead, the App Evaluator aims at finding apps which are risky, which should be monitored at run-time by MADAM, improving the overall performance.

Global Monitor

The Global Monitor is at the core of the MADAM framework, since it is responsible of collecting the run-time device behaviors and classifying them as “genuine” or “malicious”. In MADAM, a behavior is represented through a vector of features. For each of them, MADAM records how many times a specific feature has been used in a period of time Tk. The features are extracted from different kinds of dynamic events: User Activity, Critical API (in particular, SMS, i.e. text messages) and System Call (Sys Calls). The Actions Logger is the component that records all these features into a vector, which is then fed to the Classifier. This component is trained to recognize genuine behaviors related to normal device usage, and malicious behavioral patterns deviating from the genuine ones, derived from the seven classes of malware. The classifier correlates features from the three monitored levels, and detects misbehaviors which could pass unnoticed if monitored separately on the single levels. As we will detail in Sect. 5, the Global Monitor is effective in detecting malicious behaviors, especially for SMS Trojan, Rootkit, Installers and Ransomware. For other behavioral classes of malware, MADAM exploits a set of known malicious behavioral pattern.

Per-App Monitor

The Per-App Monitor component is complementary to the Global Monitor since it is aimed at detecting additional, signature-based, known misbehaviors. The Per-App monitor is based on a set of known malicious behavioral patterns which considers the Suspicious App List created by the App Risk Assessment module, the alerts raised by the classifiers and a set of features at application-level not considered by the classifier. The Per-App monitors exploits behavioral patterns which represent suspicious behaviors that have been inferred by analyzing the behavioral classes of malware at API level and kernel level. To consider these behavioral patterns, Per-App Monitor constantly monitors three features, namely: (i) the list of apps with administrator privileges (Admin Apps in Fig. 1), which are those apps that can access a specific set of dangerous security relevant API and that cannot be removed unless the privileges are revoked, (ii) the SMS default app, which is the app that by default handles the operations related to text messages and that can be changed by the user, (iii) the app in foreground, which is the app currently interacting with the user.

User Interface & Prevention

The User Interface & Prevention includes the Prevention module that acts as a security enforcement mechanism by blocking the detected misbehaviors related to behavioral patterns. In such a case, the User Interface (UI) module handles the process for removing the responsible app. The UI conveys to the user all the events which require an active interaction, such as for removing malicious apps, and is also used by the user to select which behaviors should be blocked or allowed. Finally, the UI is exploited by the App Evaluator to communicate to the user the risk score of a new app at deploy-time. In this case, the user can then decide whether to continue the installation (or not) of the app.



  • System : Pentium Dual Core.
  • Hard Disk : 120 GB.
  • Monitor : 15’’ LED
  • Input Devices : Keyboard, Mouse
  • Ram :1 GB


  • Operating system : Windows 7.
  • Coding Language : Android,JAVA
  • Toolkit : Android 2.3 ABOVE
  • IDE :         Eclipse


Andrea Saracino, Daniele Sgandurra, Gianluca Dini and Fabio Martinelli, “MADAM: Effective and Efficient Behavior-based Android Malware Detection and Prevention”, IEEE Transactions on Dependable and Secure Computing, 2017.

About the Author

Leave a Reply