Android malware is becoming very effective in evading detection techniques, and traditional malware detection techniques are demonstrating their weaknesses.Signature based detection shows at least two drawbacks: first, the detection is possible only after the malware has been identified, and the time necessary to produce and distribute the signature provides attackers a window of opportunities for spreading the malware in the wild. For solving this problem, different approaches that try to characterize the malicious behavior through the invoked system and API calls emerged. The main limit of this kind of solution is that techniques for evading this mechanism have been discovered.
In this paper, we propose an approach for capturing the malicious behavior in terms of device resource consumption (using a thorough set of features), which is much more difficult to camouflage. Moreover, we describe a procedure, and the corresponding practical setting, for extracting those features with the aim of maximizing their discriminative power. Finally, we describe the promising results we obtained experimenting on more than 2000 applications, on which our approach exhibited an accuracy greater than 99%.