BarkDroid: Android Malware Detection Using Bark Frequency Cepstral Coefficients

Since their inaugural releases in 2007, Google’s Android and Apple’s iOS have grown to dominate the mobile OS market share. Currently, they jointly possess over 99% of the global market share with Android being the leading mobile Operating System of choice worldwide, controlling close to 70% of the market share. Mobile devices have enabled the exponential growth of a plethora of mobile applications that play key roles in enabling many use cases that are pivotal in our daily lives. On the other hand, access to a large pool of potential end users is available to both legitimate and nefarious applications, thus making mobile devices a burgeoning target of malicious applications. Current malware detection solutions rely on tedious, time-consuming, knowledge-based, and manual processes to identify malware. This paper introduces BarkDroid, a novel Android malware detection technique that uses the low-level Bark Frequency Cepstral Coefficients audio features to detect malware. The initial results obtained show that Bark Frequency Cepstral Coefficients have high discriminative capabilities to achieve accurate predictions. BarkDroid achieved 97.9% accuracy, 98.5% precision, an F1 score of 98.6%, and shorter execution times.


Introduction
Mobile devices have become an indispensable part of our daily lives. They have caused a paradigm shift in the way people used to live, learn, communicate, collaborate, and conduct business. Despite the fact that they only started in 1973, their proliferation has been so rapid that it was estimated that the number of people using mobile devices had reached 6.3 billion by 2021. This number is projected to rise to 7.7 billion in 2027 [1].
Since their advent in the early 70's, mobile devices have taken enormous leaps and bounds to introduce feature sets and functionalities that put them on par with, if not exceeding, handheld computers. Advances in electronics, cutting-edge technologies, and the maturity of operating system ecosystems have led to mobile devices incorporating many advanced functionalities that were previously thought to be only possible with computers. Additionally, the rapid evolution of mobile devices from the initially bulky and expensive device which could only make calls, to the present-day smartphone that has been miniaturised and is jam-packed with advanced features, has been partly due to the ever-growing use cases and user expectations [2]. At the core of the mobile device sits the operating system (OS), which acts as an intermediary between the mobile device hardware and users. Its main responsibilities include managing device hardware and software, and providing utilities and interfaces that enable users to interact with mobile devices. As far as mobile operating systems are concerned, Google's Android and Apple's iOS are the most successful operating systems [1].
Since their inaugural releases in 2007, Google's Android and Apple's iOS have grown to dominate the mobile OS market share. Currently, they jointly possess over 99% of the global market share with Android being the leading mobile Operating System of choice worldwide, controlling close to 70% of the market share [2]. Mobile devices have enabled the exponential growth of a plethora of mobile applications that play key roles in enabling many use cases which are pivotal in our daily lives. This means mobile applications have become a forte of the mobile phone ecosystem. On the other hand, mobile applications have also become the Achilles heel because the ability to access a large pool of potential end users is not only available to legitimate applications, but also to malicious ones. The term malware refers to any software that deliberately infects and causes harm to computing systems.
If we track historical malware patterns, it can be noted that attackers have always preferred targeting popular platforms to maximise their chances. This means that in their unprecedented attack campaigns and sophistication, hackers also play the numbers game. They cast their net as wide as possible, hoping to compromise as many as possible. Consequently, it is unsurprising that although all mobile operating systems have been attacked by malware, Android has been the lucrative primary target for malware attacks. Android is reported to host roughly 99% of known mobile malware and is the focus of most research efforts in mobile malware detection [1], [2]. It used to be the Microsoft Windows operating system on personal computers; now, it is Android. Unfortunately, the permission system meant to be the first line of defence in the Android system has been ineffective. The assumption was that users will scrutinise the permissions that an app will request at installation and only allow them when necessary. However, this was never the case, owing to the users' naivety, lack of knowledge, and unsuspecting nature [3].
Android malware can steal, corrupt, or delete user data, causing stress and financial loss. According to Symantec 2019 [4], even though around 24000 malicious mobile apps are blocked daily, a sizeable number still managed to find ways to bypass detection. Malware developers have been generating new malware using techniques such as module reuse and automated generation tools. For several decades, antivirus solutions have been the de facto malware mitigation strategy. Traditionally, such solutions have primarily been reactive. They rely on known fixed string patterns or signatures to detect malware [5]. With signature-based malware detection solutions, applications are scanned while searching a database for predefined matching patterns. The sheer number of applications that have successfully bypassed such systems is testimony that this countermeasure is ineffective. This is not only because it does not give zero-day insurance, but also because it does not scale very well in the face of the astronomical rate of malware generation per day.
Malicious applications pose an enormous security threat to mobile devices. Current malware detection solutions generally rely on time-consuming, knowledge-based, and manual processes to identify malware. This has serious shortcomings, especially against new and unknown malware. Signature-based malware solutions are not able to detect modern malware that uses packing and smart coding techniques such as polymorphism, metamorphism, and other evasive techniques that quickly change the malware behaviours and generate a large number of new variants which are predominantly variants of existing malware.
As we rely more and more on mobile devices that have become hosts for our sensitive data and applications, there is a need to develop new intelligent malware detection systems that, besides detecting known attacks, also have the ability to provide zero-day insurance. Such systems should be able to cope with the scale and complexity of malware applications being generated every day.

Literature review
Several previous works have investigated different Android malware detection techniques [5]. Static and dynamic analysis techniques have been used in literature to ascertain whether an Android app is malicious or not [6].

Static analysis
Several static features have been proposed in literature. These include:
• Requested permissions - is the first line of defence provided by the Android operating system to restrict access to data and actions that the app can perform [6]-[10]. Permissions are a major source of malware infection [11], [12], [13], [14]. Studies that use permissions for malware detection generate attribute feature vectors from the AndroidManifest.xml file where a one is assigned if the permission is present; otherwise, a zero is assigned [15], [16], [17]-[19]. Other studies use text classification techniques such as Term Frequency-Inverse Document Frequency [6]. Researchers have noted that malicious applications tend to request many dangerous permissions [15], [18].
• Hardware components - access to the hardware is explicitly declared in the manifest file. Some hardware components are red flag signs, for instance, GPS, mic, and Internet should be viewed with scrutiny [20], [21].
• API calls and Intents - unnecessary access to sensitive resources can be a sign of malevolent intentions, for example getDeviceId() - IMEI [12], [14], [21], [22].
• Opcode sequences - Android applications are generally developed in Java and then compiled and converted to the optimised Dalvik bytecode, an executable format for Android applications. Dalvik bytecode of compiled applications can be used to distinguish malware from benign applications. Most works have disassembled the Dex to extract the opcodes and then use the n-grams of opcodes in machine learning analysis [22]-[24].

Dynamic analysis
Dynamic malware analysis techniques that have been used in literature include:
• Resource utilisation - Resource usage is monitored whilst the installed app is being tested. This includes CPU, memory, network usage, API calls, and energy consumption [25], [26].
• System calls - researchers have used agent-based systems to collect system calls and generate unique signatures or text sequences that can be used for malware detection [27], [28].
While there exists some prior work that utilises static features such as acoustic signals and images [4], [29], [30] to analyse and detect malware, there remain a number of issues that should be explored in future research [31]. This work is still very limited quantity-wise and in its infancy stage, but it should be noted that no negative results have been reported up to now to suggest that there is no value in further exploration. As an illustration of current limitations related to this use of static features, the researchers that have looked at using APKs to detect malware have, in most instances, only used the dex file for their analysis. This neglects the other files that offer opportunities for generating more discriminative features that can be used to improve overall detection accuracy. Moreover, they only utilise the typical audio features, Mel-frequency cepstral coefficients (MFCC), which represent the short-term power spectrum of the generated malware audio signal [31].
Evidence from recent studies suggests that machine learning can be used as a viable solution for malware classification [33], [34]. Android malware detection using machine learning is a complex task due to the ever-changing malware evasion techniques and the lack of well-defined features which can be used to distinguish the various Android applications with high fidelity [29]. Despite there being a body of work that has been used to find the best way of classifying Android malware, it remains unknown which feature set is the best. It is generally agreed that malware detection is an undecidable problem which warrants ongoing research efforts.

Research Method
The raw Android Application Package is an archive that contains various components of the Android application and is not suitable to be directly fed to machine learning algorithms for automatic analysis and prediction. Each Android Application Package carries components such as libraries, methods, classes, certificates, assets, resources, and configuration files that make it functional. The variances in the content, nature, and compositions of these components make the unique characteristics of each Android application. Selecting appropriate distinguishable characteristics from the raw Android Application Package is an open area of research. In order to improve accuracy and reduce the number of false positives in Android malware detection, strategies are needed for discarding irrelevant details and only selecting relevant information. Such relevant features should possess stable and effective discriminative characteristics that will enable machine learning algorithms to distinguish between various types of Android applications.
The research reported in this study is inspired by similar work in the audio engineering field [35], [36]. Our work treats an Android application as a signal modeled so that it carries unique characteristics that can be analysed using Automated Signal Recognition techniques. At the low level, an Android application is simply translated into a series of ones and zeros. This has similar characteristics to signals such as audio, which is a sequence of sounds translated to a series of ones and zeros to represent the oscillating longitudinal waves. Such a waveform representation lends itself nicely to automatic analysis and processing in digital systems.
From a high-level point of view, this study employed a simple two-phase machine learning life cycle that uses data engineering as the first phase, followed by model engineering. Data engineering is concerned with building systems and processes for raw data ingestion, storage, wrangling, feature creation, and transforming into formats useful for analysis. On the other hand, model engineering is an iterative process of writing, executing, and tuning machine learning models. A graphical description of the procedure is presented in Figure 1.
• Step 1: Dataset is collected and unzipped into respective folders.
• Step 2: The dataset is cleaned to de-duplicate and remove corrupted APK files.
• Step 3: Data exploration and validation are performed to ascertain the distribution of the different samples contained in the dataset.
• Step 4: Using algorithm 1 given below, traverse through all the folders and subfolders in the dataset to convert APK files into WAV files. The output of this step is a novel malware audio dataset that can be used by the research community to carry out further analysis.
• Step 5: Like the raw APK file that is not suitable for feeding directly as input into automatic recognition systems, WAV files are also unsuitable. There is a need for an intermediary step that will extract relevant information analysable by acoustic models. Because the generated audio signals exhibited characteristics that are similar to those seen in noisy signals, such as the Watkins Marine Mammal Sound Database, there is a need to consider features that exhibit superior noise robustness. This study uses the bark-frequency cepstrum coefficients algorithm highlighted in Figure 2 to extract features. This algorithm segments the waveform and uses a combination of low and high pass filters to obtain the bark frequency cepstrum.

Figure 1. Proposed methodology architecture diagram
Bark Frequency Cepstrum is the short-time power spectrum representation of a signal based on the linear cosine transform of a log spectrum on a non-linear Bark scale of frequency [35], [36]. Figure 2 shows the block diagram for the bark-frequency cepstrum coefficients algorithm. The bark frequency is calculated as shown in equations (1) and (2) [35]. ( ( Where f is the waveform's linear frequency in hertz and fbark is the resultant frequency in bark. Pre-emphasis is applied to the audio signal as a filter to compensate for the average spectral shape. Windowing is used to split the input signal into short enough temporal segments, which do not allow enough time for the properties of the signal to change in each segment [35]. To determine the perceived loudness of frequencies at given sound pressure levels, the outputs of the bark scale filter banks are weighted according to the Fletcher Munson or equal loudness curve. The signal is compressed using the logarithmic function and passed through the discrete cosine transform, a time-frequency transform operation for decorrelating sequentially correlated data [36].
• Step 6: The resultant dataset of extracted features is split into training, validation, and testing sets.
• Step 7: Models are created, trained, and validated to learn the intrinsic patterns that can be used to distinguish between malicious and benign Android application package files. The train and validation phases are iteratively repeated until optimal performance levels have been obtained. This phase includes hyperparameter optimisation.
• Step 8: The generalisability of the trained classifier is tested when it is used to make predictions on data it has never seen before. This data comes from the testing set.
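An added illustration of Steps 4 and 5 (not the authors' Algorithm 1 or their code): file bytes are wrapped as 8-bit mono PCM and reduced to bark-frequency cepstral coefficients using only the Python standard library. The byte-to-sample mapping, the 8000 Hz rate, Traunmueller's Hz-to-Bark approximation, the mean pooling and all function names are assumptions, and the equal-loudness weighting is omitted.

```python
import cmath, io, math, wave

def bytes_to_wav(data: bytes, rate: int = 8000) -> bytes:
    """Wrap raw file bytes as mono 8-bit PCM: one byte becomes one sample (assumed mapping)."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(1)
        w.setframerate(rate)
        w.writeframes(data)
    return buf.getvalue()

def hz_to_bark(f: float) -> float:
    # Traunmueller's approximation, assumed here; not taken from the paper.
    return 26.81 * f / (1960.0 + f) - 0.53

def bark_to_hz(z: float) -> float:
    return 1960.0 * (z + 0.53) / (26.28 - z)

def power_spectrum(frame):
    """Naive DFT power spectrum (standard library only; fine for short frames)."""
    n = len(frame)
    tw = [cmath.exp(-2j * math.pi * i / n) for i in range(n)]
    return [abs(sum(x * tw[(k * i) % n] for i, x in enumerate(frame))) ** 2 / n
            for k in range(n // 2 + 1)]

def bark_filterbank(n_filters, n_fft, rate):
    """Triangular filters with centres equally spaced on the Bark scale."""
    lo, hi = hz_to_bark(0.0), hz_to_bark(rate / 2)
    step = (hi - lo) / (n_filters + 1)
    zs = [hz_to_bark(k * rate / n_fft) for k in range(n_fft // 2 + 1)]
    return [[max(0.0, 1.0 - abs(z - (lo + step * (m + 1))) / step) for z in zs]
            for m in range(n_filters)]

def bfcc(wav_bytes, frame_len=256, hop=128, n_filters=12, n_ceps=8, pre=0.97):
    """Per-frame cepstral coefficients; returns [] if the signal is shorter than one frame."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        rate = w.getframerate()
        raw = w.readframes(w.getnframes())
    if len(raw) < frame_len:
        return []
    x = [(b - 128) / 128.0 for b in raw]  # 8-bit WAV samples are unsigned
    x = [x[0]] + [x[i] - pre * x[i - 1] for i in range(1, len(x))]  # pre-emphasis
    win = [0.54 - 0.46 * math.cos(2 * math.pi * i / (frame_len - 1))
           for i in range(frame_len)]  # Hamming window
    bank = bark_filterbank(n_filters, frame_len, rate)
    feats = []
    for s in range(0, len(x) - frame_len + 1, hop):
        p = power_spectrum([x[s + i] * win[i] for i in range(frame_len)])
        e = [math.log(sum(wt * pk for wt, pk in zip(row, p)) + 1e-10) for row in bank]
        feats.append([sum(e[m] * math.cos(math.pi * c * (m + 0.5) / n_filters)
                          for m in range(n_filters)) for c in range(n_ceps)])  # DCT-II
    return feats

def app_vector(data: bytes):
    """One fixed-length vector per file: mean of each coefficient over frames (assumed pooling)."""
    frames = bfcc(bytes_to_wav(data))
    return [sum(col) / len(frames) for col in zip(*frames)] if frames else []

# Constructed sample inputs standing in for APK contents (not real applications).
SAMPLE_A = b"PK\x03\x04" + bytes((i * 37 + 11) % 256 for i in range(2044))
SAMPLE_B = b"PK\x03\x04" + bytes((i * i) % 251 for i in range(2044))

if __name__ == "__main__":
    for name, blob in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(name, [round(v, 3) for v in app_vector(blob)])
```

The vectors returned by `app_vector` are what Step 6 would split into training, validation, and testing sets; a truncated or empty file yields an empty vector and should be discarded during cleaning.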

Result and Discussion
In this section, we present the experimental results of the proposed method. It should be noted that the discussion will be preliminary and focused on assessing how promising our method is. A more detailed interpretation of every single result will be the focus of future papers. After downloading the CICMaldroid2020 and CICMalAnal2017 datasets, 97.3% and 97.6% of the samples were successfully converted to the .wav audio format, respectively. The remaining samples were discarded because they were either corrupted or duplicates. On average, converting CICMaldroid2020 APKs to audio took 21 minutes, whereas CICMalAnal2017 took 5 minutes and 34 seconds. Bark-frequency cepstrum coefficient features were generated from the audio files for analysis. The sample data in Figure 3 shows the generated audio files and their corresponding extracted bark frequency features.
We implemented the proposed strategy on a 1.80GHz Intel(R) Core (TM) i7-8565U CPU laptop with 24 GB RAM. The code to implement the machine learning pipeline discussed above was developed using TensorFlow and Python. In the experiment, 23 machine learning classifiers were implemented for performance evaluation. These include extra trees, Gaussian Process, Multi-Layer Perceptron, Bayesian Network, Passive Aggressive, Support Vector Machine, AdaBoost, Random Forest, KNeighbors, and Decision Tree. To comprehensively measure how accurately bark-frequency cepstral coefficients can be used to classify Android applications, classification accuracy, precision, recall, and area under the curve are calculated. Moreover, the train and test times are also calculated to estimate the complexity of the algorithms. The following table shows the results of the malware detection and classification experiments on the CICMalAnal2017 dataset using an 80-20% split.

CICMaldroid2020
The following table shows the results of the malware detection and classification experiments on the CICMaldroid2020 dataset using an 80-20% split. Tables 3 and 4 above show the performance statistics of the various models that were evaluated in this study. The tables are sorted by the testing accuracy column. A summary of the relevant top performing algorithms is given below:
• Accuracy: Random Forest, extra trees and catboost algorithms achieved the top 3 test accuracy scores in both datasets. The highest scores achieved are 97.9%, 97.8%, and 97.4%, respectively.
• Precision: Extra Trees achieved the highest score of 98.5%, followed by random forest which had 98.4%.
• Recall: Random forest accomplished the highest recall rate of 98.9 whereas extra trees was second with 98.7%.
• F1 Score: Random forest was the best with an f1 score of 98.62%, followed by extra trees which had 98.6%.
• ROC Score: Extra trees achieved the best score of 96.8%, followed by random forest, which had 96.7%.
• Generally, it was observed that ensemble algorithms performed well in the malware classification task while the GaussianNB was the worst performing in all experiments. Furthermore, most of the algorithms that were fast in terms of processing speed did not have good enough results to warrant consideration.
The figure below shows highlights of the top 3 performing algorithms over the two experimental datasets.
Table 5 below ranks the models column-wise by identifying the best model according to each performance metric. Based on the highest test accuracy results, the top five models are Random Forest, Extra Trees, CatBoost, KNeighbors, and XGBClassifier. In the precision-recall graphs shown in Figure 5, these algorithms have high precision and recall rates, meaning they returned many correctly labelled results. While the differences between the performance metrics of random forest and extra trees are minimal, if one considers the resource limitations of mobile devices, the extra trees algorithm is probably the better choice because of shorter train and test times. Furthermore, it also has a better precision score, meaning it has the highest ratio of malicious applications that are correctly classified. By looking at the two datasets that were used for experimentation, it can also be observed that the highest accuracy achieved improved by around 4.62% by utilising a slightly bigger dataset. It should be noted that the dataset used is substantially smaller than the bigger datasets used in the research field. The achieved results evidently show that bark-frequency cepstral coefficients are promising static features for malware detection.

Conclusion
This paper proposes an Android malware detection system that uses acoustic signals and Bark Frequency Cepstral Coefficients as malware features. To the best of our knowledge, this is the first study to introduce such features for malware detection. Twenty three machine learning algorithms were used to evaluate the efficiency of the proposed system. As this research has shown, bark frequency cepstral coefficients proved highly discriminative in Android malware detection, reaching an average precision of 99%.

Figure 4. Performance results of the top 3 algorithms

Figure 5. Precision-Recall Graphs of the top algorithms

Table 1.
[34] datasets provided by the Canadian Institute for Cybersecurity. The CICMalDroid 2020 dataset consists of 17341 Android application packages collected from several sources such as Contagio blog, AMD, Maldozer, and other recent and sophisticated datasets collected until 2018. The dataset covers five broad categories of Android malware. Details of the datasets are given in tables 1 and 2. CICMalAnal2017 dataset.
Classifier used Test Accuracy Precision F1 Score AUC Train Time [s] Test Time [s]