SCANNER: Sequence clustering of android resource accesses

The average Android OS user has on average 95 applications (apps) installed on his mobile device. On installation or at runtime, Android applications request various permissions that the users have to agree to in order to use the core functionalities of the apps. This can represent a security or privacy risk that the users are often unaware of when they simply accept the request. To better understand the behavior of these apps, there exist several static or dynamic analysis tools to extract information such as permission requirement or ratings. However most of them do not examine the sequential resource accesses of the applications which can be critical. This work presents SCANNER, a system to characterize the behavior of Android applications by examining their sequential resource access which complements the existing static and dynamic frameworks. SCANNER uses the Longest Common Subsequence (LCS) to describe ordered sequences and contrasts it with the use of statistical access rates for characterizing application behaviors. Using these features we are able to cluster similarly behaving applications based on their resource access over time. Our results showed that the use of LCS features can help identify similarly behaving applications with resource access patterns that cannot always be represented through the use of access rates alone.