While app marketplace operators such as Apple or Google already screen the apps submitted to their stores, malware programmers have learned how to bury their code within an app so it doesn't execute until after the program has been downloaded, Gu said.
The researchers chose Android over Apple's iOS because the Android kernel, which is Linux, is open source, whereas Apple keeps the kernel for iOS under wraps. They built PREC as a module that can be compiled into the kernel.
PREC is not the only Android malware detector based on anomaly detection that researchers have created. Crowdroid uses a crowd-sourcing model of determining routine app behavior, and Paranoid Android offloads some of the detection duties to servers.
Both of those detectors require far more processing power on the portable device, compare to PREC, according to the NCSU researchers. Running PREC typically incurs about 3 percent overhead on the system, compared to the 15 to 30 percent overhead incurred by Crowdroid and Android.
IBM, Google, the U.S. National Science Foundation and the U.S. Army funded the research.