(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 7, No. 2, 2016
www.ijacsa.thesai.org

Android Malware Detection & Protection: A Survey

Saba Arshad, Munam Ali Shah, Abid Khan, Mansoor Ahmed
Department of Computer Science, COMSATS Institute of Information Technology, Islamabad, Pakistan

Abstract—Android has become the most popular smartphone operating system. This rapidly increasing adoption of Android has resulted in a significant increase in the number of malware samples compared with previous years. Many anti-malware programs are designed to protect users' sensitive data on mobile systems from such attacks. In this paper, our contribution is twofold. First, we analyze Android malware and the penetration techniques it uses to attack systems, together with the antivirus programs that act against malware to protect Android systems. We categorize many of the most recent anti-malware techniques on the basis of their detection methods, aiming to provide a concise view of malware detection and protection mechanisms and to deduce their benefits and limitations. Second, we forecast Android market trends up to 2018 and propose a hybrid security solution that takes into account both static and dynamic analysis of an Android application.
Keywords—Android; Permissions; Signature

I. INTRODUCTION

Since 2008, the rate of smartphone adoption has increased tremendously. Smartphones provide different connectivity options such as Wi-Fi, GSM, GPS, CDMA and Bluetooth, which make them ubiquitous devices. Google reports that 1.3 million Android devices are activated each day [1]. The Android operating system left its competitors far behind by capturing more than 78% of total market share in 2013 [2]. The Gartner 2013 report on smartphone sales shows a 42.3% increase in smartphone sales compared with 2012. According to International Data Corporation (IDC), Android dominates with 82.8% of total market share in 2Q 2015 [3]. Figure 1 shows the market share of the Android operating system on a yearly basis. It can be observed that Android has become the most widely used operating system over the years. The Android platform offers sophisticated functionality at very low cost and has become the most popular operating system for handheld devices.

Along with its popularity, Android has become the main target for attackers and malware developers. The official Android market hosts millions of applications that are downloaded by users in large numbers every day [4]. Android offers an open market model in which applications are not verified by any security expert, which makes it easy for developers to embed malicious content in their applications. Users' sensitive data can then be compromised and transferred to other servers. Furthermore, third-party application stores contribute to the spread of Android malware, and even Google Play hosts the applications of third-party developers. The official Android market uses Bouncer to protect the marketplace against malware [5]. However, Bouncer does not analyze the vulnerabilities of uploaded apps. Malware developers take advantage of this by repackaging popular Google Play apps and distributing them on other third-party app stores. This degrades the reputation of both the app store and the developer.

Malware includes computer viruses, Trojan horses, adware, backdoors, spyware and other malicious programs designed to disrupt or damage the operating system and to steal personal, financial or business information. Malware developers use code obfuscation, dynamic execution, stealth techniques, encryption and repackaging to bypass the existing anti-malware techniques provided by the Android platform.

Fig. 1. Android Market Shares

In order to prevent such malware, it is important to have an accurate and deep understanding of it so that security measures to protect users' data can be taken accordingly.
There are many attack scenarios in which an attacker can compromise a user's data by taking advantage of vulnerabilities in the Android operating system. For example, a Trojan app downloads some HD wallpapers with the user's permission, but the permissions it requests may also allow it to access the user's contacts or other personal information and to leak confidential data from the device to another server in secret. In such a case, the wallpaper app legitimately holds the INTERNET permission for downloading. The user might not pay much attention to the other requested permissions and might grant READ_CONTACTS accidentally. As a result, the app may modify device settings, corrupt the user's data and transfer private data to unknown remote servers. This results in the loss of the user's business data and other personal information, which attackers can use for kidnapping, blackmail or to cause business losses. In another attack scenario, attackers distribute malicious apps as repackaged versions of popular apps that offer location-based services; in that case the malicious app drains the victim device's battery through excessive use of GPS and radio. Some malicious programs obtain the device's IMEI number and send it to a remote server. IMEI numbers have significant worth on black markets, where the IMEI of a stolen device can be replaced with the victim's IMEI [6]. Hundreds of malware techniques have been identified that attack the Android platform in several ways, such as sending messages without the victim's knowledge and deleting them afterwards, sending the user's private information to another server, and many more. There is therefore a great need to protect users' data from this malware.

This ever-increasing malware threat has forced the Android anti-malware industry to develop solutions for mitigating the malicious-app threat on Android smartphones and other Android devices. Two main approaches are used for this purpose: the static approach and the dynamic approach. Antivirus programs use either of these approaches to protect mobile systems from malware attacks. They detect malicious apps, notify the user about them and take measures to remove the malware. With the increasing threat level, antivirus detection rates have also increased. Given the threats and malware on one side and the protection mechanisms offered by Android anti-malware programs on the other, the overall risk situation of Android users is difficult to assess [7].
In this paper, we have analyzed different malware, its behaviors and the techniques used by different malware types to attack Android devices. Furthermore, the paper provides a detailed review of different anti-malware techniques, their advantages and limitations. On the basis of this review, a hybrid solution for Android security is proposed.

The rest of the paper is organized as follows. Section II classifies existing malware on the basis of its behavior. Section III describes the malware penetration techniques employed by attackers. In Section IV, a detailed analysis of malware detection and removal methods for the protection of Android devices is performed. Section V consists of a performance evaluation of anti-malware mechanisms. Future trends for Android market share and malware growth, and the limitations of existing anti-malware approaches, are provided in Section VI. A solution aimed at providing a better security mechanism is also proposed in that section. The paper is concluded in Section VII.

Fig. 2. Android Malware Growth

II. ANDROID MALWARE ANALYSIS

A wide range of malware has been detected, and the number of samples increases every year. According to Trend Micro, malware increased to 7.10 million in the first half (1H) of 2015 [8][9]. Figure 2 shows the increase in Android malware over the years. The behavior of different malware families is described in the following subsections.
A. Trojans

Trojans appear to the user as benign apps [5] but in fact steal the user's confidential information without the user's knowledge. Such apps can easily access the browsing history, messages, contacts and device IMEI number of the victim's device and exfiltrate this information without the user's consent. FakeNetflix [10] is an example: it provides a user interface identical to the original Netflix app and collects the user's login credentials. SMS Trojans exploit premium services to inflict financial loss on the victim. FakePlayer is a well-known SMS Trojan that sends messages to premium-rate numbers without the user's awareness [11]. Zsone [12] and Android.Foney are further examples of SMS Trojan apps. Malware also captures the user's banking information, such as account number and password. The Zitmo and Spitmo Trojans are designed to steal the user's mTANs (mobile Transaction Authentication Numbers), with which transactions are then completed silently [13].

B. Backdoors

Backdoors employ root exploits to grant root privileges to the malware and to help it hide from antivirus software. Exploid, Rage Against The Cage (RATC) and Zimperlich are the top three root exploits used to gain full control of a device [14]. DroidKungFu [15] carries the root exploits Exploid and Rage Against The Cage in encrypted form. When DroidKungFu executes, it first decrypts and launches the root exploits. If a root exploit succeeds in gaining root privilege and control over the device, the malware becomes able to perform any operation on the device, even the installation of applications, without the user's awareness [16].
C. Worms

Worms create copies of themselves and distribute them over the network. For example, Bluetooth worms spread by sending copies of themselves to paired devices over Bluetooth. Android.Obad.OS is an example of a Bluetooth worm [17].

D. Spyware

Nickspy [11] and GPSSpy [18] are examples of spyware apps that appear benign but actually monitor the user's confidential information, such as messages, contacts, banking mTANs and location, for undesirable ends. Personal spyware can install its malicious payload without the victim's knowledge. It sends the user's information, such as text messages and contacts, to the attacker who installed the software on the victim's device [6].
E. Botnets

A botnet is a network of compromised Android devices. A botmaster, a remote server, controls the botnet through a command-and-control (C&C) network. Geinimi [11] is one of the Android botnets.

F. Ransomware

Ransomware prevents users from accessing the data on their device by locking the device until a ransom is paid. FakeDefender.B [19] masquerades as the avast! antivirus; it locks the victim's device and forces the user to pay a ransom to unlock it.

G. Riskware

Riskware is legitimate software exploited by malicious authors to reduce device performance or to harm data, e.g. by deleting, copying or modifying it [20].

Table 1 below shows the top malware types detected in 2015 by Trend Micro [21].

TABLE I. TOP ANDROID MALWARE TYPES IN 2015

The statistical data obtained from [21] has been computed and plotted in Figure 3, which presents the top Android malware families recorded by Trend Micro in the second quarter (2Q) of 2015. According to the report, 24% of the total malware consisted of Guided variants, which have no GUI and run silently in the background without the user's knowledge.
III. MALWARE PENETRATION TECHNIQUES

A. Repackaging

Malware authors repackage popular applications from the official Android market, Google Play, and distribute them on other, less monitored third-party app stores. Repackaging consists of disassembling popular benign apps, both free and paid, appending malicious content and reassembling the app. The process is carried out with reverse-engineering tools. During repackaging, the malicious author signs the repackaged app with a different key, so its signature no longer matches the original and the app appears new to anti-malware. A Trend Micro report has shown that 77% of the top 50 free apps available on Google Play have been repackaged [22].

B. Drive-by Download

A drive-by download is the unintentional download of malware in the background. Drive-by download attacks occur when a user visits a website that contains malicious content, which injects malware into the victim's device without the user's knowledge. Android/NotCompatible [23] is one drive-by download app used by malware developers.

C. Dynamic Payloads

Malware also penetrates Android devices through the dynamic payload technique. The malicious content is encrypted and embedded within the APK resources. After installation, the app decrypts the encrypted malicious payload and executes the malicious code. Some malware, instead of embedding the payload as a resource, downloads the malicious content dynamically from remote servers, and is therefore not detected by static analysis [24].

D. Stealth Malware Techniques

On an Android device, malware scanners cannot perform deep analysis because of limited resources such as battery. Malware developers exploit these hardware limitations and obfuscate their malicious code to bypass anti-malware easily. Different stealth techniques such as key permutation, dynamic loading, native code execution, code encryption and Java reflection are used to attack the victim's device.
Fig. 3. Malware families seen in 2015

IV. ANDROID MALWARE DETECTION

There are mainly two approaches to analyzing Android malware: the static and the dynamic approach. We have further categorized the anti-malware that uses static and dynamic approaches. Figure 4 shows the taxonomy of existing anti-malware techniques based on our study.

Fig. 4. Taxonomy of Existing Android Antimalwares

A. Static Approach

The static approach checks the functionality and maliciousness of an application by disassembling and analyzing its code without executing the application. It is useful for finding malicious behavior that does not operate until a particular condition occurs.

1) Signature Based Approach

Signature-based malware detection methods are commonly used by commercial anti-malware products. The method extracts semantic patterns and creates a unique signature [25]. A program is classified as malware if its signature matches the signatures of existing malware families. The major drawback of signature-based detection is that it can be circumvented easily by code obfuscation, because it can only identify existing malware and fails against unseen variants. It needs immediate updates as new malware variants are detected.

Faruki et al. [26] proposed AndroSimilar, a robust statistical signature method to detect unknown variants of existing malware, which are usually generated by repackaging and code obfuscation. It generates a variable-length signature for the application under test, compares it with the signatures in the AndroSimilar malware database and labels the app as malware or benign on the basis of a similarity percentage. The authors tested AndroSimilar against 1,260 malware samples together with 6,779 Google Play apps and 545 apps from a third-party app store. They also applied code obfuscation techniques such as method renaming, string encryption, control-flow obfuscation and junk method insertion to change the signature of the code, and tested the effectiveness of AndroSimilar against 426 such samples. The solution detected more than 60% of the samples correctly. AndroSimilar compares application signatures to distinguish malware from benign apps, but its signature database is limited compared with other antivirus solutions, so unseen malware remains undetected. The similarity percentage also produces false positives, since clean apps may be classified as malicious on the basis of the percentage alone.

DroidAnalytics [27] is a signature-based analytic system that extracts and analyzes apps at the opcode level. It not only generates a signature but also associates the malware with existing malware after identifying the malicious content. It generates three levels of signatures: first a method-level signature by API call tracing, then a class-level signature by combining the signatures of the methods in a class, and finally an application-level signature by combining the signatures of the classes in the application. The authors used DroidAnalytics to detect 2,494 malware samples from 102 malware families and 342 repackaged malware samples from six further families. A limitation of the method is that it classifies apps as malware on the basis of classes mostly used by malware families, yet during the experiments the authors found some signatures that are used by both legitimate apps and malware. The similarity score used for detecting repackaged malware is also not a complete solution: it may produce false positives and classify a legitimate app as malware.

Limitation of Signature Based Detection: Although signature-based detection is very efficient for known malware, it cannot detect unknown malware types. Also, because of the limited signature database, much malware remains undetected.
2) Permission Based Analysis

In Android, the permissions requested by an app play a vital role in governing its access rights. By default, apps have no permission to access user data or to affect system security. During installation, the user must allow the app to access all the resources it requests. Developers must declare the permissions requested for those resources in the AndroidManifest.xml file. However, not all declared permissions are necessarily required by that specific application. Ref. [28] has shown that most of the time developers declare permissions that the application does not actually require, which makes it difficult to detect the malicious behavior of an application. Anti-malware analyzes the AndroidManifest.xml file, where all the permissions for the resources required by the app are listed.

Stowaway [28] exposes the permission over-privilege problem in Android, where an app requests more permissions than it actually uses. Stowaway performs static analysis to determine the API calls invoked by the application and then maps them to the permissions those API calls require. The authors found that one third of 940 Android application samples were over-privileged. Stowaway cannot resolve API calls that applications invoke through Java reflection.

In [29], the authors proposed a lightweight malware detection mechanism that only analyzes the manifest file, extracting information such as permissions, intent filters (action, category and priority), process name and number of redefined permissions to detect the malicious behavior of an application. After extracting this information, they compare it with the keyword list provided in the proposed method and calculate a malignancy score. They used Weka [30], a data-mining tool, to calculate the threshold value. Finally, they compare the malignancy score with the threshold and classify the app as malware if the score exceeds it. They used 365 samples to test the efficiency of the proposed solution, which achieved 90% accurate detection. It is a cost-saving mechanism, as it only involves analysis of the manifest file, and it can be implemented easily in other detection architectures to detect malware efficiently. It can also detect malware that remains undetected by signature-based detection. The proposed solution is limited to manifest file information and cannot detect adware samples.
C. Y. Huang et al. [31] proposed a method for improving permission-based malware detection that analyzes both requested and required permissions, since malware authors most of the time declare more permissions in the manifest file than the application actually requires. It also analyzes easy-to-retrieve features and then labels the application as benign or malware. Three different labeling types are used for this purpose: site-based labeling, scanner-based labeling and mixed labeling. In site-based labeling, an app is labeled benign if it is downloaded from Google's official app market and malicious if it is downloaded from a malicious source. In the second labeling scheme, if the antivirus scanner declares the app benign it is labeled benign, and likewise for malware. In mixed labeling, the app is labeled on the basis of both site-based and scanner-based labels. After labeling, all samples are divided into three datasets, and the requested permissions of these datasets are analyzed by machine-learning algorithms such as Naive Bayes, AdaBoost, Support Vector Machine and Decision Tree [32]. On the basis of the results generated by these classifiers, the performance of permission-based detection can be evaluated. In [31], the authors performed experiments on a dataset of 124,769 benign and 480 malicious apps. They analyzed the performance of permission-based detection and showed that more than 81% of malicious app samples can be detected by this method. The proposed method provides a quick filter for malware detection, but the performance values generated by the classifiers are not perfect, so the results cannot be relied on completely.

Sanz, Borja et al. [33] presented PUMA for detection of malicious apps by analyzing the permissions requested by an application. They used the permission-related tags present in the AndroidManifest.xml file to analyze the malicious behavior of apps and applied different classifier algorithms to a dataset of 357 benign and 249 malicious apps. The solution provides a high detection rate, but the results also have a high false-positive rate, and it is not adequate for efficient malware detection on its own: it still requires information from other features and from dynamic analysis.

Shin et al. [34] used a state-machine-based approach to formally analyze the permission-based Android security model. They also verified that the specified system satisfies the security property.

Tang, Wei et al. [35] proposed a Security Distance (SD) model for the mitigation of Android malware. The model is based on the idea that no single permission is enough for an application to threaten the security of an Android device. For example, an application requesting READ_PHONE_STATE can access the phone number and IMEI but cannot move data off the device; a combination of permissions is needed to affect the security of the device, such as the INTERNET permission, which allows the app to connect to the network and is needed to move data to a remote server. The SD measures the danger level of an application on the basis of the permissions it requests. The authors classify permission combinations into four groups and assign threat points (TP) of 0, 1, 5 and 25 to Safe SD, Normal SD, Dangerous SD and Severe SD respectively. Before the installation of a new application, the threat points are calculated from the combinations of permissions the application requests, which helps the user become aware of the more dangerous permissions at install time. Unknown malware with very high threat points is easily detected; the authors found 500 threat points for the Geinimi malware, a very clear deviation from benign apps. A limitation of this solution is that applications with threat points between 50 and 100 are not easy to classify as benign or malware: they could be benign apps with such permission combinations, or malware.
Enck et al. [36] developed Kirin, a tool that provides lightweight certification at installation time. It defines security rules, compares the requested permissions of an app against those rules and flags the app as malware if it fails any of them. Installation of the app is aborted if it is flagged as malware. The authors tested 311 applications downloaded from the official Android market and found that 5 applications failed the specified rules. The solution is lightweight, as it only analyzes the AndroidManifest.xml file. A limitation of Kirin is that it may also declare some legitimate applications as malware, because the information available for application certification is not adequate for malware detection.

DroidMat [37] is a tool that extracts information from the manifest file, such as permissions, message passing through intents and API call tracing, to analyze application behavior. It applies K-means clustering, which increases malware detection capability, and classifies applications as benign or malware using the KNN algorithm [38]. It is more efficient than Androguard [39], taking less time to classify the 1,738 apps as malware or benign. It is also cost-saving, as it does not require dynamic simulation or manual effort. But, as a static detection method, it cannot detect malware that dynamically loads malicious content, such as DroidKungFu and BaseBridge.

Limitation of Permission Based Detection: Permission-based detection is a quick filter for scanning applications and deciding whether an application is benign or malware, but it only analyzes the manifest file and not the other files that contain the malicious code. There is also very little difference between the permissions used by malicious and benign apps. Permission-based methods therefore require a second pass to provide efficient malware detection.
3) Dalvik Bytecode Analysis

In Android, Dalvik is a register-based VM. Android apps are developed in Java, compiled to Java bytecode and then translated to Dalvik bytecode. Bytecode analysis helps to analyze app behavior, and control- and data-flow analysis detect the dangerous functionality performed by malicious apps.

Jinyung Kim et al. [40] developed SCANDAL, a static analyzer that analyzes the Dalvik bytecode of applications and detects privacy leakage. It determines the data flow from an information source to any remote server. Dalvik bytecode contains branch, method invocation and jump instructions that alter the order of execution and can be used to obfuscate the code; bytecode analysis identifies the possible paths an application can take during execution. In [40], the authors examined 90 applications from the official Android market and 8 malicious applications from a third-party marketplace, and found privacy leakage in 11 Google market applications and 8 third-party market applications. Performance optimization is needed, as SCANDAL consumes a lot of time and memory to analyze an application. It also does not support applications that use reflection for data leakage; in SCANDAL the authors implemented reflection semantics manually to detect privacy leakage in malicious apps taken from the black market.

Karlsen et al. [41] presented the first formalization of Dalvik bytecode, including Java's reflective features. They examined 1,700 popular Android apps to determine which Dalvik bytecode instructions and features are used most. Such a formalization helps to perform control- and data-flow analysis in order to detect malicious apps or to identify the sensitive API calls invoked during execution. It supports dynamic dispatch and reflective features, but its analysis of concurrency and its reflection handling need to be extended.
Zhou et al. [42] implemented DroidMOSS, which extracts the Dalvik bytecode sequence and developer information of an application using the baksmali tool [43] and generates a fingerprint for each app with fuzzy hashing, creating a fixed-size 80-byte signature for detecting repackaged applications. Repackaged apps are identified on the basis of a similarity score. The authors applied DroidMOSS to 200 samples from six different third-party marketplaces and found that 5% to 13% of the apps were repackaged. The solution cannot detect a repackaged app if the original app is not present in the database, and because of the limited database much malware remains undetected. Google Play may also contain malware; a further limitation is that the authors assumed all Google Play apps to be legitimate and then matched the signatures of apps taken from other app stores against them to detect repackaged apps.
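The fingerprint-and-compare step that DroidMOSS relies on (and, with a different signature scheme, AndroSimilar in the signature-based section) can be shown on a small opcode sequence. The block below is an added example written for this survey, not DroidMOSS code: it builds a context-triggered piecewise hash over a sequence of Dalvik opcode mnemonics, so that splicing a chunk of code into the middle changes only the digits around the insertion, and then scores candidates against a database of originals by normalized edit distance. The opcode byte values are a real subset of the Dalvik opcode table; the window size, trigger modulus, one-hex-digit piece hash and the three constructed opcode sequences are simplifications for the demonstration.

```python
"""Fuzzy-hash fingerprinting of Dalvik opcode sequences.

Added example of similarity-based repackaging detection in the spirit of
DroidMOSS; not DroidMOSS code. OPCODE_VALUE holds a subset of real Dalvik
opcode bytes; WINDOW, TRIGGER, the one-hex-digit piece hash and the three
opcode sequences are constructed for the demonstration.
"""

# Subset of Dalvik opcode byte values (assumption: only these mnemonics occur).
OPCODE_VALUE = {
    "move": 0x01, "move-result": 0x0a, "return-void": 0x0e, "return": 0x0f,
    "const/4": 0x12, "const-string": 0x1a, "new-instance": 0x22, "goto": 0x28,
    "if-eqz": 0x38, "iget": 0x52, "iput": 0x59, "invoke-virtual": 0x6e,
    "invoke-direct": 0x70, "invoke-static": 0x71,
}
WINDOW = 3    # opcodes in the rolling window that decides piece boundaries
TRIGGER = 3   # boundary where the window hash % TRIGGER == TRIGGER - 1
HEX = "0123456789abcdef"

def fingerprint(opcodes):
    """Context-triggered piecewise hash: one hex digit per piece.

    A boundary depends only on the last WINDOW opcodes, so code inserted in the
    middle changes the digits around the insertion and leaves the rest intact.
    """
    values = [OPCODE_VALUE[op] for op in opcodes]
    digest, piece = [], []
    for i, v in enumerate(values):
        piece.append(v)
        window_hash = sum(values[i + 1 - WINDOW:i + 1]) if i + 1 >= WINDOW else 0
        if i + 1 >= WINDOW and window_hash % TRIGGER == TRIGGER - 1:
            digest.append(HEX[sum(piece) % 16])
            piece = []
    if piece:
        digest.append(HEX[sum(piece) % 16])
    return "".join(digest)

def levenshtein(a, b):
    """Edit distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(fp_a, fp_b):
    """1.0 for identical fingerprints, 0.0 when nothing aligns."""
    longest = max(len(fp_a), len(fp_b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(fp_a, fp_b) / longest

def best_match(candidate_fp, database, threshold=0.6):
    """(name, score) of the closest original at or above threshold, else None."""
    scored = [(name, similarity(candidate_fp, fp)) for name, fp in database.items()]
    if not scored:
        return None
    name, score = max(scored, key=lambda t: t[1])
    return (name, score) if score >= threshold else None

# Constructed "original" method: builds a string, stores a field, branches, returns.
ORIGINAL = ["new-instance", "invoke-direct", "const-string", "invoke-virtual",
            "move-result", "iput", "const/4", "iget", "if-eqz", "invoke-static",
            "move-result", "invoke-virtual", "goto", "const-string",
            "invoke-virtual", "return-void"]
# Constructed injected chunk, spliced in right after the 'iput' (index 5).
INJECTED = ["invoke-virtual", "move-result", "new-instance", "invoke-direct",
            "invoke-virtual"]
REPACKAGED = ORIGINAL[:6] + INJECTED + ORIGINAL[6:]
# Constructed unrelated method.
UNRELATED = ["const/4", "const/4", "move", "invoke-static", "move-result",
             "if-eqz", "goto", "return", "const-string", "invoke-static", "return"]

if __name__ == "__main__":
    db = {"com.example.original": fingerprint(ORIGINAL)}
    for name, seq in (("repackaged", REPACKAGED), ("unrelated", UNRELATED)):
        print(name, fingerprint(seq), best_match(fingerprint(seq), db))
```

The repackaged sequence keeps every digit of the original's fingerprint and gains two new ones around the splice, so it scores 9/11 against the original, whereas the unrelated method shares nothing and scores 0. Real fuzzy hashes such as the one DroidMOSS uses work the same way but over far longer opcode streams with a larger piece alphabet, which is what makes the similarity score meaningful at app scale.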
DroidAPIMiner [44], built upon Androguard [39], identifies malware by tracking the sensitive API calls, dangerous parameters and package-level information within the bytecode. To classify an application as benign or malware it implements the KNN algorithm [38], and it achieved up to 99% accuracy with a 2.2% false-positive rate.

Fuchs et al. [45] presented SCanDroid, which analyzes Android applications statically as they are installed and performs data-flow analysis to check whether the data flows through the applications are consistent. On the basis of the data flows, it declares whether the application is safe to run with the requested permissions. The authors use it as a security certification tool for Android apps.

Many researchers have worked on converting Dalvik bytecode to Java bytecode and then performing static analysis on the Java code to detect the malicious behavior of an app. ded [46] and Dare [47] are tools for converting Dalvik bytecode to Java bytecode. These tools are useful when developers do not distribute the Java source code, since in that case one must still analyze the code to detect malware through static analysis. The Dexpler tool [48] converts Dalvik bytecode into Jimple code, which is used by the static analysis framework Soot [49]. It lets Soot read Dalvik bytecode directly and perform static analysis without converting the Dalvik bytecode into Java bytecode. Another well-known static analysis framework used by researchers is WALA, which performs static analysis on Java bytecode to detect privacy leakage within malicious apps [50].

Chin et al. [51] presented a tool named ComDroid that detects communication-based vulnerabilities among Android apps. They analyzed 20 samples and detected 34 exploitable vulnerabilities among 12 applications. ComDroid uses the Dedexer tool [52] to disassemble the dex files in the app. It performs static analysis on the Dalvik files, analyzes the permissions listed in the app's AndroidManifest.xml file, performs intra-procedural analysis and examines the app's Intents to detect communication vulnerabilities.

Limitations of Dalvik Bytecode Detection: In this method, analysis is performed at the instruction level and consumes more power and storage space. Since Android devices are resource-poor, this limits the detection approach.
B. Dynamic Approach

Dynamic analysis examines the application during execution. It may miss code sections that are not executed, but it can identify malicious behavior that static analysis methods do not detect. Although static analysis methods are faster at detecting malware, they fail against code obfuscation and encrypted malware. In [53], Egele et al. provided a detailed overview of the different dynamic analysis methods used to discriminate between malware and benign apps. Dynamic analysis is effective against the polymorphic and metamorphic code obfuscation techniques employed by malware [54], but it requires more resources.

1) Anomaly Based Detection

Iker et al. [55] proposed CrowDroid to detect the behavior of applications dynamically. Details of the system calls invoked by the app are collected with the strace tool [56]; a crowdsourcing app installed on the device then creates a log file and sends it to a remote server. The log file may include device information, the apps installed on the device and the system calls. A 2-means clustering algorithm is applied on the server side to classify the application as malware or benign, and the results are stored in the server database. The solution provides deep analysis and thus requires a large amount of resources. It requires a client app to be installed on the user's device and may classify a legitimate app as malware if it invokes more system calls.
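As an added example of the server-side clustering step described for CrowDroid (not CrowDroid's own code), the block below runs 2-means over per-run system-call count vectors and then classifies new runs. Assumptions: six syscalls are counted per run from a constructed one-line-per-syscall summary, the two most distant runs seed the centroids, and the cluster with the larger mean count is labelled suspicious. The last classification shows the limitation noted above: a legitimate but chatty app lands in the suspicious cluster.

```python
"""2-means clustering of per-run system-call counts.

Added example of the server-side clustering step described for CrowDroid; not
CrowDroid's code. Assumptions: six syscalls are counted per run, the per-run
summaries below are constructed ("syscall count" lines), the two most distant
runs seed the centroids, and the cluster whose centroid has the larger total
count is labelled suspicious.
"""
import math

SYSCALLS = ["open", "read", "write", "sendto", "recvfrom", "ioctl"]

# Constructed per-run count vectors, in SYSCALLS order.
BENIGN_RUNS = [[40, 120, 30, 2, 2, 15], [38, 115, 28, 3, 1, 14], [45, 130, 35, 1, 2, 18]]
MALICIOUS_RUNS = [[42, 125, 32, 90, 60, 80], [40, 118, 30, 110, 70, 95], [44, 128, 33, 85, 55, 75]]
# A chatty but legitimate app (e.g. media streaming): the false-positive case.
HEAVY_BENIGN_RUN = [50, 200, 40, 120, 150, 90]
# Constructed summary as a client agent might upload it; unknown syscalls are ignored.
SAMPLE_SUMMARY = ["open 42", "read 125", "write 32", "sendto 90",
                  "recvfrom 60", "ioctl 80", "futex 500"]

def parse_summary(lines):
    """Turn 'syscall count' lines into a count vector in SYSCALLS order."""
    counts = dict.fromkeys(SYSCALLS, 0)
    for line in lines:
        parts = line.split()
        if len(parts) == 2 and parts[0] in counts:
            counts[parts[0]] = int(parts[1])
    return [counts[s] for s in SYSCALLS]

def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def centroid(points):
    return [sum(col) / len(points) for col in zip(*points)]

def two_means(points, max_iter=50):
    """Lloyd's algorithm with k=2; returns (centroids, assignment per point)."""
    # Deterministic seed: the two runs farthest apart.
    seed = max(((p, q) for p in points for q in points), key=lambda pq: distance(*pq))
    centroids = [list(seed[0]), list(seed[1])]
    assign = None
    for _ in range(max_iter):
        new_assign = [min((0, 1), key=lambda k: distance(p, centroids[k])) for p in points]
        if new_assign == assign:
            break
        assign = new_assign
        for k in (0, 1):
            members = [p for p, a in zip(points, assign) if a == k]
            if members:
                centroids[k] = centroid(members)
    return centroids, assign

def suspicious_cluster(centroids):
    """Assumed labelling rule: the centroid with the larger total call count."""
    return max((0, 1), key=lambda k: sum(centroids[k]))

def classify(run, centroids):
    """'suspicious' if the run is nearest the suspicious centroid, else 'benign'."""
    nearest = min((0, 1), key=lambda k: distance(run, centroids[k]))
    return "suspicious" if nearest == suspicious_cluster(centroids) else "benign"

if __name__ == "__main__":
    cents, assign = two_means(BENIGN_RUNS + MALICIOUS_RUNS)
    print("assignment:", assign)
    print("uploaded summary ->", classify(parse_summary(SAMPLE_SUMMARY), cents))
    print("heavy benign app ->", classify(HEAVY_BENIGN_RUN, cents))
```

The six training runs split cleanly into two clusters, and the uploaded summary (a trojanized build's network-heavy profile) is classified as suspicious; so is the heavy streaming app, because the clustering sees only call volume, not what the calls carry. That is exactly the false positive the text warns about, and why CrowDroid-style counts are better treated as a triage signal than as a verdict.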
Shabtai et al. [57] proposed Andromaly, a behavior-based Android malware detection system. In order to classify an application as benign or malware, it continuously monitors different features and patterns that indicate the device state, such as battery level and CPU consumption, while the app is running, and then applies machine-learning algorithms to discriminate between malicious and benign apps. The solution can detect continuous attacks and can notify the user about them.

AntiMalDroid [58], a malware detection framework using the SVM algorithm proposed by Zhao, can identify malicious apps and their variants during execution. It first monitors the behavior of applications and their characteristics, then categorizes these characteristics as normal or malicious behavior. It feeds both types of characteristics into a learning module, which generates signatures for the behavioral characteristics. The signatures are stored in a database and compared with the already existing malware and benign app signatures; the app is classified as benign if its signature matches existing benign app signatures. The solution can extend the signature database dynamically and can provide a high detection rate, but the detection process consumes more time.
2) Taint Analysis

Enck et al. [59] proposed TaintDroid, which provides system-wide information-flow tracking for Android. It can simultaneously track multiple sources of sensitive data, such as the camera, GPS and microphone, and identify data leakage in third-party apps. It labels sensitive data and keeps track of that data, and of the app responsible, when tainted data leaves the device. It provides efficient tracking of sensitive information, but it does not perform control-flow tracking. It also cannot track information that leaves the device and returns in a network reply.
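The labelling-and-propagation idea behind TaintDroid, and its control-flow blind spot, can be shown with a forward taint pass over a small constructed register IR. This is an added example, not TaintDroid's implementation (which works inside the Dalvik VM on real bytecode and also tracks heap objects, IPC and files): the instruction forms, the source and sink API names and the two sample programs are assumptions made for the demonstration.

```python
"""Forward taint propagation over a small register-machine IR.

Added example of the source-to-sink tracking that TaintDroid performs inside
the Dalvik VM; this is not TaintDroid's code. The instruction forms, the
source/sink API names and the sample programs are constructed. Like
TaintDroid, the pass follows explicit data flow only, so the 'select'
instruction at the end of LEAKY_PROGRAM shows the implicit (control-flow)
leak that such tracking misses.
"""

# Assumed taint sources (API -> label) and sinks where tainted data must not arrive.
SOURCES = {
    "TelephonyManager.getDeviceId": "IMEI",
    "LocationManager.getLastKnownLocation": "LOCATION",
    "ContactsContract.query": "CONTACTS",
}
SINKS = {"HttpURLConnection.write", "SmsManager.sendTextMessage"}

def run_taint(program):
    """Abstractly execute the IR, carrying a set of taint labels per register.

    Instruction forms (tuples):
      ("const", dst, value)          literal; clears the register's taint
      ("move", dst, src)             register copy; taint is copied
      ("concat", dst, a, b)          string concatenation; taint is the union
      ("select", dst, cond, a, b)    dst = a if cond else b; only a/b taint is
                                     propagated, cond's taint is dropped (the
                                     implicit-flow blind spot)
      ("invoke", api, dst, args)     a source sets dst's taint; a sink with
                                     tainted args records a leak; any other
                                     call passes the union of its args' taint
    Returns a list of (sink_api, frozenset(labels)) for every tainted sink call.
    """
    taint = {}
    leaks = []
    for ins in program:
        op = ins[0]
        if op == "const":
            taint[ins[1]] = set()
        elif op == "move":
            taint[ins[1]] = set(taint.get(ins[2], set()))
        elif op == "concat":
            taint[ins[1]] = taint.get(ins[2], set()) | taint.get(ins[3], set())
        elif op == "select":
            _, dst, _cond, a, b = ins
            taint[dst] = taint.get(a, set()) | taint.get(b, set())
        elif op == "invoke":
            _, api, dst, args = ins
            incoming = set().union(*[taint.get(r, set()) for r in args])
            if api in SINKS and incoming:
                leaks.append((api, frozenset(incoming)))
            if api in SOURCES:
                taint[dst] = {SOURCES[api]}
            elif dst is not None:
                taint[dst] = incoming
        else:
            raise ValueError(f"unknown instruction {op!r}")
    return leaks

# Constructed program: two explicit leaks and one implicit leak.
LEAKY_PROGRAM = [
    ("invoke", "TelephonyManager.getDeviceId", "v0", []),
    ("const", "v1", "https://collector.invalid/?id="),
    ("concat", "v2", "v1", "v0"),
    ("invoke", "HttpURLConnection.write", None, ["v2"]),           # IMEI leaves via HTTP
    ("invoke", "LocationManager.getLastKnownLocation", "v3", []),
    ("move", "v4", "v3"),
    ("invoke", "String.valueOf", "v5", ["v4"]),
    ("invoke", "SmsManager.sendTextMessage", None, ["v5"]),         # location leaves via SMS
    ("const", "v6", "A"),
    ("const", "v7", "B"),
    ("select", "v8", "v0", "v6", "v7"),      # v8 depends on the IMEI only through control flow
    ("invoke", "HttpURLConnection.write", None, ["v8"]),           # not reported: implicit flow
]

# Constructed benign program: network traffic that carries no sensitive data.
BENIGN_PROGRAM = [
    ("const", "v0", "https://updates.invalid/version"),
    ("invoke", "HttpURLConnection.write", None, ["v0"]),
]

if __name__ == "__main__":
    for api, labels in run_taint(LEAKY_PROGRAM):
        print(f"tainted data reached {api}: {sorted(labels)}")
    print("benign leaks:", run_taint(BENIGN_PROGRAM))
```

The pass reports the IMEI reaching the HTTP sink and the location reaching the SMS sink, and reports nothing for the benign program. The third write is silent even though its value is chosen by the IMEI, which is the control-flow limitation the paragraph above attributes to TaintDroid: an attacker who encodes sensitive bits in branch decisions rather than in the data itself evades explicit-flow tracking.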
3) Emulation Based Detection

Yan et al. [60] present DroidScope, an Android dynamic analysis platform based on virtual machine introspection. Just as anti-malware can detect the presence of malware because both reside in the same execution environment, malware can also detect the presence of anti-malware. DroidScope monitors the whole operating system from outside the execution environment and thus has more privileges than the malware. It also monitors Dalvik semantics, so privilege escalation attacks on the kernel can be detected as well. It is built upon QEMU. DroidDream and DroidKungFu [61] were detected with this technique.

Bläsing et al. [62] proposed the Android Application Sandbox (AASandbox), which detects suspicious applications by performing both static and dynamic analysis on them. It first extracts the .dex file into human-readable form and performs static analysis on the application. It then analyzes the low-level interactions with the system by executing the application in an isolated sandbox environment. The application's actions are confined to the sandbox by the security policy and do not affect the data on the device. It uses the Monkey tool to analyze application behavior dynamically, which randomly generates user events such as touches, clicks and gestures. It cannot detect new malware types.
V. PERFORMANCE EVALUATION & ANALYSIS

In this section, we evaluate the performance of different parameters and provide a comprehensive comparison of different attributes. Table 2 provides the limitations of the static and dynamic approaches to malware detection. Malware detection through static analysis and dynamic analysis is provided in Table 3 and Table 4 respectively.

TABLE II. LIMITATIONS OF STATIC AND DYNAMIC APPROACHES

Approach | Mechanism | Limitations
Static | Signature based detection | Cannot detect unknown malware types.
Static | Permission based detection | May consider a benign app as malicious because of the very small difference between the permissions requested by both types.
Static | Dalvik bytecode detection | More power and memory consumption.
Dynamic | Anomaly detection | Incorrect if a benign app shows the same behaviors, e.g., invokes more API calls or consumes more battery and memory.
Dynamic | Taint analysis | Not suitable for real-time analysis. Reduces performance (20 times slowdown of the system).
Dynamic | Emulation based detection | More resource consumption.
On the basis of their working techniques we have deduced major limitations and benefits for each detection mechanism.
TABLE III. MALWARE DETECTION THROUGH STATIC ANALYSIS
(Columns: Approach; Name; Goal; Method; Year; Limitations; Benefits)

Approach: Signature Based Detection

Name: AndroSimilar [26] (2013)
Goal: Detect unseen and zero-day samples of known malwares.
Method: Creates a variable-length signature and compares it with the signature database. Uses a fuzzy hashing technique. Differentiates between benign and malicious apps on the basis of similarity percentage.
Limitations: Limited signature database. Similarity percentage may classify benign apps as malicious. Can only detect known malware variants.
Benefits: Effective against code obfuscation and repackaging.

Name: DroidAnalytics [27] (2013)
Goal: Automatic collection, extraction, analysis and association of Android malwares.
Method: Creates 3-level signatures for an app on the basis of API calls. Performs op-code level analysis (method, class, application). Correlates the application with existing malwares in the database via a similarity score based on the class-level signature.
Limitations: Similarity score may classify legitimate apps as malicious. Some level-2 signatures classified as malware are also used by legitimate apps. Cannot detect unknown malware types.
Benefits: Effective against mutations and repackaged apps. Associates malware at op-code level. Easy malware and dynamic payload tracking. Also detects dynamic malware payloads.

Approach: Permission Based Detection

Name: Stowaway [28] (2011)
Goal: Application overprivilege detection.
Method: API call tracing through a static analysis tool. Permission map to identify the permissions required by each API call.
Limitations: Cannot resolve complex reflective calls.
Benefits: Notifies about overprivileged applications.

Name: R. Sato [29] (2013)
Goal: Malware detection by manifest file analysis.
Method: Analyzes the manifest file. Compares extracted information with a keyword list. Calculates a malignancy score. Compares the malignancy score with threshold values. Classifies the app as malware if the malignancy score exceeds the threshold values.
Limitations: Cannot detect adware samples. Generates results only on the basis of the manifest file.
Benefits: Lightweight approach. Low cost. Can detect unknown malwares. Can detect malwares that remain undetectable by signature based detection. Can be implemented in other security systems for better malware detection.

Name: C.-Y. Huang [31] (2013)
Goal: Performance evaluation on permission based malware detection.
Method: Analyzes the required and requested permissions for an application. Analyzes easy-to-retrieve features. Labels apps as benign or malware using site-based, scanner-based and mixed labeling. Uses machine learning algorithms on three datasets (on the basis of labels). Evaluates the permission based malware detection performance.
Limitations: Performance numbers generated by classifiers are not perfect. Cannot completely rely on results generated by classifiers. AdaBoost identifies all apps as legitimate. Naïve Bayes also does not give precise results.
Benefits: Can use different classifiers for different scenarios. Quick filter for malware detection.

Name: PUMA [32] (2013)
Goal: Malware detection.
Method: Analyzes extracted permissions. Uses the … and … tags. Classifies apps by using machine learning algorithms. Evaluates the performance by k-fold cross validation with k = 10.
Limitations: High false positive rate. Not adequate for efficient malware detection.
Benefits: High detection rate.

Name: Tang Wei [34] (2011)
Goal: Application assessment and analysis to extend Android security.
Method: Uses a Security Distance Model to measure the danger level due to the combination of requested permissions.
Limitations: Applications with a threat point between 50 and 100 are difficult to identify as malware or benign apps.
Benefits: Provides malware identification during installation. Can detect unknown malwares.

Name: Kirin [35] (2009)
Goal: Risk assessment and certification of applications at install time.
Method: Uses security rules. Compares the security configuration of the application with the security rules. Certifies the app as malware if the app fails to satisfy all the security rules.
Limitations: May declare a benign app as malware because mostly similar permissions are requested by benign and malicious apps.
Benefits: Lightweight certification of the application at installation time. Low cost. Blocks the malicious applications.

Approach: Dalvik Bytecode Detection

Name: SCANDAL [38] (2012)
Goal: Privacy leak detection.
Method: Extracts the bytecode of the application as a Dalvik executable file. Translates the Dalvik executable into Dalvik Core, an intermediate language for efficient analysis.
Limitations: More time and memory consumption. Needs performance improvement techniques to implement. Does not support applications that use reflection for privacy leakage. Does not support Java Native Interface libraries.
Benefits: Saves the data from privacy leakage. Dalvik bytecode is always available. Does not need reverse engineering tools.

Name: Karlsen [39] (2013)
Goal: Dalvik bytecode formalization and control flow analysis.
Method: Provides formal control flow analysis. Formalizes the Dalvik bytecode language with reflection features.
Limitations: Requires extension in the analysis of reflection and concurrency handling.
Benefits: Supports reflection and dynamic dispatch features. Formal control flow analysis easily traces the API calls.

Name: DroidMOSS [40] (2012)
Goal: Repackaged malicious app detection.
Method: Extracts the instructions in the app and developer information. Uses the baksmali tool for Dalvik bytecode extraction. Generates a fingerprint for each app by applying fuzzy hashing techniques. Measures similarity between apps to detect repackaged apps.
Limitations: It assumes all Google Play apps are legitimate apps. Limited database. Cannot detect repackaged apps if the original app is not present in the database.
Benefits: Effective detection of repackaged apps.

Name: DroidAPIMiner [42] (2013)
Goal: API-level malware detection.
Method: Extracts API-level features. Applies classifiers for evaluation.
Limitations: More occurrences of false positives. May generate incorrect classification.
Benefits: Better accuracy.

Name: SCanDroid [43] (2009)
Goal: Application data flow analysis and security certification.
Method: Analyzes data flows in the app. Makes a decision to classify the app as benign or malware on the basis of data flow.
Limitations: Cannot be applied to packaged applications.
Benefits: Provides security at install time.

Name: ComDroid [49] (2011)
Goal: Application communication vulnerability detection.
Method: Extracts Dalvik executable files. Disassembles DEX files using the Dedexer tool. Keeps logs of the communication vulnerabilities.
Limitations: Does not verify the existence of malware. Requires users to manually investigate the warnings.
Benefits: Issues warnings about threats.
TABLE IV. MALWARE DETECTION THROUGH DYNAMIC ANALYSIS
(Columns: Approach; Name; Goal; Method; Year; Limitations; Benefits)

Approach: Anomaly Detection

Name: CrowDroid [53] (2011)
Goal: Detect anomalously behaving malicious applications.
Method: CrowDroid client app installed on the user device. The strace tool performs system call tracing. Creates a log file and sends it to a remote server. Dynamic analysis is performed on the data at the server side. Considers that malicious apps invoke more system calls.
Limitations: Requires the installation of the CrowDroid client application to perform detection. Results are incorrect if a legitimate app invokes more system calls.
Benefits: Provides deep analysis.

Name: Andromaly [55] (2012)
Goal: Malware detection.
Method: Continuously monitors features and events, e.g., battery level, data packets transferred through the Internet, CPU consumption and running processes. Applies machine learning classifiers to discriminate between benign and malicious applications.
Limitations: Only four artificially created malware instances were used for testing the system. Battery drainage issue.
Benefits: Can detect continuous attacks. Alerts the user about the detected anomaly.

Name: AntiMalDroid [56] (2011)
Goal: Malware detection through characteristic learning and signature generation.
Method: Monitors the behavior of applications and their characteristics. Categorizes the characteristics into normal behavior and malicious behavior. Puts these characteristic types into a learning module. Generates behavioral characteristics. Generates signatures for these behavioral characteristics. Stores these signatures in a database. Compares a signature with the signatures in the database. Declares an app as malware if its signature matches a malware signature in the database.
Limitations: More time consumption.
Benefits: Can detect unknown malwares and their variants at runtime. Extends the malware database dynamically. Higher detection rate. Low cost and better performance.

Approach: Taint Analysis

Name: TaintDroid [57] (2010)
Goal: Data flow analysis and leakage detection.
Method: Automatically labels the data. Keeps track of the data. Records the label of the data, source and destination device if the data moves out of the device.
Limitations: Only tracks data flows and does not track control flows. Cannot track information that leaves the device and returns in a network reply.
Benefits: Efficient tracking of sensitive information.

Approach: Emulation Based Detection

Name: DroidScope [58] (2012)
Goal: Android malware analysis.
Method: System call tracking. Built upon QEMU (quick emulator). Monitors the OS and Dalvik semantics. Performs virtual machine introspection based dynamic analysis.
Limitations: Limited code coverage.
Benefits: Can detect privilege escalation attacks on the kernel.

Name: AASandbox [60] (2010)
Goal: Malware detection.
Method: Extracts the classes.dex file and decompiles it into human-readable form. Performs static analysis on the application. Executes the application in a sandbox and performs dynamic analysis. Uses the Monkey tool to analyze the malicious behavior of the app.
Limitations: Cannot detect new malwares.
Benefits: Can be used to improve the efficiency of antimalware programs for Android OS.
Figure 6: Future Trends of Android Malware Growth

Fig. 5. Expected future trends of Android OS market share

VI. DISCUSSION

The popularity of the Android operating system is increasing tremendously.
The yearly records presented by IDC [3] show that the Android OS market share in the second quarter (2Q) of 2015 was 82.8%, which is a 2% decrease from 2Q 2014. If the value remains the same till the end of the year and keeps on decreasing every year at the same rate, then we can expect that in 2018 the Android market share will drop to 76.8%. According to the same record, the Android share increased 5% in 2014 from the previous year. If it keeps on increasing at the same rate and increases up to 89.8% by the end of 2016, then we can say that the Android share will grow up to 99.9% in 2018. Furthermore, it is predicted that the market share of Android will be on average 88.4% in 2018. The estimations and future predictions of the Android market are computed and plotted in Figure 5.

It should be noted that with the increased usage of Android-based devices, the number of malwares attacking Android is increasing at an exponential rate. In 2015, the number of Android malwares spiked to 7.10 million. This figure is 2.84 million more than the previous year [8][9]. If the malware growth keeps on increasing at the same ratio, it is expected that this number will increase up to 15.8 million in 2018. The malware growth trends are predicted and the estimated values are provided in Figure 6.
In contrast to malwares, a wide range of antimalware have been designed and developed in order to protect the devices. It is inferred that an antimalware using the static approach is less efficient in detecting malicious contents that are loaded dynamically from remote servers. The dynamic approach is efficient in that it keeps on monitoring the application and is able to detect the malicious content at execution time. However, the portions of malicious code that are not executed remain undetected. It is believed that any single security solution in Android cannot provide full protection against the vulnerabilities and malwares. It is better to deploy more than one solution simultaneously, for example a hybrid of two approaches, i.e. static and dynamic. The hybrid approach will first statically analyze the application and will then perform dynamic analysis. This hybrid solution may be an expensive method to apply because of the limited available resources such as battery, memory, etc. However, the limitation of this hybrid solution can be addressed in two ways. Firstly, the static analysis can be performed locally on the Android device; afterwards, the dynamic analysis could be performed in a distributed fashion by sending the malicious activity or event in the form of a log file to a remote server. The remote server can perform the dynamic analysis quickly and efficiently, as the server will have enough resources to perform dynamic analysis and can generate rapid responses against the application behavior, and the user can be instantly notified. However, this hybrid solution needs more investigation and is subject to design tradeoffs. Future work will focus on developing such a hybrid antimalware to provide better security for Android devices.
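The two-stage pipeline described above, as an added example that is not part of the original paper: the device scores the manifest's permissions against a keyword list (after the Sato [29] entry in Table III) and, only if that score stays below a threshold, forwards an strace-style system-call log to a server that compares its call-frequency vector with a benign baseline (after the CrowDroid [53] entry in Table IV). All permission weights, thresholds, manifests, the baseline, the log lines and the function names are constructed for this illustration.

```python
"""Two-stage hybrid check from Section VI: a static manifest score on the
device, then a remote anomaly check on a forwarded system-call log.
Stage 1 mirrors the malignancy score of Sato [29] (Table III); stage 2 mirrors
CrowDroid [53]. All weights, thresholds, manifests and log lines are constructed."""
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Hypothetical keyword weights; permissions typical of premium-SMS trojans and
# data exfiltration weigh more (illustrative values, not from [29]).
PERMISSION_WEIGHTS = {
    "android.permission.SEND_SMS": 3.0,
    "android.permission.RECEIVE_SMS": 2.0,
    "android.permission.READ_CONTACTS": 1.5,
    "android.permission.READ_PHONE_STATE": 1.0,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1.0,
    "android.permission.INTERNET": 0.5,
}
STATIC_THRESHOLD = 5.0   # hypothetical malignancy cut-off for stage 1
DYNAMIC_THRESHOLD = 0.3  # hypothetical distance cut-off for stage 2
STRACE_LINE = re.compile(r"^(\d+)\s+([a-z_0-9]+)\(")  # 'pid call(args) = ret'


def static_malignancy_score(manifest_xml):
    """Stage 1 (on device): sum weights of requested permissions found in the
    keyword list; returns (score, matched permissions)."""
    root = ET.fromstring(manifest_xml)
    requested = [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]
    matched = [p for p in requested if p in PERMISSION_WEIGHTS]
    return sum(PERMISSION_WEIGHTS[p] for p in matched), matched


def syscall_profile(log_text):
    """Stage 2 (server): count calls per name in strace-style lines, skipping
    lines that do not parse (truncated or wrapped log output)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = STRACE_LINE.match(line.strip())
        if m:
            counts[m.group(2)] += 1
    return counts


def anomaly_distance(profile, baseline):
    """Euclidean distance between normalised call-frequency vectors of the
    observed run and a baseline built from known-benign runs."""
    p_total = sum(profile.values()) or 1
    b_total = sum(baseline.values()) or 1
    names = set(profile) | set(baseline)
    return math.sqrt(sum((profile[n] / p_total - baseline[n] / b_total) ** 2 for n in names))


def hybrid_verdict(manifest_xml, syscall_log, baseline):
    """Stage 1 runs locally; only apps under the static threshold have their
    log shipped to the server for stage 2. The result names the deciding stage."""
    score, matched = static_malignancy_score(manifest_xml)
    if score >= STATIC_THRESHOLD:
        return {"stage": "static", "verdict": "malicious", "score": score, "matched": matched}
    dist = anomaly_distance(syscall_profile(syscall_log), baseline)
    verdict = "malicious" if dist >= DYNAMIC_THRESHOLD else "benign"
    return {"stage": "dynamic", "verdict": verdict, "score": score, "distance": round(dist, 3)}


# Constructed inputs: a baseline syscall mix, two manifests and two strace-style logs.
BASELINE = Counter({"read": 40, "write": 30, "ioctl": 20, "recvfrom": 10})
USES = '<uses-permission android:name="android.permission.{}"/>'
MANIFEST = '<manifest xmlns:android="http://schemas.android.com/apk/res/android">{}</manifest>'
READER_MANIFEST = MANIFEST.format(USES.format("INTERNET") + USES.format("ACCESS_NETWORK_STATE"))
SMS_MANIFEST = MANIFEST.format("".join(
    USES.format(p) for p in ("SEND_SMS", "RECEIVE_SMS", "READ_PHONE_STATE", "INTERNET")))
NORMAL_LOG = "\n".join(['1234 read(3, "...", 4096) = 4096'] * 4 +
                       ['1234 write(4, "...", 512) = 512'] * 3 +
                       ['1234 ioctl(5, 0xc0186201, 0x7f00) = 0'] * 2 +
                       ['1234 recvfrom(6, "...", 1024, 0, NULL, NULL) = 300'])
# Harmless-looking manifest, but at run time the app mostly connects and sends.
BEACON_LOG = "\n".join(['1234 connect(7, {sa_family=AF_INET, ...}, 16) = 0'] * 2 +
                       ['1234 sendto(7, "...", 2048, 0, NULL, 0) = 2048'] * 3)
```

Calling hybrid_verdict(READER_MANIFEST, BEACON_LOG, BASELINE) shows the case the text motivates: the manifest alone passes the static stage and only the server-side log comparison flags the app.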
VII. CONCLUSION

In this paper, the malwares and their penetration techniques have been thoroughly analyzed. The antimalware are categorized on the basis of the detection methods they use.
[Figure 5 data labels (Android OS market share in %, axis "Growth Percentage", years 2012 to 2018): Current 69.3, 79.8, 84.8, 82.8; Increase 89.8, 94.8, 99.8, 99.99; Decrease 82.8, 80.8, 78.8, 76.8; Average 86.3, 87.8, 89.3, 88.4]

A detailed performance evaluation of these antimalware techniques is also provided, and the benefits and limitations of these antimalware are deduced comprehensively.
At the end, a concept of hybrid antimalware is presented which will address the limitations of the existing static and dynamic approaches. In future, it is aimed to implement the proposed hybrid solution, which will be a generic antimalware that will provide better security for Android devices by first statically analyzing Android applications on the local device and then performing dynamic analysis on a remote antimalware server. This will consume a very small amount of memory space on the device, and battery consumption will also be low, as all dynamic analysis will be performed at the remote server.
REFERENCES

[1] "Eric Schmidt: There Are Now 1.3 Million Android Device Activations Per Day." [Online]. Available: http://techcrunch.com/2012/09/05/eric-schmidt-there-are-now-1-3-million-android-device-activations-per-day/. [Accessed: 28-Oct-2015].
[2] "Gartner Says Annual Smartphone Sales Surpassed Sales of Feature Phones for the First Time in 2013." [Online]. Available: http://www.gartner.com/newsroom/id/2665715. [Accessed: 28-Oct-2015].
[3] "IDC: Smartphone OS Market Share 2015, 2014, 2013, and 2012." [Online]. Available: http://www.idc.com/prodserv/smartphone-os-market-share.jsp. [Accessed: 08-Dec-2015].
[4] "Number of available Android applications - AppBrain." [Online]. Available: http://www.appbrain.com/stats/number-of-android-apps. [Accessed: 28-Oct-2015].
[5] "Android and Security - Official Google Mobile Blog." [Online]. Available: http://googlemobile.blogspot.in/2012/02/android-and-security.html. [Accessed: 28-Oct-2015].
[6] A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner, "A survey of mobile malware in the wild," Proc. 1st ACM Work. Secur. Priv. smartphones Mob. devices - SPSM '11, pp. 3–14, 2011.
[7] R. Fedler, J. Schütte, and M. Kulicke, "On the Effectiveness of Malware Protection on Android," p. 36, 2013.
[8] "Mind the (Security) Gaps: The 1H 2015 Mobile Threat Landscape - Security News - Trend Micro USA." [Online]. Available: http://www.trendmicro.com/vinfo/us/security/news/mobile-safety/mind-the-security-gaps-1h-2015-mobile-threat-landscape. [Accessed: 08-Dec-2015].
[9] "The Mobile Landscape Roundup: 1H 2014 - Security News - Trend Micro USA." [Online]. Available: http://www.trendmicro.com/vinfo/us/security/news/mobile-safety/the-mobile-landscape-roundup-1h-2014. [Accessed: 08-Dec-2015].
[10] R. Raveendranath, V. Rajamani, A. J. Babu, and S. K. Datta, "Android malware attacks and countermeasures: Current and future directions," 2014 Int. Conf. Control. Instrumentation, Commun. Comput. Technol., pp. 137–143, 2014.
[11] Y. Zhou and X. Jiang, "Dissecting Android Malware: Characterization and Evolution," 2012 IEEE Symp. Secur. Priv., no. 4, pp. 95–109, 2012.
[12] "Security Alert: Zsone Trojan found in Android Market | Lookout Blog." [Online]. Available: https://blog.lookout.com/blog/2011/05/11/security-alert-zsone-trojan-found-in-android-market/. [Accessed: 15-Dec-2015].
[13] L. Davi, A. Dmitrienko, C. Liebchen, and A.-R. Sadeghi, "Over-the-Air Cross-platform Infection for Breaking mTAN-based Online Banking Authentication," BlackHat Abu Dhabi, pp. 1–12, 2012.
[14] "root exploits." [Online]. Available: http://www.selinuxproject.org/~jmorris/lss2011_slides/caseforseandroid.pdf. [Accessed: 15-Dec-2015].
[15] "Trojan:Android/DroidKungFu.C Description | F-Secure Labs." [Online]. Available: https://www.f-secure.com/v-descs/trojan_android_droidkungfu_c.shtml. [Accessed: 15-Dec-2015].
[16] Y. Zhou, Z. Wang, W. Zhou, and X. Jiang, "Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets," Proc. 19th Annu. Netw. Distrib. Syst. Secur. Symp., no. 2, pp. 5–8, 2012.
[17] "contagio mobile: Backdoor.AndroidOS.Obad.a." [Online]. Available: http://contagiominidump.blogspot.in/2013/06/backdoorandroidosobada.html. [Accessed: 28-Oct-2015].
[18] C. A. Castillo, "Android Malware Past, Present, and Future," McAfee White Pap. Mob. Secur. Work. Gr., pp. 1–28, 2011.
[19] "Android.Fakedefender.B | Symantec." [Online]. Available: https://www.symantec.com/security_response/writeup.jsp?docid=2013-091013-3953-99. [Accessed: 15-Dec-2015].
[20] "Riskware | Internet Security Threats." [Online]. Available: http://usa.kaspersky.com/internet-security-center/threats/riskware#.Vm-5IUp97IU. [Accessed: 15-Dec-2015].
[21] "Trend Micro Q2 Security Roundup Report | Androidheadlines.com." [Online]. Available: http://www.androidheadlines.com/2015/08/trend-micro-q2-security-roundup-report.html. [Accessed: 08-Dec-2015].
[22] "A Look at Repackaged Apps and their Effect on the Mobile Threat Landscape." [Online]. Available: http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-repackaged-apps-and-its-role-in-the-mobile-threat-landscape/. [Accessed: 15-Dec-2015].
[23] "NotCompatible Android Trojan: What You Need to Know | PCWorld." [Online]. Available: http://www.pcworld.com/article/254918/notcompatible_android_trojan_what_you_need_to_know.html. [Accessed: 15-Dec-2015].
[24] New Threats and Countermeasures in Digital Crime and Cyber Terrorism. IGI Global, 2015.
[25] A. Aiken, "Apposcopy: Semantics-Based Detection of Android Malware Through Static Analysis," FSE 2014, pp. 576–587, 2014.
[26] P. Faruki, V. Ganmoor, V. Laxmi, M. S. Gaur, and A. Bharmal, "AndroSimilar: Robust Statistical Feature Signature for Android Malware Detection," Proc. 6th Int. Conf. Secur. Inf. Networks, pp. 152–159, 2013.
[27] M. Zheng, M. Sun, and J. C. S. Lui, "DroidAnalytics: A Signature Based Analytic System to Collect, Extract, Analyze and Associate Android Malware," 2013.
[28] "Android Permissions Demystified." [Online]. Available: https://www.truststc.org/pubs/848.html. [Accessed: 06-Nov-2015].
[29] R. Sato, D. Chiba, and S. Goto, "Detecting Android Malware by Analyzing Manifest Files," pp. 23–31, 2013.
[30] "Weka 3 - Data Mining with Open Source Machine Learning Software in Java." [Online]. Available: http://www.cs.waikato.ac.nz/ml/weka/. [Accessed: 16-Dec-2015].
[31] C.-Y. Huang, Y.-T. Tsai, and C.-H. Hsu, "Performance evaluation on permission-based detection for android malware," Adv. Intell. Syst. Appl. - Vol. 2, vol. 21, pp. 111–120, 2013.
[32] S. Ben-David, Understanding Machine Learning: From Theory to Algorithms. 2014.
[33] B. Sanz, I. Santos, C. Laorden, X. Ugarte-Pedrero, P. G. Bringas, and G. Álvarez, "PUMA: Permission usage to detect malware in android," Adv. Intell. Syst. Comput., vol. 189 AISC, pp. 289–298, 2013.
[34] W. Shin, S. Kiyomoto, K. Fukushima, and T. Tanaka, "Towards formal analysis of the permission-based security model for Android," 5th Int. Conf. Wirel. Mob. Commun. ICWMC 2009, pp. 87–92, 2009.
[35] W. Tang, G. Jin, J. He, and X. Jiang, "Extending android security enforcement with a security distance model," 2011 Int. Conf. Internet Technol. Appl. iTAP 2011 - Proc., 2011.
[36] W. Enck, M. Ongtang, and P. McDaniel, "On lightweight mobile phone application certification," Proc. 16th ACM Conf. Comput. Commun. Secur. - CCS '09, pp. 235–245, 2009.
[37] D.-J. Wu, C.-H. Mao, T.-E. Wei, H.-M. Lee, and K.-P. Wu, "DroidMat: Android Malware Detection through Manifest and API Calls Tracing," 2012 Seventh Asia Jt. Conf. Inf. Secur., pp. 62–69, 2012.
[38] L. Kozma, "k Nearest Neighbors algorithm (kNN)," 2008.
[39] "androguard - Reverse engineering, Malware and goodware analysis of Android applications ... and more (ninja!) - Google Project Hosting." [Online]. Available: https://code.google.com/p/androguard/. [Accessed: 01-Dec-2015].
[40] J. Kim, Y. Yoon, and K. Yi, "SCANDAL: Static Analyzer for Detecting Privacy Leaks in Android Applications."
[41] E. R. Wognsen, H. S. Karlsen, M. C. Olesen, and R. R. Hansen, "Formalisation and analysis of Dalvik bytecode," Sci. Comput. Program., vol. 92, no. December 2012, pp. 25–55, 2014.
[42] W. Zhou, Y. Zhou, X. Jiang, and P. Ning, "Detecting repackaged smartphone applications in third-party android marketplaces," Proc. Second ACM Conf. Data Appl. Secur. Priv. - CODASKY '12, pp. 317–326, 2012.
[43] "[Utility][Tool][Windows] Baksmali/Smali Ma… | Android Development and Hacking." [Online]. Available: http://forum.xda-developers.com/showthread.php?t=2311766. [Accessed: 22-Dec-2015].
[44] Y. Aafer, W. Du, and H. Yin, "DroidAPIMiner: Mining API-Level Features for Robust Malware Detection in Android," Secur. Priv. Commun. Networks, vol. 127, pp. 86–103, 2013.
[45] A. P. Fuchs, A. Chaudhuri, and J. S. Foster, "SCanDroid: Automated Security Certification of Android Applications."
[46] W. Enck, D. Octeau, and P. McDaniel, "A Study of Android Application Security," no. August, 2011.
[47] D. Octeau, S. Jha, and P. McDaniel, "Retargeting Android applications to Java bytecode," in Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering - FSE '12, 2012, p. 1.
[48] A. Bartel, J. Klein, M. Monperrus, and Y. Le Traon, "Dexpler: Converting Android Dalvik Bytecode to Jimple for Static Analysis with Soot," 2012.
[49] "A framework for analyzing and transforming Java and Android Applications." [Online]. Available: http://sable.github.io/soot/. [Accessed: 07-Nov-2015].
[50] "Main Page - WalaWiki." [Online]. Available: http://wala.sourceforge.net/wiki/index.php/Main_Page. [Accessed: 07-Nov-2015].
[51] E. Chin, A. Felt, K. Greenwood, and D. Wagner, "Analyzing inter-application communication in Android," Proc. 9th …, pp. 239–252, 2011.
[52] "Dedexer users manual." [Online]. Available: http://dedexer.sourceforge.net/. [Accessed: 08-Nov-2015].
[53] M. Egele, T. Scholte, E. Kirda, and C. Kruegel, "A survey on automated dynamic malware-analysis techniques and tools," ACM Comput. Surv., vol. 44, no. 2, pp. 1–42, 2012.
[54] I. You and K. Yim, "Malware obfuscation techniques: A brief survey," Proc. - 2010 Int. Conf. Broadband, Wirel. Comput. Commun. Appl. BWCCA 2010, pp. 297–300, 2010.
[55] I. Burguera, U. Zurutuza, and S. Nadjm-Tehrani, "Crowdroid: Behavior-Based Malware Detection System for Android," Proc. 1st ACM Work. Secur. Priv. smartphones Mob. devices - SPSM '11, p. 15, 2011.
[56] "strace download | SourceForge.net." [Online]. Available: http://sourceforge.net/projects/strace/. [Accessed: 22-Dec-2015].
[57] A. Shabtai, U. Kanonov, Y. Elovici, C. Glezer, and Y. Weiss, "Andromaly: a behavioral malware detection framework for android devices," J. Intell. Inf. Syst., vol. 38, no. 1, pp. 161–190, 2012.
[58] M. Zhao, F. Ge, T. Zhang, and Z. Yuan, "AntiMalDroid: An efficient SVM-based malware detection framework for android," Commun. Comput. Inf. Sci., vol. 243 CCIS, pp. 158–166, 2011.
[59] W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones," OSDI '10, vol. 49, pp. 1–6, 2010.
[60] L. Yan and H. Yin, "DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis," Proc. 21st USENIX Secur. Symp., p. 29, 2012.
[61] F. Wu, H. Narang, and D. Clarke, "An Overview of Mobile Malware and Solutions," J. Comput. Commun., vol. 2, no. 2, pp. 8–17, 2014.
[62] T. Bläsing, L. Batyuk, A. D. Schmidt, S. A. Camtepe, and S. Albayrak, "An android application sandbox system for suspicious software detection," Proc. 5th IEEE Int. Conf. Malicious Unwanted Software, Malware 2010, pp. 55–62, 2010.