9 Different Proposed Android Malware Computer Science
Mobile devices as we know them are no longer used merely for facilitating wireless communication in the form of phone calls, or sending brief text messages using the Short Message Service (SMS), they have come a long way from that and now have become much more advanced devices commonly known as smart phones. These are devices that can connect to a wide range of networks including the internet via 3G or Wireless Fidelity (Wi-Fi), and have numerous applications that are developed to entertain and enhance the experience of the user. But because these devices have the ability to browse the internet and can exchange information with various devices and networks they become susceptible to attacks and threats by malware, and are the primary target these days. Previously one would find instances of malware only on personal computers, but since people rely on their smart phones ever so often for even sensitive interactions like online banking and these devices are becoming ubiquitous, the risk posed by malware on smart phones is very high. The extent of damage however is variable, a malware might render the victim's phone unusable, steal personal data like the victim's location or other confidential information, or access premium numbers from the victim's phone causing undesired billing.
There are several complexities that arise when it comes to antivirus solutions for smart phones,
Unlike personal computers, mobile devices do not have extensive computational resources, running an antivirus would consume a lot of RAM and CPU resources which would result in a sluggish operation of the phone along with accelerated depletion of the battery charge. And for these anti-virus solutions to be effective they need to have virus signature database that is constantly updated, and for new signatures to be added, we need effective means of detecting previously unknown malware.
Smart Phones are available on several different platforms, but the platform with the most impressive growth and global spread is the Android platform. Being the most popular smartphone platform, and with the number of devices out their public. Android has become the breeding ground for new mobile malware, and it is spreading through the smart phone applications at a rapid rate even though the platform itself is developing and releasing newer versions at quite a fast pace. [1] Describes how the currently existent security features of the Android platform are largely insufficient, and that even applications that are not malicious, are coded in such a way that a lot of confidential information is collected. There has been a revolution in the services that are being offered via mobile applications, these are so many in number that there exist marketplaces for each mobile OS to centralize the distribution of these applications, and have their own mechanisms to prevent malicious applications from being distributed through the official channels, However, several malicious applications still reside on the Google Play store even after implementing their security layer of the Google 'Bouncer' since the review process is not very stringent, and unsuspecting users download it directly from there, thinking it's a genuine application and can cause no harm to their device. The problem however doesn't stop there since there are various other unofficial application marketplaces too that are capable of similar distribution of genuine smart phone applications and malicious applications alike except these have no review process, and a developer may publish his app directly to these marketplaces. Since there is no certification authority and developers can self-sign their applications and upload then regardless of their nature, through both official and unofficial repositories.
In [2] the author describes how most of the common malware are Trojan horses that usually camouflage themselves a useful applications like task managers, or a game etc. Free applications, on Android markets are made available to users too, these applications are able to sustain themselves via advertising revenues. Users are more inclined to download free version of apps, instead of paying for them, and Malware develops would tend to design their apps as a desirable application which would be downloaded often. While these applications do provide the features and functionality of the legitimate app, they also have a hidden secret feature that performs malicious activities without the user noticing it in the background. These kind of applications are usually spyware, which track the user's personal data like GPS Location and preferences and often sell them to advertisers so that they can generate targeted advertisements, the other benefit for the malware developer lies in his ability to make premium phone calls and send premium SMS silently from the victims phone, which cause unwanted billing for the victims.
Google, tries to prevent these kind of security breaches, by making applications declare what permissions they would require on the phone, and to use only the required permissions for the functioning of the application. By right the victim approves access to the malware and lets the installation continue even though he sees that there are unnecessary permissions being requested in the manifesto. Asking users to only install applications doesn't seem like an effective approach for deterring the users from downloading malicious application. The users rarely know the extent to which a particular permission affects their personal data, and after several application installs they get accustomed to ignoring any such warning that come prior to installation. A similar ineffectiveness is seen in the case of User Account Control that was implemented by Microsoft to prompt the user to allow or deny any change that was being made by a software on the computer, by fading out the screen and only focusing on a dialog box. This approach became annoying, and 69% of the users merely disabled the feature and went on to use the computer normally [2].
In [3] a study of third party Android markets, showed that there was a common practice of repackaging genuine applications acquired Google Play from and uploading them to these third party marketplaces. The purpose of repackaging, could be to replace the current applications revenue mechanism via in-app advertisements and replacing it with their own custom route, which divers the income to them, another more dangerous purpose however is to attach malware to it, plant backdoors or hide malicious payloads. Legitimate App developers are also affected by this repackaging since their reputation becomes impaired, as the word spreads that their app is malicious, even though it was not their intention for it to be so and are victims of intellectual property theft, and theft of their financial capital generated via the apps.
This serious situation calls for an effective manner to detect malware on the Android platform, this paper will review few of the newer Android malware detection techniques that have surfaced.
Background on Android PlatformThe Android platform has developed a great deal from its inception, and with the advances in mobile technologies, the higher memory and processing power capabilities and larger than life screen sizes, smart phones provide the perfect platform for app developers to build apps that can portray a lot of innovation, and can boast excellent Human Computer Interaction (HCI). Android platform is the first fully featured open source mobile operating system that was created to serve the consumer market. The open nature of Android and its attractive features has led to its global acceptance, and due to this it has a rapid growth which has given a huge boost to the market of Android applications.
There are four layers in the Android architecture layer stack, the uppermost layer is the Android Application layer, and the three layers below it are the application framework, Android runtime and the Linux Kernel. The Linux Kernel is what acts as an abstraction layer between the software stack of Android and the remaining hardware of the device. And since Android is open source it has allowed security researchers to focus on interactions at the kernel level and obtain useful information. Android applications are developed using the Java programming language along with the tools and API's provided by the Android Software Development Kit (SDK).
The security model on Android relies on the operating system, and is enforced by making application developers declare permissions in the "Android Manifest.xml" file in their application, which are hard coded and identify what data and interfaces the application has access to, but not on how they can be used. The user is asked before installation whether he would like to grant the permissions requested by the applications, and has no control over micromanaging which permissions can be allowed and which cannot since according to the developer all those permissions would be required to ensure the proper functionality of the application. But often we see permissions which are unnecessary being requested by applications, the users must be wary of this, but sadly the only choice the user has is to install the applications, or not install it if the permissions seems to infringing to the users data and it is against his interest. The developer cannot remotely modify the permissions, unless he releases a new version which upon installation would prompt the user to once again review and accept the permissions being requested by the application.
Current Developments in Android Malware Detection Techniques.There have been various different approaches towards detecting Android Malware and there have been several publications documenting them but not particular technique has prevailed over the other, this section will review current developments and contributions in the field of Android malware detection.
[4] Proposed a behavioral framework to detect malware on the Android platform called "Andromaly", the proposed framework is able to perform as a malware detection system by continuously monitoring the events and features of the mobile device and passing the data through anomaly detectors that use Machine Learning, the data that is collected can then either be classified as safe or malicious. The framework is implemented using small application which once installed samples various pieces of system data like CPU usage, the bandwidth of data being used, the intensity of packets sent via cellular or Wi-Fi networks, total number of processes running, battery consumption etc. and then analyses if the phone is functioning normally, or there are some anomalies in the collected data. The framework utilizes the idea that malware that have not yet been encountered can be detected by analyzing the similarities shown in the fluctuation of above mentioned system data with the introduction of already known malware. This would help users detect any suspicious activity on their devices. The framework is modular and can utilize various malware detection techniques using rules and algorithms besides its behavioral approach. In order to improve the performance of the framework and make it less resource intensive they utilize a small number of features for the purpose of detection. The framework to be effective however requires a certain amount of training over a wide range of malware induced environments and safe environments to improve its rate of detection and reduce false positives. This however might put the user at a disadvantage should he not have ample malicious samples to train the framework to perform in a favorable manner.
In [5] they discuss how one of the effective methods of detecting hidden threats in applications is by using some means to dynamically analyze them and the technique utilized to detect malware in their system is behavior based and their detection system consists of log analysis application on a server machine which would be used for analysis and at the Kernel layer they have a log collector which would record all the system calls that were made since most applications have to go through the kernel layer, however since the logs generated would be huge and contain data from all applications , it would make the detection mechanism less efficient due to all the additional data, hence it implements a feature that allows it to filter the events with the perspective of a target application. The log analyzer in turn is able to pick up the process tree of the target application's activity and compares the activities with signatures created using regular expressions and is able to detect malicious activity if anything out of the ordinary takes place. Signatures of information leakage are also automatically generated using the data stored on the phone like Google account details and credentials, phone number, SIM info and IMEI numbers. And by using this technique they are able to identify and successfully detect the malicious behavior of applications and malware that have not been identified yet. This technique shows a lot of promise, and it can be greatly improved with a more sophisticated set of signatures to detect malicious activity which would help reduce error rates of false positive and false negative in the detection phase, also the efficiency can be improved by implementing techniques that would lessen the clutter in the logs being collected, and using more efficient means to reduce the log size.
[6] Focuses on detecting a particular kind of malicious Android application, the kind that attempts steal money and cause unintended purchases from an unsuspecting user by pretending to be a legitimate application, but instead dialing premium numbers or sending premium SMS, from the victim's phone. They propose a system called "MoneyGuard" which follows a systematic approach towards detecting these malicious Android applications that steal money. Their technique also uses a behavioral approach to detect malware. They have identified two main behavioral patterns that seem to present in most of the money stealing malicious Android apps. The particular application behaviors they mention are the suppression of notifications, which allows the app to continue stealing money and charge the victim's by not letting the notifications surface and keeping the victim in the dark, and then the second behavior is hardcoded exfiltration, which makes the app send messages to hardcoded third party premium numbers or dialing to premium numbers in the background. [6] Present a light weight detection approach that will help in identifying this behavioral pattern. The system contains three components, the "Billing Permission Extractor", "Billing Behavior Identifier" and "Notification Suppression Detector". The first component extracts the permissions from the "Android Manifest.xml" file of the applications and analyses it for any permissions that allows the application to perform actions that are billable, like sending and receiving SMS, making phone calls and access the Internet. The second component decompiles the APK file of the application, and examines the Dalvik byte code for each activity performed by the application along with the system calls that are made, additionally it also searches for any hard-coded phone numbers that the application might try to communicate with. Lastly the third component, is used to detect if the application is utilizing any form of notification suppression, and if it already had certain suspicious billing behavior detected in the first two components, it is considered a money stealing application if in the third component it is found to have notification suppression features in it. This technique seems rather useful and relevant to mitigate the practical threat of money stealing apps that many Android users are a victim to, but are not yet aware of it. This platform can perhaps be extended to include other kinds of Android malware in a modular fashion to improve the usability of this system, in day to day Android malware detection.
[3] Claims that commercially available techniques to counter malware on smartphones is largely inadequate, and that since these techniques rely on malware signatures alone, the users relying on these malware detection solutions are left exposed to new malware until the new signature is developed and the system is updated with the latest malware signatures. The extent of damage that can be done till then and the amount of other phones the malware can spread to during that time is tremendous. Their proposed system contains three main components, analysis on the device itself, collaboration module and a client-server feature for remote analysis. To communicate between the kernel layer and the software stack they wrote a tool called "Interconnect Daemon" which is a Linux server daemon that contains modules that perform various functions such as monitoring the system, scanning the files and creating hashes for the important ones, waiting for specific system signals that trigger certain events, one specific module is used to extract all Executable and Linking Format (ELF) object files excluding the shared library, and inspected them for a number of system commands, they performed similar analysis for malicious samples that were acquired from the internet and identified the static list of function calls made by them. This findings from the static analysis of system commands and malicious applications forms the training set for the system to help determine safe and malicious applications. The server component is utilized here to analyze the interdependencies between attributes of executable to help in classifying them better, rules are synthesized after this stage and pushed to the mobile devices, this helps in reduce false positives. The actual performance of the malware intrusion detection of the system on the mobile device would be possible after acquiring the rules. When a mobile device notices an anomaly if properly implemented, it should be able to utilize the other mobile devices around it running the system through collaboration and obtain computational resources for faster detection, if the computation cannot be performed on the device itself then it is sent to a remote server, and the results are obtained. Experimentation using real devices and malware is yet to be done using this technique, but it still seems like a viable and interesting solution to malware detection.
In [7] the proposed method for detecting Android malware is by implementing a market wide scanner, their system is devised in such a way that it crawls the entire Google Play store using a combination of parameters based on various classifiers such as country, genre, language etc. This way their method is able to acquire all existing applications on the market and not merely those which are displayed as available to the particular device that the market is being accessed from. Once the application samples are collected from the market, a heuristics engine is run in order to pre-process the samples in order to gauge which samples possess malicious characteristics and prioritize the analysis on them. The heuristics engine used in this method is a kind of static analysis tool that would check for 39 different preset properties, which are broadly categorized as the permissions requested by the app, peculiar calls to Java classes or methods, code size, geodata indicators, executable files, URL's present in code etc. This technique was used to minimize the time consumed in doing a large scale scan and also appropriate filtering mechanisms were implemented where required to ignore legitimate applications, which host a guest application to facilitate in app advertising. Each attribute was assigned a particular risk score, and the risk would incremented for the application as the scan progresses and give a final risk score that would help deduce it's malicious or benign nature if the score is beyond a particular limit. The main objective of this technique is to sift out and prioritize which samples should be subjected to further analysis give the number of samples being scanned. An added benefit to this approach is that it serves as a repository of metadata which can be used to compare, any rogue apps in the market that are pretending to be popular legitimate applications but have their code altered to perform malicious functions.
[2] Presents another systematic approach to detect malicious Android applications on both official and unofficial Android marketplaces, unlike [11-22] that crawled only the official market. They attempt to detect both known malware variants as well the ones that are yet to be detected. They developed a prototype, tool called "DroidRanger" in order to implement this detection approach. After the market crawler collects the apps from various markets it stores them in repository. "DroidRanger" then extracts the basic properties of the app like information about the author and the permissions requested, and then stores this information besides the actual application in a database for the purpose of efficiency. Two separate malware detection engines are utilized, to use the first type of detection engine, a behavioral and permission oriented footprint is generated of the known malware samples, this helps in detecting malicious applications that have footprints similar to the known malware by seeing which permissions are being abused for malicious purposes. The second detection engine utilizes a heuristics based filtering mechanism that helps detect zero day malware samples. They use two kinds of heuristic approaches the first analyzes if any binary code is being loaded dynamically from a remote sure, and the second analyzes if there is any native code being loaded dynamically, this is usually the case when it comes to kernel level exploits, and this method aims at finding malware that try to "root" the device.
[8] Also take a proactive stance towards detecting zero-day Android malware by analyzing a large number of applications from both official and unofficial Android marketplaces. Their technique does not rely on malware samples and signatures, and categorizes the potential risk an application can pose as high, medium and low risks. Applications classified as high risk are the ones that exploit platform vulnerabilities and get unauthorized access to the devices, those classified as medium do not perform any exploits but are capable of causing financial damages to the user or steal personal information, those classified as low also steal information but cause less impact, as it is only device specific information like IMEI number etc. They developed an automated system called "RiskRanker" to assess and assign this risk classifications. The analysis happens in two fold, for the first phase to detect high risk apps that contain attack code, the code of the well-known exploits is distilled and signatures are created to compare the common characteristics between the exploits and the application being analyzed. To detect medium risk apps, certain permissions that can potentially harm the user of if abused like "android.permission-group.COST_MONEY" along with certain system calls which indicate the functioning of the application silently without notifying the user are searched for by performing static analysis. The first phase would typically work with non-obfuscated applications. The second phase was designed malware that might be designed to be hidden from the analysis performed in the first phase or might be encrypted. The first part of this phase includes capturing certain behavior which can be commonly abused but is usually legitimate, like a child application inside a host application, utilization of Java encryption APIs to encrypt communication, dynamic code being loaded in the background, native code execution and hard coded access to internal directories of the device.
[9] Chose to use dynamic analysis of an application's behavior as the basis of detecting malicious apps in their framework. The framework itself is comprised of many components which are able to complement one another and provide the mechanism and the resources to detect Android Malware. The first component is a client application called "Crowdroid", which is an application that can be downloaded by Android users from the Google Play store. This application allows the system calls made at the kernel level to be monitored. Users can aid in malware detection by providing certain data that is related to the behavior of the applications they use regardless of where they acquired their applications from, this method of crowdsourcing data does not collect any personal information from the users. The output logs of the application behavior which are created using a tool called "Strace" which enables the collection of system calls are then forwarded to the remote server which is in charge of parsing the data and creating vectors that correspond to various system calls which also represent the number of times each system call was used, this helps in generating a dataset of benign application behavior. For the success of this technique it requires multiple users to use the "Crowdroid" application which will increase the quality of the dataset and help detect anomalies in the application behavior to alert all users of a malicious application. The detection component works by using K-means clustering algorithm over the system call vector dataset to detect any anomalous behavior.
[10] Proposes a similar technique of a feature based static analysis to detect malicious Android applications, it utilizes the static information like API calls, components being deployed and permissions to obtain characteristic features of the Android applications. They developed a proof of concept framework called "DroidMat" , that extracts this information from the application's manifest file, the disassembled code is then further analyzed using "apktool" , this approach also makes use of vectors for each application that indicates whether a not a malicious element is present in the application. The application's functional behavior is further classified using K-means and EM algorithm using the Singular Value Decomposition method, this analyzes the behavior of the application and its functionalities. Finally K-Nearest Neighbor (K-NN) algorithm is utilized to identify the application as benign or malicious.
Challenges Encountered in Malware Detection ResearchOne of the most common challenges when it comes to malware detection techniques is the occurrence of false negatives and false positives in the report. Which causes malicious applications to be classified as safe, and legitimate applications that seem to need access to particular features in order to perform its function seems similar to a malware and is classified as one.
[1] identified various challenges that they faced in utilizing their technique of anomaly detection,
Like the fact that the activities that malware perform are often very short and do not provide enough data for their framework to learn from the behavior or even detect it. Also that there was a shortage of a training set of malicious applications that can be used to improve the detection framework, and lastly the behavior of malware can be variable between each attack and be polymorphic in nature, which causes additional challenges to the researcher.
[5] uses a dynamic analysis technique and relies heavily on the log data and the signature set the system contains, to be comprehensive it stores all the communication of applications with the kernel layer via system calls but the drawback with using this technique, is the constant monitoring of processes generates a large amount of log entries, and one would have to sift through a lot of log data to get to the relevant information , unless an efficient means of filtering the logs is used and also an efficient means of collecting the logs so that the log size is reduced.
The quality of the results would also depend on how well the signature set is developed to reduce errors in detection.
[8] also faces similar challenges whereby their technique relies on known exploit signatures, if the exploit is encrypted or obfuscated the analysis technique used might give a false negative, the techniques utilized to curb the flow of malwares into the markets as well the techniques used to identify them might be studied by malware authors and countered, making the next generation of malware even harder to detect.
Techniques like in [7] where markets are crawled to download application to add to the repository might be banned from the markets for excessive downloading.
[2] states that the current model of the Google Play store where users need to rate and alert if a particular application is malicious is not effective and doesn't work, the analysis they performed was done only on free applications and they are of the opinion that paid apps might have certain obvious differences which might not let their technique work the same way. Only five marketplaces were utilized for the experiment, and only two behavioral characteristics were utilized for the identification of zero day malware using the heuristic search, a much more effective analysis can be performed by adding more parameters to the heuristic search like checking for a behavior where an SMS is being sent to a premium number etc.
For the adoption of the crowd sourced technique proposed by [9], they face a challenge in convincing Android users to download and install the "Crowdroid" application, and moreover to not feel like it is a loss of privacy when they support the researchers with behavioral information of their application since this only benefits them by providing updated statistics of malwares being detected.
Future Prospects of Android Malware Detection.The security model of the Android platform might change steeply, and the developers contributing to the Android Operating System probably will start taking security seriously making it less easy for malware to reside on their app stores, or the mobile devices running the Android OS. Until then however malware developers would start developing malware and packing them in such a way that they evade the existing techniques of detecting malware. Be it static, dynamic or intrusion detection based, Android malware techniques seem to be greatly improving upon the work of the predecessors, with more malware samples available in the future, it would be easier to conduct research and build more efficient detection techniques that would keep Android users safe. With well-established techniques, the next step would be to run comparisons between them side by side, to see which technique would be best suited for today's generation of Android users, and if a single technique is insufficient, then perhaps a combination of more than one techniques would be the way to go. In the future, when phones with higher specifications become more readily available and more widely used, the capability of the malware detection techniques can also be greatly increased by leveraging the higher computational capacities and memory modules of the future devices. It would be in the best interest for Android security if the future frameworks developed for malware detection, are open and modular, this way the community can contribute as a whole to help make it better, and the ability to crowd source statistical data would be much beneficial to the research towards developing better malware detection techniques.
ConclusionIn this review paper, we analyzed various Android Malware detection techniques that have been proposed, and observed the trends in the research geared towards finding better detection techniques. We were able analyze and understand the various challenges that were faced in building efficient techniques and implementing them. Just like the computer counterpart there isn't yet an All-in-one solution, that can be a remedy for all malware and detect the ones yet to be discovered, but considerable progress has been made. A common obstacle when most of the research in this field was conducted, was the lack of malware samples to experiment with. But today that is not the case there are ample sample's that are available and have been studied and well documented and this study of Android malware can greatly aid in the development of better Android Malware detection techniques, by knowing how the known malware behave and affect Android devices.
Article name: 9 Different Proposed Android Malware Computer Science essay, research paper, dissertation