Figure 4 - uploaded by Aristide Fattori
Examples of touch event management.

Source publication
Article
Popularity and complexity of malicious mobile applications are rising, making their analysis difficult and labor intensive. Mobile application analysis is indeed inherently different from desktop application analysis: In the latter, the interaction of the user (i.e., victim) is crucial for the malware to correctly expose all its malicious behaviors...

Context in source publication

Context 1
... if it is not able to consume the event, it sends it back to the parent. Figure 4 shows two examples of touch event management: in the former, the event flows down through the hierarchy and, since it is not consumed by any view, it goes back to the Activity; in the latter, the event is consumed by the second View child of the ViewGroup object. ...

Similar publications

Preprint
XML configuration files are widely used in Android to define an app's user interface and essential runtime information such as system permissions. As Android evolves, it might introduce functional changes in the configuration environment, thus causing compatibility issues that manifest as inconsistent app behaviors at different API levels. Such iss...

Citations

... PuppetDroid [12] uses a perceptual hash to identify similar screens, courtesy of the pHash library¹. Hashes were used to identify similar screens of known good apps in suspected malware apps as part of a method to detect malware. ...
... User Interaction: The possible solution for the detection of malware is to examine the user's interaction with apps. PuppetDroid [25] and Dynodroid [26] are the systems developed for the analysis of user interaction. ...
Article
Purpose: This paper provides the basics of Android malware, its evolution, and tools and techniques for malware analysis. Its main aim is to present a review of the literature on Android malware detection using machine learning and deep learning and to identify the research gaps. It provides the insights obtained through the literature and future research directions which could help researchers come up with robust and accurate techniques for the classification of Android malware.

Design/Methodology/Approach: This paper provides a review of the basics of Android malware, its evolution timeline and detection techniques. It includes the tools and techniques for analyzing Android malware statically and dynamically to extract features and finally classify them using machine learning and deep learning algorithms.

Findings: The number of Android users is expanding very fast due to the popularity of Android devices. As a result, there are more risks to Android users due to the exponential growth of Android malware. On-going research aims to overcome the constraints of earlier approaches to malware detection. As evolving malware is complex and sophisticated, earlier approaches such as signature-based and machine-learning-based detection are not able to identify it in a timely and accurate manner. The findings from the review show various limitations of earlier techniques, i.e., they require more detection time, have high false positive and false negative rates, show low accuracy in detecting sophisticated malware, and are less flexible.

Originality/value: This paper provides a systematic and comprehensive review of the tools and techniques being employed for the analysis, classification and identification of Android malicious applications. It includes the timeline of Android malware evolution, tools and techniques for analyzing it statically and dynamically for the purpose of extracting features, and finally using these features for detection and classification using machine learning and deep learning algorithms. On the basis of the detailed literature review, various research gaps are listed. The paper also provides future research directions and insights which could help researchers come up with innovative and robust techniques for detecting and classifying Android malware.
... Among the relevant work on application analysis of Android applications, we can cite Babelview [31], Androguard [14], MalloDroid [18], FlowDroid [6], Apposcopy [19], and Dexpler [7] as examples of static analysis. On the other hand, DroidScope [45], CopperDroid [38], PuppetDroid [20], TaintDroid [16], DroidTrace [47], Andlantis [10], and IntelliDroid [44] mainly employ dynamic analysis. There have been attempts to bridge the two families of approaches, such as SMV-HUNTER [35], Andrubis [25], and Andrototal [26]. ...
Conference Paper
MagnetDroid is a novel artificial intelligence framework that integrates a security ontology, a multi-agent organisation, and a logical reasoning procedure to help build a bridge between the worlds of Android application analysis and law, with respect to privacy. Our contribution helps identify violations of the law by Android applications, as well as predict legal consequences. The resulting implementation of MagnetDroid can be useful to privacy-concerned users in order to acknowledge problems with the privacy of the applications they use, to application developers/publishers to help them identify which problems to fix, and to lawyers in order to provide an additional level of interpretation for any court when considering the privacy of Android applications.
... To deal with UI-related evasions, dynamic scanners could adapt ideas used in PuppetDroid [27] and PyTrigger [26]. These approaches record an interaction trace from a human and play it back when loading the file under analysis to get through possible checks that guard the attack. ...
Preprint
Malware scanners try to protect users from opening malicious documents by statically or dynamically analyzing documents. However, malware developers may apply evasions that conceal the maliciousness of a document. Given the variety of existing evasions, systematically assessing the impact of evasions on malware scanners remains an open challenge. This paper presents a novel methodology for testing the capability of malware scanners to cope with evasions. We apply the methodology to malicious Portable Document Format (PDF) documents and present an in-depth study of how current PDF evasions affect 41 state-of-the-art malware scanners. The study is based on a framework for creating malicious PDF documents that use one or more evasions. Based on such documents, we measure how effective different evasions are at concealing the maliciousness of a document. We find that many static and dynamic scanners can be easily fooled by relatively simple evasions and that the effectiveness of different evasions varies drastically. Our work not only is a call to arms for improving current malware scanners, but by providing a large-scale corpus of malicious PDF documents with evasions, we directly support the development of improved tools to detect document-based malware. Moreover, our methodology paves the way for a quantitative evaluation of evasions in other kinds of malware.
... Employing dynamic code analysis could be a promising solution to these problems. However, other challenges may include scalability and the creation of test patterns for UI navigations [38], [39]. As we mentioned earlier, we adopted static analysis because our empirical study required analysis of a huge volume of applications. ...
Article
Permission warnings and privacy policy enforcement are widely used to inform mobile app users of privacy threats. These mechanisms disclose information about the use of privacy-sensitive resources such as the user's location or contact list. However, it has been reported that very few users pay attention to these mechanisms during installation. Instead, a user may focus on a more user-friendly source of information: the text description, which is written by a developer who has an incentive to attract user attention. When a user searches for an app in a marketplace, his/her query keywords are generally matched against the text descriptions of mobile apps. Then, users review the search results, often by reading the text descriptions; i.e., text descriptions are associated with user expectation. Given these observations, this paper aims to address the following research question: What are the primary reasons that text descriptions of mobile apps fail to refer to the use of privacy-sensitive resources? To answer the research question, we performed an empirical large-scale study using a huge volume of apps with our ACODE (Analyzing COde and DEscription) framework, which combines static code analysis and text analysis. We developed light-weight techniques so that we can handle hundreds of thousands of distinct text descriptions. We note that our text analysis technique does not require manually labeled descriptions; hence, it enables us to conduct a large-scale measurement study without requiring expensive labeling tasks.
Our analysis of 210,000 apps, including free and paid, and multilingual text descriptions collected from official and third-party Android marketplaces revealed four primary factors that are associated with the inconsistencies between text descriptions and the use of privacy-sensitive resources: (1) existence of app building services/frameworks that tend to add API permissions/code unnecessarily, (2) existence of prolific developers who publish many applications that unnecessarily install permissions and code, (3) existence of secondary functions that tend to be unmentioned, and (4) existence of third-party libraries that access the privacy-sensitive resources. We believe that these findings will be useful for improving users' awareness of privacy on mobile software distribution platforms.
... The study revealed a detection rate of 95.97% with the elimination of 23 unnecessary attributes. Further, to precisely capture malicious behavior, authors in [22] simulated human interaction. The proposed system demonstrated an improved performance compared to other automatic analysis methods. ...
... **if** $\mathit{sum}_n > 0$ **then** $T(s_i) \leftarrow \mathit{sum}_d / \mathit{sum}_n$ ...
Article
The openness of the Android framework and the growth of users' trust have gained the attention of malware writers. The momentum of applications (apps for short) downloaded from numerous app stores has stimulated the proliferation of mobile malware. Now the threat is due to the sophistication of malware being written to bypass signature-based detectors. In this paper, we investigate system calls to tackle mobile malware on the Android operating system. To do so, we first employed machine learning to extract system calls. We then performed an empirical estimation of system calls derived from diverse datasets employing human interaction and random inputs. After accomplishing intensive experiments on synthesized system calls with two feature selection approaches, namely Absolute Difference of Weighted System Calls (ADWSC) and Ranked System Calls using Large Population Test (RSLPT), we validated the results on five datasets. All classifiers achieved an Area Under Curve of 1.0 with an accuracy exceeding 99.9%, suggesting the appropriateness and efficacy of the proposed approach. Finally, we evaluated the effectiveness of the classifiers against adversarial attacks and found that they are vulnerable to data poisoning and label flipping attacks. Adversarial examples created by poisoning malware samples resulted in a significant drop in classifier performance when perturbing 12–18 prominent attributes. Moreover, we implemented class label poisoning attacks which brought down the classification accuracy by 50% when altering the labels of 50 malicious training instances.
... While running applications, there is no guarantee that the execution path in Java code stimulates and triggers malicious behavior of malware, which is defined as code coverage. Some of the recent research works began to address code coverage [37,38], however, they were unable to fully solve the problem. ...
Conference Paper
Smartphones, tablets, and other mobile devices have quickly become ubiquitous due to their highly personal and powerful attributes. Android has been the most popular mobile operating system. Such popularity, however, also extends to attackers. The amount of Android malware has risen steeply during the last few years, making it the most targeted mobile operating system. Although there have been numerous studies reviewing the current analysis and detection methods, they are unable to fully cover this research domain. Therefore, in this paper, we group the current analysis and detection methods in mobile malware detection. In addition, we review the Android features available in mobile malware detection, and several trusted and widely used datasets.
... A privilege behaviour is implemented in the literature (Zhou et al., 2012) for judging the new Android malicious software, and a heuristic filter is used to detect unknown Android malicious software (Rangwala et al., 2014). In literature (Gianazza et al., 2014), the suspicious and abnormal application is determined through the extraction of sensitive authority for a semantic search query and the analysis of the relationship among the call permissions. Feizollah et al. (2014) proposes a method based on the required permissions to determine the application category, and summarises the frequently used rights in malicious software. ...
Article
With the popularity of Android mobile phones, the security threat brought by flaws in the system's own security mechanisms is increasingly severe. Therefore, it is necessary to design a highly efficient and accurate detection scheme for Android malware. In this paper, an Android malware static detection scheme based on a cloud security structure is designed. For one thing, the main detection work of the scheme is deployed on cloud servers, which makes detection efficient and fast. For another, using a highly efficient classification algorithm to perform static analysis on the source code of the targeted APK (Android Package) file determines more accurately whether the application (app) is safe or malicious. Finally, in order to estimate the detection efficiency and accuracy, 1143 malware app samples and 2937 normal app samples are collected.
... PuppetDroid [46] aims to simulate human interaction for precisely obtaining malicious behaviour. The system employs two phases (a) the first phase logged the stimulation traces and (b) the next phase re-executed the traces. ...
Article
The extensive use of smartphones and the increased popularity of the Android operating system have led to a proliferation of malware attacks. In order to overcome these malicious attacks, numerous malware detectors are now available and have been described in the literature. A majority of detectors rely on system calls, as these are a non-bypassable interface between user applications and system services. In order to defeat system call-based detectors, an adversary usually deploys a mimicry attack (see Section 5.2), through which a sequence of system calls is injected into malicious apps to alter the actual sequence. It is evident that signature-based detectors result in a high false alarm rate due to such mimicry attacks. Therefore, in this paper, we propose a non-signature-based malware detector that is not vulnerable to mimicry attacks and keeps the false alarm rate very low. In the present work, two different environment settings have been created for monitoring the deviation in behaviour under synthetic user events against that under real ones, through application executions. Feature selection was carried out by employing the "Scatter Assessment" method on 2100 apps. Extensive experimentation has been carried out to select a concise set of features. The proposed method selects features in such a way that it minimizes the intra-class variance and maximizes the inter-class variance. Such a variance optimization allows us to evade mimicry attacks. The method has been validated for effectiveness and applicability by means of two different datasets comprising real samples. An area under curve of 1.0 with accuracy in the range of 99.8–100% was obtained, proving the efficacy of the proposed malware scanner.