A Survey on Android Malware Detection Techniques ...

2 downloads 0 Views 427KB Size Report
Chong WANG. 1. ,. Abdul Hannan SADIQ. 3 ..... [26] Liu Y., Z.Y., Li H., Chen X., A hybrid malware detecting scheme for mobile Android applications, In IEEE ...
2016 International Conference on Wireless Communication and Network Engineering (WCNE 2016) ISBN: 978-1-60595-403-5

A Survey on Android Malware Detection Techniques Rubata RIASAT1, Muntaha SAKEENA2, Chong WANG1, Abdul Hannan SADIQ3 and Yong-ji WANG1,* 1

Institute of Software, Chinese Academy of Sciences, Beijing, China 2

EME, NUST, Islamabad, Pakistan

3

Comsats Institute of Technology, Islamabad, Pakistan *Corresponding author

Keywords: Android malware, Malware detection, Smartphone security, Anti-malware.

Abstract. Now-a-days widely applicable smart phone application adoption and rapid growth of contextually sensitive nature of smartphone devices has led to a renaissance in mobile application services and increased concerns over smartphone malware. Most of the smart phone users are connected to internet for various purposes. Even after the advanced technology used in the smartphones still the users are remaining unprotected from malware attacks. To overcome these issues and to keep the smartphones safe a number of malicious applications, malware threat and adwares for mobile phones is expected to increase with the functionality enhancement of smart mobile phone. Android Operating Systems are most commonly used systems in the smartphones. Many applications are available in android play store and it is very difficult to distinguish and to discriminate between clean and malicious applications. We have briefly discussed different methods for detecting android malwares in this review and present a clear picture about these detection tools in the smartphone applications. Introduction Simple mobile devices have been replaced by sophisticated mobile computing devices such as smart phones and tablets. The market of smartphone will grow four times faster than mobile phone market. The demand of smartphones will increase until the customers will replace their old mobile phones with smartphones. These devices are used to assist users in browsing the Internet, receive and send emails, SMSs, and MMSs with other devices by activating various applications, thus making these devices potential attack targets [1]. Unluckily, this popularity also attracts malware authors. Many unknown developers are creating number of applications which are leading to cause malware and these application are exposing personal and critical private information i.e. phone identifiers and location while other legitimate applications are designed as open, programmable, networked devices, for which smart phones are vulnerable to various malware threats like viruses, Trojan horses, and worms. A compromised smartphone can be harmful for users as well as the cellular service provider [2]. A smart-phone can be partially or fully unusable because of malware which may cause unwanted billing, stealing of private information. Cellular networks, Internet connections (via Wi-Fi, GPRS/EDGE or 3G network), USB and other peripherals are the most likely to be attacked in smart phones. A study made by International Data Corporation, stated that in 2011 shipping of smartphone more than 450 million devices as compared to the year 2010, in which 303.4 million devices shipped. The applications are self-signed by developers rather than certification authority. Moreover, developers can also upload applications without testing their trustworthiness, including cracked applications or Trojan horses which not only allow malicious attackers to upload malware to the Market but also packed and spread malware by unofficial repositories. Juniper Networks reported that since summer 2010, a 400% increase in Android malware has been found in Global Threat Center. Android’s market has been targeted with more than fifty infected applications in March 2011, where all of the applications were infected with “DroidDream” trojan application. The growth of malware, lead to an evolution of

anti-malware tools, in which free and paid offerings are available in the official Android app market and in Google Play. In order to deal with this case, the operating system have been designed by Symbian and Google which will run applications only in specialized sandboxes and thus minimizing the ability of malware to spread [3, 4]. Furthermore, common desktop-security solutions are being economized to mobile devices. (Botha et al. 2009), examined common desktop security solutions and assessed their applicability to mobile devices. All applications in Apple are also required to pass a review process which will check for malwares. Though, it is possible for malware writers to dodge manual code inspection. Therefore, current research is focusing on the various alternatives to capture application semantics for smarter security decisions without manual code inspection. An important step for addressing this problem is the “android permission system”[5]. These limitations help to conclude that permissions are the wrong abstractions for understanding the application behavior. Thus, there is a real need for tools in response to Android malware that have the ability to automatically detect malicious applications which steal private user information.

Figure 1. An overview of an android attack.

Overview of Android System Security An in-house malicious application detection system called Bouncer is used by Google Play Store. It has been proved through many researchers that Bouncer’s ability to detect the malicious application is minimum thus could successfully publish a prototype malicious application in play-store. Application’s meta data is used by Android Play-Store uses like user’s rating and user’s comments to flag a malicious application. The detected malicious application could harm the affected mobile system. Malware authors dodge the detection in different ways such as code obfuscation technique, encryption, adding unnecessary permissions in the application, requesting for unwanted hardware, download or update attacks in which an application updates itself or with malicious payload considerend the most difficult parameters for detection. These techniques used by Malware authors encourage the need for new researches on the detection techniques, in which machine learning based techniques are included and used tobe more useful with high accuracy[6, 7].

Malware Detection Modern computer and communication infrastructures are highly prone to several types of attacks. The most common attacks use means of mischievous software (malware) like worms, viruses, and Trojan horses and high speed internet bring severe destruction for private users, commercial companies and governments. Static and dynamic techniques have been suggested for the such malware detection [1, 8]. Implementation of Static and dynamic analysis solutions are primarily done by using two methods; signature-based and heuristic-based method. The method of signature-based depends on the identification of unique signatures defining the malware and used by Antivirus vendors [8, 9]. Malware detection can be categorized into analysis, classification, detection and eventual containment of malware. A signature based technique is used by commercial antivirus in which the database is regularly updated so that the latest virus data detection mechanisms can be possessed. However, it is not possible to detect the zero-day malicious exploit malware through antivirus, based on signature-based scanner. The statistical binary content analysis of file is used to detect anomalous file segments [6]. Malware Detection in Mobile Devices The related literature points out that main focus of the research on protection of mobile devices is dynamic analysis approaches. The majority of the studies have proposed and assessed Host-based Intrusion Detection Systems (HIDS) which use anomaly- or rule-based detection methods, (GarciaTeodoro et al. 2009) these system extract and investigate a set of features that indicates the state of the device at runtime [10]. Artificial Neural Networks (ANNs) used to detect the anomalous behavior that indicates a fake use of the operator services. The Intrusion Detection Architecture for Mobile Networks (IDAMN) system uses both rule-based and anomaly detection methods where the method of IDAMN offers three levels of detection. (Yap and Ewe, 2005) used a behavior checker solution in their study in order to detect malicious activities in a mobile system used for proof-ofconcept scenario using a Nokia Mobile phone running a Symbian OS [8, 11]. (Cheng et al. 2007) offered a collaborative proxy-based virus detection and alert system for smartphones called SmartSiren. The joint analyses of communication activity of monitored smartphones are used to detect Single device and system-wide abnormal behaviors [11]. The study of (Schmidt et al. 2009) observed a smartphone running a Symbian OS for extracting features to describe the state of the device as well as used for anomaly detection where the collected features by a Symbian monitoring client are forwarded to a remote anomaly detection system (RADS) [12]. (Schmidt et al. 2008) revealed the ability of differentiating applications by using the collected features, Hey focused on the identification of critical kernel, log file, file system and network activity events, and development of the efficient mechanisms in order to monitor them in a resource limited environment [13]. The behavioral detection framework suggested by (Bose et al. 2008) detects mobile worms, viruses and Trojans by employing a temporal logic approach in order to detect malicious activity over time [14]. Intrusion Detection Systems (IDS) analyze generic battery power consumption patterns in order to detect malicious activity through power depletion. For example, a power-aware, malware-detection framework was considered that monitors, detects, and analyzes previously unknown energydepletion threats [15]. B-SIPS and [16] was offered to monitors the device’s electrical current and evaluates its correlation [17]. Network-based monitoring alone is unable to encounter the future threats for this reason host-based approaches are essential whereas a hybrid network/host-based approach on back-end server filters the received alarms according to correlation rules and forwards to a security monitoring GUI to be scrutinized by security-monitoring administrators [18]. Effectiveness of Keystroke Dynamics-based Authentication (KDA) on mobile devices was focused on short PIN numbers, yielded a 4% misclassification rate [19]. Static Analysis The static analysis deals with the features which are extracted from the application file without executing. The most popular dodging technique is known as Update Attack in which the malicious content is downloaded and installed as part of the update. This is not possible to detect by static

analysis techniques. Permission and API calls are the most common features of static analysis as extracted from AndroidManifest.xml, thus can influence the malware detection rate to a high level studied by various reseachers especially on meta-data available in Google PlayStore [20, 21]. Detection of a misuse of loading new untrusted code loaded from untrusted Websites like Java binary code. [22]. Static detection framework is beneficial in efficiency, granularity, layers, as well as correctness [23]. Sandbox an emulator records and analyzes the app’s behavior used to modify the short message (SM) sending function of the emulator, in order to record the SM content and receiver when the function is performed [24]. Dynamic Analysis (Wei et al. 2012) used a tool called Droidbox for monitoring the application so that the dynamic behavior of android applications can be analyzed. Application usually run in a sandbox environment. ICA. Weka and Fast ICA was used as total of 310 malware samples were used and achieved about 93% accuracy rate [19]. The study of (Alam and Vuong, 2013) embedded the mobile device in order to get the details like sent data by applications, IP address being communicated, number of active communications, the system calls and used Random forest with an accuracy of 99%. MLP not only achieves a highest accuracy but also True Positive rate for one feature set whereas J48 Decision Tree attains high performance rate for another feature set [25]. Linux based features are extracted from the Android OS gives high accuracy of about 85.6% [21]. In 2013, Ham and Choi [15] proposed an approach which was based either on several features extracted dynamically or the detection of new Android malware using machine learning algorithms. [22]. Hybrid Analysis The hybrid analysis combines the static and dynamic features [6]. A hybrid malware detecting scheme is shown by the experiment results that up to 93.33% to 99.28% accuracy can be achieved through SVM classifier and combination feature [26]. Malware Types, Propagation, Detection and Attacks on Android A. Types of malwares depending upon current trends are, Private Information Extraction, Spontaneous Calls and SMS, Root Exploits, search optimization, Dynamically Downloaded code, Covert channel, Botnets. B. Malware Attacks Technique on Android OS are Entry point obfuscation, code integration, code insertion, register renaming, memory access reordering and session hijacking are included in the infection strategies of malware. [27]. C. Propagation of malware Malware uses self-propagation or user interaction as basic methods of propagation does not entail intervention by any user but has ability to copy itself and initiating occasional execution without any intervention from its user [28]. D. Signature-Based malware detection In Signature-based detection the contents of computer files and cross-referencing their contents with the “code signatures” belonging to known viruses are scanned [27]. E. Specification-based malware detection Specification based detection use a rule set in order to decide the maliciousness of the program which violates the predefined rule set known as malicious program. A detection algorithm to addresses the deficiency of pattern-matching was proposed in specification-based malware detection [7]. F. Behavioral-based malware Detection The compromise of several applications makes the behavior-based malware detection system. The Android data mining scripts and applications collect the data from Android applications while the script running on the server stores all the collected data. [29].

Static Analysis Behavior Based Malware Detection Dynamic Analysis Figure 2. Static and Dynamic Analysis.

Andro-profiler detects by comparing the behavior profile of malicious application and then categorizes each malware corresponding to ist malware family.The results were scalable and excecutable with greater then 98% accuracy [30].The results from system call based approach can detect malwares with an accuracy of 87% [31]. Moreover, the WxShall-extend algorithm has been developed with results showing accurate, precise, and recall of 73%–93%, 71%–99%, and 42%– 92%, respectively [32]. Application Permission Analysis Applications run in a sandbox environment and required permissions in order to access certain data. When an app is installed, the user is asked for permission by Android platform based on the activities the application can perform. In 2009 Kirin security service for Android platform was introduced by Enck et al. for authorization so that application can perform sensitive activities so limitation in android platform can be overcome as android application developers used to deliberately keep secret the permission label [4].

Figure 3. Verification App process.

Cloud Based Malware Detection Google Play applications are scanned automatically for malware by using a service named Bouncer. When an application is uploaded, Bouncer checks and matches it to other known malware, Trojans, and spyware. Google is capable to remotely uninstall this application from mobile phone when it’s pulled from Google Play. "Application verification service" in Google for protecting against harmful [27].

Figure 4. Verification APP Process using Cloud.

Social Collaboration By using the concept of hot set, new malware detection architecture was introduced by Yang et al. which was based on social collaboration. According to the concept of hot set not all malware signatures are equally important. The hot-set is kept in the phone memory in order to improve the performance. Collaboration based approach improved the efficiency by 55% when likened with existing antivirus systems [33]. Conclusion We have discussed a systematic study based on recent developments in android malware detection in official and unofficial Android Markets through detecting the malicious application. This study not only highlights the various detection techniques and systems through static, dynamic and hybrid approaches but also discuss the different techniques that may have potential to counteract the update attack based on attack tree, permissions, contrasting permission patterns and network traffic monitoring. In the next stage, the Crowdroid lightweight client is not only deployed Google's Android market but also distributed to as many as possible users. In this case any User, running this application will be able to see the behavior of their smartphone. In case of any abnormal trace after the detection of any malicious applications, this application not only can alert the users but also can make the system to perform as an early warning system in the early stages of propagation. Acknowledgement This research was financially supported by the National Natural Science Foundation of China (61170072) and the National Science Foundation for Young Scientists of China under Grant (61303057) and the CAS/SAFEA international Partnership Program for Creative Research Teams, and especially CAS-TWAS President Fellowship Program for the overall study support. References [1] Sawle M. P. D. and Gadicha A. B, Analysis of Malware Detection Techniques in Android, IJCSMC, 3 (2014) 176-182.

[2] Shabtai A., K.U., Elovici Y., Glezer C., Weiss Y., , ”Andromaly”: a behavioral malware detection framework for android devices, JIIS.38 (2012)161-190. [3] Samra A.A.A., Y.K., Ghanem O. A, Analysis of clustering technique in android malware detection, In 7th Int Conf on IMIS. (2013) 729-733. [4] Sarma B. P., L.N., Gates C., Potharaju R., Nita-Rotaru C., Molloy I, Android Permissions: a perspective combining risks and benefits, In Proc of the 17th ACM SACMAT. (2012)13-22. [5] You I., Y.K., Malware Obfuscation Techniques: A Brief Survey, In Int Conf on BWCCA. (2010) 297-300. [6] Baskaran B., R.A., A Study of Android Malware Detection Techniques and Machine Learning, MAICS2016. (2016)15-23. [7] Jiang X., W.X., Xu D., Stealthy malware detection through vmm-based out-of-the-box semantic view reconstruction. In Procs of the 14th ACM Conf on CCS. (2007)28-138. [8] Moreau Y., S.-t.P.B.J., Stoermann C., Vodafone C. C, Novel techniques for fraud detection in mobile telecommunication networks. (1996). [9] Yang Z., Y.M., Zhang Y., Gu G., Ning P., Wang X. S., Appintent: Analyzing sensitive data transmission in android for privacy leakage detection, In CCS'13. (2013)1043-1054. [10] Fuchs A. P., C.A., Foster J. S., Scandroid: Automated security certification of android. (2009). [11] Cheng J., W.S.H., Yang H., Lu, S., Smartsiren: virus detection and alert for smartphones. In Proc of the 5th Int Conf on Mobile systems, applications and services. (2007) 258-271. [12] Schmidt A. D., P.F., Lamour F., Scheel C., Çamtepe S. A., Albayrak Ş., Monitoring smartphones for anomaly detection, Mobile Netw Appl. 14 (2009) 92-106. [13] Schmidt A. D., S.H.G., Clausen J., Yuksel K. A., Kiraz O., Camtepe A., Albayrak S., Enhancing security of linux-based android devices, In Proc of 15th Int Linux Kongress Lehmann. (2008). [14] Bose A., H.X., Shin K. G., Park T., Behavioral detection of malware on mobile handsets, In 6th int Conf on Mobisys '08. (2008) 225-238. [15] Kim H., S.J., Shin K. G., Detecting energy-greedy anomalies and mobile malware variants. In 6th int Conf on Mobisys '08. (2008) 239-252. [16] Buennemeyer T. K., N.T.M., Clagett L. M., Dunning J. P., Marchany R. C., Tront J. G., Mobile device profiling and intrusion detection using smart batteries, In Hawaii Int Conf on System Sciences. (2008) 296-297. [17] Nash D. C., M.T.L., Ha D. S., Hsiao M. S., Towards an intrusion detection system for battery exhaustion attacks on mobile computing devices, In IEEE PerCom. (2005)141-145. [18] Miettinen M., H.P., Host-based intrusion detection for advanced mobile devices, In 20th Int Conf on AINA'06. 1(2) (2006)72-76. [19] Hwang S. S., C.S., Park S., Keystroke dynamics-based authentication for mobile devices, Computers & Security. 28 (2009) 85-93. [20] Christodorescu M., J.S., Static analysis of executables to detect malicious patterns. In 12th UNENIX Security Symposium. 3 (2003)169-186. [21] Willems C., H.T., Freiling F., Toward automated dynamic malware analysis using cwsandbox. IEEE Security & Privacy. 5(2) (2007)32-39.

[22] Nissim N., M.R., BarAd O., Rokach L., Elovici Y., ALDROID: efficient update of Android anti-virus software using designated active learning methods, in knowl Inf Syst. 49 (2016) 795-833. [23] Song J., H.C., Wang K., Zhao J., Ranjan R., Wang L., An integrated static detection and analysis framework for android, Pervasive and Mobile Computing. (2016). [24] Somarriba O., Z.U., Uribeetxeberria R., Delosières L., Nadjm-Tehrani S., Detection and Visualization of Android Malware Behavior, In JECE. (2016) 1-17. [25] Reina A., F.A., Cavallaro L., A system call-centric analysis and stimulation technique to automatically reconstruct android malware behaviors, EuroSec. (2013). [26] Liu Y., Z.Y., Li H., Chen X., A hybrid malware detecting scheme for mobile Android applications, In IEEE, (2016)155-156. [27] Burguera I., Z.U., Nadjm-Tehrani S., Crowdroid: behavior-based malware detection system for android. SPSM'11. (2011) 15-26. [28] Cheng S. M., A.W.C., Chen P. Y., Chen K. C., On modeling malware propagation in generalized social networks, IEEE Communications Letters. 15 (2011) 25-27. [29] Shabtai A., Elovic.Y., Applying behavioral detection on android-based devices, In International Conference on Mobile Wireless Middleware, Operating Systems, and Applications. (2010) 235-249. [30] Jang J. W., Y.J., Mohaisen A., Woo J., Kim H. K., Andro-profiler: Detecting and Classifying Android Malware based on Behavioral Profiles. (2016). [31] Amin M. R., Z.M., Hossain M. S., Atiquzzaman M., Behavioral malware detection approaches for Android. IEEE ICC. (2016) 1-6. [32] Wang Z., L.C., Yuan Z., Guan Y., Xue, Y., DroidChain: A novel Android malware detection method based on behavior chains, Pervasive and Mobile Computing. (2016). [33] Yang L., G.V., Iftode L., Enhancing mobile malware detection with social collaboration, PASSAT-SOCIALCOM. (2011) 572-576.