Yajin Zhou,Xuxian Jiang

DOI: https://doi.org/10.1109/sp.2012.16

2012-01-01

Abstract:The popularity and adoption of smart phones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples. In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.

Qing Yang,Xiaoliang Wang,Jing Zheng,Wenqi Ge,Ming Bai,Frank Jiang

DOI: https://doi.org/10.3837/tiis.2021.06.014

2021-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the rapid development of mobile Internet, smart phones have been widely popularized, among which Android platform dominates. Due to it is open source, malware on the Android platform is rampant. In order to improve the efficiency of malware detection, this paper proposes deep learning Android malicious detection system based on behavior features. First of all, the detection system adopts the static analysis method to extract different types of behavior features from Android applications, and extract sensitive behavior features through Term frequency-inverse Document Frequency algorithm for each extracted behavior feature to construct detection features through unified abstract expression. Secondly, Long Short-Term Memory neural network model is established to select and learn from the extracted attributes and the learned attributes are used to detect Android malicious applications, Analysis and further optimization of the application behavior parameters, so as to build a deep learning Android malicious detection method based on feature analysis. We use different types of features to evaluate our method and compare it with various machine learning-based methods. Study shows that it outperforms most existing machine learning based approaches and detects 95.31% of the malware.

Michael C. Grace,Yajin Zhou,Qiang Zhang,Shihong Zou,Xuxian Jiang

DOI: https://doi.org/10.1145/2307636.2307663

2012-01-01

Abstract:ABSTRACTSmartphone sales have recently experienced explosive growth. Their popularity also encourages malware authors to penetrate various mobile marketplaces with malicious applications (or apps). These malicious apps hide in the sheer number of other normal apps, which makes their detection challenging. Existing mobile anti-virus software are inadequate in their reactive nature by relying on known malware samples for signature extraction. In this paper, we propose a proactive scheme to spot zero-day Android malware. Without relying on malware samples and their signatures, our scheme is motivated to assess potential security risks posed by these untrusted apps. Specifically, we have developed an automated system called RiskRanker to scalably analyze whether a particular app exhibits dangerous behavior (e.g., launching a root exploit or sending background SMS messages). The output is then used to produce a prioritized list of reduced apps that merit further investigation. When applied to examine 118,318 total apps collected from various Android markets over September and October 2011, our system takes less than four days to process all of them and effectively reports 3281 risky apps. Among these reported apps, we successfully uncovered 718 malware samples (in 29 families) and 322 of them are zero-day (in 11 families). These results demonstrate the efficacy and scalability of RiskRanker to police Android markets of all stripes.

Chiachih Wu,Yajin Zhou,Kunal Patel,Zhenkai Liang,Xuxian Jiang

DOI: https://doi.org/10.14722/ndss.2014.23164

2014-01-01

Abstract:Recent years have experienced explosive growth of smartphone sales. Inevitably, the rise in the popularity of smartphones also makes them an attractive target for attacks. In light of these threats, current mobile platform providers have developed various server-side vetting processes to block malicious applications (“apps”). While helpful, they are still far from ideal in achieving their goals. To make matters worse, the presence of alternative (less-regulated) mobile marketplaces also opens up new attack vectors, which necessitate client-side solutions (e.g., mobile anti-virus software) to run on mobile devices. However, existing client-side solutions still exhibit limitations in their capability or deployability. In this paper, we present AirBag, a lightweight OS-level virtualization approach to enhance the popular Android platform and boost our defense capability against mobile malware infection. Assuming a trusted smartphone OS kernel and the fact that untrusted apps will be eventually installed onto users’ phones, AirBag is designed to isolate and prevent them from infecting our normal systems (e.g., corrupting the phone firmware) or stealthily leaking private information. More specifically, by dynamically creating an isolated runtime environment with its own dedicated namespace and virtualized system resources, AirBag not only allows for transparent execution of untrusted apps, but also effectively mediates their access to various system resources or phone functionalities (e.g., SMSs or phone calls). We have implemented a proof-of-concept prototype on three representative mobile devices, i.e., Google Nexus One, Nexus 7, and Samsung Galaxy S III. The evaluation results with a number of untrusted apps, including real-world mobile malware, demonstrate its practicality and effectiveness.

Min Huang,Kai Bu,Hanlin Wang,Kaiwen Zhu

DOI: https://doi.org/10.1109/cyberc.2016.14

2016-01-01

Abstract:Malware has started grabbing its undeserved share long before the blossom of Android ecosystem. Injected with malware, malicious applications (apps) may threat users in various ways like financial charges and information stealing. When the severity of a deluge of malware was first noticed, malware detectors delivered unsatisfactory detection accuracy, which further degenerated upon simple transformation of malicious apps. Now years later, we are eager to re-examine the robustness of malware detectors. A surprisingly disappointed finding is that even known malicious apps can evade quite a few detectors. We also find that repackaging with extracted exploitable code instead of readily available malware samples can evade more signature-based detectors. Furthermore, we find Android OS features of Service and Broadcast exploitable to enable malicious apps stealthily active on phones. We implement all these findings through DroidRide, a framework toward making Android malware less catchable to detectors and more active on phones. Our prototype based on two example apps-AndroRAT and MIUI Notes-demonstrates DroidRide's effectiveness in malware evasion. Toward defending against DroidRide alike evasion, we further suggest feasible design enhancements of malware detectors and Android OS.

FAN Ming,LIU Ting,LIU Jun,LUO Xiapu,YU Le,GUAN Xiaohong,Le YU,Xiaohong GUAN,Ming FAN,Xiapu LUO,Ting LIU,Jun LIU

DOI: https://doi.org/10.1360/ssi-2019-0149

2020-07-31

Scientia Sinica Informationis

Abstract:Android has become the most popular mobile operating system in the past ten years due to its three main advantages, namely, the openness of source code, richness of hardware selection, and millions of applications (apps). It is of no surprise that Android has become the major target of malware. The rapid increase in the number of Android malware poses big threats to smart phone users such as financial charges, information collection, and remote control. Thus, the in-depth study of the security issues of mobile apps is of great importance to the sound development of the smart phone ecosystem. We first introduce the existing problems and challenges of malware analysis, and then summarize the widely-used benchmark datasets. After that, we divide the existing malware analysis methods into three categories, including signature-based methods, machine learning-based methods, and behavior-based methods. We further summarize the techniques used in each method, and compare and analyze the advantages and disadvantages of different techniques. Finally, combined with our own research foundation in malware analysis, we explore and discuss future research directions and challenges.

ZHANG Wen,YAN Han-bing,WEN Wei-ping

DOI: https://doi.org/10.3969/j.issn.1671-1122.2013.01.008

2013-01-01

Abstract:At present, malware is mainly detected through static-based approach, but the recognition rate is low. Based on the mechanism of static detection, this paper gave a behavior-based approach which analysis the behavior of sensitive function in the application. In this way, using the traces of variables and equivalent function matching to determine whether an Android package have malicious behavior. The behavior-based approach improves the accuracy of the static detection. This paper implement a detect tool aim at SMS Trojan and is proved its effectiveness in testing.

Tianshi Mu,Huajun Chen,Jinran Du,Aidong Xu

DOI: https://doi.org/10.1109/imcec46724.2019.8983860

2019-01-01

Abstract:With the in-depth development of the Internet industry, the mobile Internet has been effectively integrated into daily work. However, Android has many extremely serious security issues. In our work, we apply text classification technology to the detection of Android malware, based on the deep learning. We extract the Android malware API sequence based on the Cuckoo sandbox, and use the text processing technology to solve the detection problem of Android malware. To evaluating the performance of our system, we compared it with Dalvik based on the Bi-LSTM. The accuracy of API extraction method using Cuckoo is higher than Dalvik, reaching the accuracy of 96.74%. To further verify the effects of different models, we compared it with GRU, BGRU and LSTM using Cuckoo Sandbox as API extraction method. The result demonstrate the Bi-LSTM has the highest accuracy.

Helei Cui,Yajin Zhou,Cong Wang,Qi Li,Kui Ren

DOI: https://doi.org/10.1109/padsw.2018.8644924

2018-01-01

Abstract:Android is the primary target for mobile malware. To protect users, phone vendors (e.g., Samsung and Huawei) usually leverage third-party security service providers (e.g., VirusTotal and Qihoo 360) to detect malicious apps in app stores and collect apps' runtime behaviors on users' phones to further spot malware missed in the previous step. However, this practice could cause privacy concerns to phone vendors, users and security service providers. Specifically, phone vendors do not want to share apps (including the paid ones) with security service providers, while the latter do not want to share the malware signatures with the former. Moreover, users do not want to expose apps' runtime behaviors to third parties. These concerns would cause a real dilemma for each involved party. In this paper, we propose a privacy-preserving malware detection system for Android, in which the privacy (or assets) of phone vendors, users, and security service providers are protected. It detects malicious apps in phone vendor's app stores and on users' phones, without directly sharing apps, apps' runtime behaviors, and malware signatures to other parties. We implement a prototype system called PPMDroid and apply several optimizations to save bandwidth and speed up the process. Extensive evaluation results with real malware samples demonstrate the effectiveness and efficiency of our system.

Long Chen,Chunhe Xia,Shengwei Lei,Tianbo Wang

DOI: https://doi.org/10.1109/access.2021.3049819

IF: 3.9

2021-01-01

IEEE Access

Abstract:In recent years, the application of smartphones, Android operating systems and mobile applications have become more prevalent worldwide. To study the traceability, propagation, and detection of the threats, we perform research on all aspects of the end-to-end environment. With machine learning based on the mobile malware detection algorithms that integrate the dynamic and static research of the identification algorithm, application software samples are collected to study sentences. Through knowledge labeling and knowledge construction, the association relationship of knowledge is extracted to realize the research of knowledge map construction. Flooding is closely correlated with the complexity of the Android mobile version of the kernel and malicious programs. A static dynamic analysis of the mobile malicious program is carried out, and the social network social diagram is constructed to model the propagation of the mobile malicious program. We extended the approach of deriving common malware behavior through graph clustering. On this basis, Android behavior analysis is performed through our virtual machine execution engine. We extend the family characteristics to the concept of DNA race genes. By studying SMS/MMS, Bluetooth, 5G base station networks, metropolitan area networks, social networks, homogeneous communities, telecommunication networks, and application market ecosystem propagation scenarios, we discovered the law of propagation. In addition, we studied the construction of the mobile Internet big data knowledge graph. Quantitative data for the main family chronology of mobile malware are obtained. We conducted detailed research and comprehensive analysis of Android application package (APK) details and behavior, relationship, resource-centric, and syntactic aspects. Furthermore, we summarized the architecture of mobile malware security analysis. We also discuss encryption of malware traffic discrimination. These precise modeling and quantified research re-ults constitute the architecture of mobile malware analysis.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xi Xiao,Peng Fu,Xianni Xiao,Yong Jiang,Qing Li,Runiu Lu

DOI: https://doi.org/10.1109/iccsnt.2015.7490915

2015-01-01

Abstract:Malware in Android has enjoyed a prevalence as Android has taken up a primary market in the mobile devices. In this paper, Adaptive Regularization Of Weights (AROW) and Support Vector Machine (SVM) are used to identify malware with both the static and dynamic analysis. Permissions, control flow graphs and system calls are taken as the application's classification features. Single features, the combination of permissions and control flow graphs, and the combination of the three features are all analyzed thoroughly. Compared with the previous work, AROW and SVM with the combination of the features could increase the TPR and decrease the FPR. Furthermore, the results of AROW and SVM are profoundly evaluated in this paper. As regard to the single features, SVM could perform better with the feature of permissions or system calls, while AROW provides a better result with control flow graphs. For the combination of the features, AROW gives a better result than SVM.

Chun-Yi Wang,Chi-Yu You,Fu-Hau Hsu,Chia-Hao Lee,Che-Hao Liu,YungYu Zhuang

DOI: https://doi.org/10.1016/j.jpdc.2021.05.004

IF: 4.542

2021-10-01

Journal of Parallel and Distributed Computing

Abstract:<p>Nowadays smartphones become an indispensable tool in many people's everyday life that makes themselves attractive targets for attackers. Among various malware targeting at smartphones, SMS-based malware is one of the most notorious ones. Though a number of Android dynamic analysis frameworks have been proposed to analyze SMS-based malware, most of these frameworks or some Android tools, such as Google Android Emulator, do not support an app or malware to send SMS messages to a real smartphone; hence, security researchers cannot use them directly to analyze the behavior of SMS-based malware. In our previous work, <em>SMS Helper</em>, we designed an application layer tool to allow an app or malware in an Android emulator to send and receive SMS messages to or from a real smartphone. Based on SMS Helper, this paper proposes an Android dynamic analysis framework, called <em>SMS Observer</em>, to assist security researchers to analyze SMS-based malware. SMS Observer integrates SMS Helper into it as a client agent, meanwhile, and it maintains the integrity of system logs. This paper also figures out a way to detect whether an app is executed in an emulator and describes how to use SMS Observer to prevent such evasion. Experimental results using real-world malware samples show SMS Observer is much more effective in detecting SMS-related behavior of SMS-based malware than existing frameworks, such as Google Android Emulator, Andrubis, CopperDroid, and DroidBox. SMS Observer can analyze sophisticated SMS-based malware samples and provide a comprehensive view of malicious behavior.</p>

computer science, theory & methods

Junaid Akram,Majid Mumtaz,Gul Jabeen,Ping Luo

DOI: https://doi.org/10.1504/ijics.2021.116310

2021-01-01

International Journal of Information and Computer Security

Abstract:Security researchers and anti-virus industries have speckled stress on an Android malware, which can actually damage your phones and threatens the Android markets. In this paper, we propose and develop DroidMD, a scalable self-improvement based tool, based on auto optimisation of signature set, which detect malicious apps in the market at source code level. A prototype has been developed tested and implemented to detect malware in applications. We implement and evaluate our approach on almost 30,000 applications including 27,000 benign and 3,670 malware applications. DroidMD detects malware in different applications at partial level and full level. It analyses only the applications code, which increase its reliability. Our evaluation of DroidMD demonstrates that our approach is very efficient in detecting malware at large scale with high accuracy of 95.5%.

Yingbo Li,Jing Fang,Cheng Liu,Mengrong Liu,ShaoHua Wu

DOI: https://doi.org/10.1109/iceiec.2015.7284546

2015-01-01

Abstract:With the increasing popularization of smart phones in life, malicious software targeting smart phones is emerging in an endless stream. As the phone system possessing the highest current market share, Android is facing a full-scale security challenge. This article focuses on analyzing the application of Dalvik injection technique in the detection of Android malware. Modify the system API (Application Program Interface) through Dalvik injection technique can detect the programs on an Android phone directly. Through the list of sensitive API called by malicious programs, eventually judge the target program as malicious or not.

Xi Xiao,Xianni Xiao,Yong Jiang,Xuejiao Liu,Runguo Ye

DOI: https://doi.org/10.1002/ett.3016

IF: 3.6

2016-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:With the popularity of Android devices, mobile malware in Android has became more prevalent. Malware causes lots of harm to users, such as stealing personal information and using too much battery or CPU. Detecting mobile malware is the main task in Android security. In this work, we use a dynamic analysis method to distinguish malware with system call sequences. At first, we track the system calls of applications under different events. Then two different feature models, the frequency vector and the co‐occurrence matrix, are employed to extract features from the system call sequence. Finally, we apply Adaptive Regularization Of Weight Vectors and other machine learning algorithms to identify Android malware based on the aforementioned two models, respectively. We evaluate our method with 1189 benign applications and 1227 malicious applications. The experiment results show that the co‐occurrence matrix can achieve a much better detection rate than the frequency vector. Our best detection rate is 97.7per cent with false positive rate being 1.34per cent, which is better than those of the existing methods. Copyright © 2016 John Wiley & Sons, Ltd.

Suleiman Y. Yerima,Sakir Sezer,Gavin McWilliams,Igor Muttik

DOI: https://doi.org/10.1109/AINA.2013.88

2016-08-02

Abstract:Mobile malware has been growing in scale and complexity as smartphone usage continues to rise. Android has surpassed other mobile platforms as the most popular whilst also witnessing a dramatic increase in malware targeting the platform. A worrying trend that is emerging is the increasing sophistication of Android malware to evade detection by traditional signature-based scanners. As such, Android app marketplaces remain at risk of hosting malicious apps that could evade detection before being downloaded by unsuspecting users. Hence, in this paper we present an effective approach to alleviate this problem based on Bayesian classification models obtained from static code analysis. The models are built from a collection of code and app characteristics that provide indicators of potential malicious activities. The models are evaluated with real malware samples in the wild and results of experiments are presented to demonstrate the effectiveness of the proposed approach.

Cryptography and Security,Machine Learning

Xiaolei Wang,Yuexiang Yang,Yingzhi Zeng

DOI: https://doi.org/10.1186/s40064-015-1356-1

2015-10-07

SpringerPlus

Abstract:As the dominator of the Smartphone operating system market, consequently android has attracted the attention of s malware authors and researcher alike. The number of types of android malware is increasing rapidly regardless of the considerable number of proposed malware analysis systems. In this paper, by taking advantages of low false-positive rate of misuse detection and the ability of anomaly detection to detect zero-day malware, we propose a novel hybrid detection system based on a new open-source framework CuckooDroid, which enables the use of Cuckoo Sandbox's features to analyze Android malware through dynamic and static analysis. Our proposed system mainly consists of two parts: anomaly detection engine performing abnormal apps detection through dynamic analysis; signature detection engine performing known malware detection and classification with the combination of static and dynamic analysis. We evaluate our system using 5560 malware samples and 6000 benign samples. Experiments show that our anomaly detection engine with dynamic analysis is capable of detecting zero-day malware with a low false negative rate (1.16 %) and acceptable false positive rate (1.30 %); it is worth noting that our signature detection engine with hybrid analysis can accurately classify malware samples with an average positive rate 98.94 %. Considering the intensive computing resources required by the static and dynamic analysis, our proposed detection system should be deployed off-device, such as in the Cloud. The app store markets and the ordinary users can access our detection system for malware detection through cloud service.

Kashif Ali Dahri,Muhammad Saleem Vighio,Baqar Ali Zardari

DOI: https://doi.org/10.22581/muet1982.2104.14

2021-10-01

Mehran University Research Journal of Engineering and Technology

Abstract:The Internet is not safe anymore, malware can be discovered anywhere on the Internet. The risk of malware has increased also due to the increasing popularity and use of Smartphones and their underlying cost-free applications. With its great market share, the Android operating system has become a prime target for malware developers. When an Android phone is injected with a malware, it may result in compromising the privacy of the user by stealing sensitive and private information like contacts, ids, passwords, photos, call records, and so on. Compared to any other Android-based application category, games are the most preferred zone for attackers, due to the high interest of users in game applications. When an end user downloads a game, which is injected with malicious code, user data is infected without bringing in the knowledge of the user. Though, there still are not sufficient protection mechanisms or guidelines stated for end user against Android malware, this study offers a novel approach to detect Android malware in order to ensure the safe usage of Android applications. The advantage of this approach is its ability to utilize Android manifest files for the detection of malware. The availability of manifest file in every Android application makes this approach applicable to all Android applications. It can also be considered as a lightweight method for malware detection, and its efficiency is experimentally confirmed by testing and comparing the results of 50 Android games samples. Experiments are carried out using the Android Package Kit (APK) tools, and based on the experiments, different kinds of malware identification and prevention guidelines have been proposed for the safe and secure usage of the Android operating system.

Suhaib Jasim Hamdi,Naaman Omar,Adel AL-zebari,Karwan Jameel Merceedi,Abdulraheem Jamil Ahmed,Nareen O. M. Salim,Sheren Sadiq Hasan,Shakir Fattah Kak,Ibrahim Mahmood Ibrahim,Hajar Maseeh Yasin,Azar Abid Salih

DOI: https://doi.org/10.9734/ajrcos/2021/v11i330266

2021-09-07

Asian Journal of Research in Computer Science

Abstract:Mobile malware is malicious software that targets mobile phones or wireless-enabled Personal digital assistants (PDA), by causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware. Android is now the world's most popular OS. More and more malware assaults are taking place in Android applications. Many security detection techniques based on Android Apps are now available. Android applications are developing rapidly across the mobile ecosystem, but Android malware is also emerging in an endless stream. Many researchers have studied the problem of Android malware detection and have put forward theories and methods from different perspectives. Existing research suggests that machine learning is an effective and promising way to detect Android malware. Notwithstanding, there exist reviews that have surveyed different issues related to Android malware detection based on machine learning. The open environmental feature of the Android environment has given Android an extensive appeal in recent years. The growing number of mobile devices, they are incorporated in many aspects of our everyday lives. In today’s digital world most of the anti-malware tools are signature based which is ineffective to detect advanced unknown malware viz. Android OS, which is the most prevalent operating system (OS), has enjoyed immense popularity for smart phones over the past few years. Seizing this opportunity, cybercrime will occur in the form of piracy and malware. Traditional detection does not suffice to combat newly created advanced malware. So, there is a need for smart malware detection systems to reduce malicious activities risk. The present paper includes a thorough comparison that summarizes and analyses the various detection techniques.

Mingshen Sun,Xiaolei Li,John C.S. Lui,Richard T.B. Ma,Zhenkai Liang

DOI: https://doi.org/10.48550/arXiv.1612.03312

2016-12-11

Abstract:Android, the most popular mobile OS, has around 78% of the mobile market share. Due to its popularity, it attracts many malware attacks. In fact, people have discovered around one million new malware samples per quarter, and it was reported that over 98% of these new malware samples are in fact "derivatives" (or variants) from existing malware families. In this paper, we first show that runtime behaviors of malware's core functionalities are in fact similar within a malware family. Hence, we propose a framework to combine "runtime behavior" with "static structures" to detect malware variants. We present the design and implementation of MONET, which has a client and a backend server module. The client module is a lightweight, in-device app for behavior monitoring and signature generation, and we realize this using two novel interception techniques. The backend server is responsible for large scale malware detection. We collect 3723 malware samples and top 500 benign apps to carry out extensive experiments of detecting malware variants and defending against malware transformation. Our experiments show that MONET can achieve around 99% accuracy in detecting malware variants. Furthermore, it can defend against 10 different obfuscation and transformation techniques, while only incurs around 7% performance overhead and about 3% battery overhead. More importantly, MONET will automatically alert users with intrusion details so to prevent further malicious behaviors.

Cryptography and Security