Survey of Mobile Malware Analysis, Detection Techniques and Tool
Conference Paper, November 2018. DOI: 10.1109/IEMCON.2018.8614895

Nana Kwame Gyamfi, Computer Science Dept., Kumasi Technical University, Kumasi, Ghana, nkgyamfi@st.ug.edu.gh
Dr. Ebenezer Owusu, Department of Computer Science, University of Ghana-Legon, Legon, Ghana, ebeowusu@ug.edu.gh

Abstract
The rapid increase in the use of smartphones has brought a corresponding increase in attackers targeting mobile devices. In most cases deceptive applications carry malicious content that harms both the hardware and the software of the device. These malicious programs, or malware, are usually designed to disrupt the device or to gather information from it. Various techniques have been proposed to curtail these problems. This paper analyses the most popular and recent techniques and suggests which is better.

Keywords: Mobile phone; mobile malware; static detection; dynamic detection; hybrid detection.

1. Introduction
Smartphone usage has grown exponentially and the smartphone is continuously turning into a cutting-edge device [20]. Its popularity has made it attractive to attackers. Modern smartphones are more advanced; they are used for business transactions and for storing personal data [19], and this has left them exposed to malware attacks. Malware developers find it easy to deliver attacks to mobile devices because mobile users do not usually take the time to analyse the applications they download from app stores and websites.

Mobile malware is malicious software designed with specific targets among mobile devices [18]. It first emerged as early as 2004 for Symbian OS [26] and has since grown exponentially along with the popularity of smartphones. Figure 1 shows the growth of mobile malware from 2010 to date.

Fig. 1: Mobile Malware Growth (chart not reproduced in this text extraction)

A mobile malware program installs itself while the device is used to access the internet and then performs actions without the user's permission or knowledge. It is distributed in many ways, among them the internet via a mobile browser, downloads, and installation through the device's messaging functions. Mobile malware can be broadly classified into types [13].

Malware is becoming more covert, with programs that operate out of sight of the user, hiding themselves and lying in wait for a specific activity, such as an online banking session, before striking [7]. Such covert techniques can run completely invisibly to the user, launch further executables, or alter the boot process in order to fetch new instructions. The actions taken by the malware fall into three threat classes: the financial threat (for example spyware and key loggers), the masked threat (for example trojans and rootkits), and the contagious threat (for example viruses and worms).

There are many kinds of mobile malware, but they are collectively grouped into phishing apps, trojans and viruses, and spyware.

Phishing apps are closer to desktop computing: attackers develop applications that resemble genuine services but are intended to steal sensitive data and credentials in order to commit financial fraud. One such case is a fake security application for Tagged, Twitter and Tango, which promised to secure the user's account yet stole the user's data for identity fraud [5].

A trojan is a harmful piece of software that hides itself and poses as a legitimate program in order to take unauthorised control of the device. Trojans do not self-replicate; they spread through user interaction, for example downloading a file from the web [8]. They take the user's confidential data without the user's knowledge. Unlike trojans, viruses attach themselves to executable files and are self-replicating: infection starts on one device and spreads to the next [1], [2].

Spyware mostly gathers confidential information about the phone's user covertly and passes that information to a third party. Sometimes these third parties are advertisers or marketing data firms, in which case the software is referred to as "adware" [3]. Spyware uses the victim's mobile connection to transfer personal information such as contacts, messaging habits, browsing history and the user's download preferences [6]. It likewise collects data such as the OS version, product ID, IMEI number and international mobile subscriber identity (IMSI) number, which can be used in future attacks.

978-1-5386-7266-2/18/$31.00 ©2018 IEEE

The remainder of this paper is outlined as follows: Section 2 presents the malware detection techniques, Section 3 discusses the performance and analysis of static and dynamic techniques, Section 4 discusses the hybrid detection technique, and Section 5 presents the conclusions of the study.
2. Malware detection techniques
Mobile malware detection techniques are grouped into static, dynamic and hybrid; each technique comes with strengths and challenges.

2.1 Static analysis detection technique
Static analysis examines a program without executing it. During static analysis the application is taken apart with reverse-engineering tools and techniques in order to reconstruct the source code and the algorithms the application is made of. Static analysis can be done with a program analyser, a debugger or a disassembler. Several static methods are used; they are described below.

2.1.1 Signature based detection technique
This method is also known as the pattern-matching or fingerprinting technique. A signature is a sequence of bits present in the application program because the malware writer put it there, and it uniquely identifies a specific malware [15]. To recognise malware in the code, the detector scans the code for a previously determined signature.

Generic signature analysis: a generic signature detects malware samples that behave differently but belong to the same family. The antivirus definition is written in advance so that it also covers new variants of the malware.

2.1.2 Heuristic detection technique
This technique is also called the proactive technique. It is similar to the signature-based technique, but instead of hunting for a specific signature in the code, the detector scans for commands or instructions that should not be present in the application program [16], [12]. As a result it becomes easier to recognise new variants of malware that have not yet been seen. Some heuristic analysis techniques are listed below:

File based heuristic analysis: also known as file analysis. The file is examined in depth for its content, purpose and intent. If it contains commands to delete or damage other files, it is considered malicious [4].

Weight based heuristic analysis: a much older technique in which every application is weighted by the risk it may pose. If the weighted value exceeds a predefined threshold value, the application is deemed to contain malicious code.

Rule based heuristic analysis: the analyser extracts the rules that characterise the application. These rules are matched against previously defined rules; if they match, the application contains malware.

2.1.3 Static analysis tools
These tools are used in a preliminary analysis, when suspicious applications are first evaluated for security threats. Examples are discussed below.

IDA Pro: in the workflow described here, the disassembler is used to extract the system calls made by the application; these are then passed to a central machine that performs anomaly detection and classifies the application according to its malicious activity. Figure 2 shows the process in brief.

Figure 2: IDA Pro process: Disassemble Application -> Extract System Calls -> Anomaly Detection

PiOS: PiOS is a static analysis tool that checks whether an application accesses sensitive data and whether it is able to transmit it over the network. PiOS first builds a control-flow graph from the application binary before it does anything else.

UPX: a compact, high-performance executable packer for several executable formats. It achieves a good compression ratio and offers fast decompression. (UPX is a packer rather than an analyser; it appears in a static-analysis toolkit because packed samples must be unpacked before they can be disassembled.)

ProcDump: its primary purpose is to monitor an application for CPU spikes and produce a crash dump that developers and administrators can use to determine the cause of the spike. ProcDump also includes hung-window monitoring and unhandled-exception monitoring, and it can generate dumps based on the values of system performance counters. It can likewise serve as a general process-dump utility that can be embedded in other scripts. (ProcDump is a Sysinternals tool that captures a running process, so strictly it produces input for dynamic rather than static analysis; it is listed here in the grouping the survey uses.)
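As an added illustration of the signature-based and heuristic techniques above (example code written for this page, not a tool from the paper or from any cited project), the following Python implements an exact signature, a generic wildcard signature, a weight-based permission score with a threshold, and a rule-based check over permission combinations; it also covers the manifest-scoring idea used by the permission-based approaches listed in Table 2. The signatures, weights, threshold, rules and the sample "applications" are all hypothetical and constructed inline; only the android.permission.* names are real Android permission strings.

```python
import re

# Added example (not from the survey): byte signatures plus weight- and
# rule-based heuristics over constructed application data. Every signature,
# weight, rule and sample below is hypothetical.

# Exact signature: one byte sequence that pins a single known sample (Section 2.1.1).
EXACT_SIGNATURES = {
    "SmsBot.A": b"SMSBOT\x00c2=http://",
}
# Generic signature: a wildcarded pattern shared by the whole family, so a
# repackaged variant with a changed tag is still caught.
GENERIC_SIGNATURES = {
    "SmsBot.gen": re.compile(rb"SMSBOT[A-Z]{0,4}\x00c2=http://"),
}

# Weight-based heuristic: hypothetical risk weight per requested permission.
PERMISSION_WEIGHTS = {
    "android.permission.INTERNET": 1,
    "android.permission.READ_PHONE_STATE": 2,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.ACCESS_FINE_LOCATION": 2,
    "android.permission.RECEIVE_BOOT_COMPLETED": 2,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.SEND_SMS": 4,
}
RISK_THRESHOLD = 8  # hypothetical cut-off: a score above this is "suspicious"

# Rule-based heuristic: permission combinations that characterise known behaviours.
RULES = {
    "sms-interception": {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"},
    "contact-exfiltration": {"android.permission.READ_CONTACTS", "android.permission.INTERNET"},
    "persistent-tracking": {"android.permission.RECEIVE_BOOT_COMPLETED",
                            "android.permission.ACCESS_FINE_LOCATION",
                            "android.permission.INTERNET"},
}


def match_signatures(blob):
    """Return the names of all exact and generic signatures found in blob."""
    hits = [name for name, sig in EXACT_SIGNATURES.items() if sig in blob]
    hits += [name for name, pat in GENERIC_SIGNATURES.items() if pat.search(blob)]
    return hits


def risk_score(permissions):
    """Weight-based heuristic: sum of the weights of the requested permissions."""
    return sum(PERMISSION_WEIGHTS.get(p, 0) for p in permissions)


def rule_hits(permissions):
    """Rule-based heuristic: names of the rules whose permission set is fully requested."""
    requested = set(permissions)
    return [name for name, needed in RULES.items() if needed <= requested]


def classify(blob, permissions):
    """Signature hit => malicious; score over threshold or rule hit => suspicious; else benign."""
    sigs = match_signatures(blob)
    score = risk_score(permissions)
    rules = rule_hits(permissions)
    if sigs:
        verdict = "malicious"
    elif score > RISK_THRESHOLD or rules:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"signatures": sigs, "score": score, "rules": rules, "verdict": verdict}


# Constructed samples (not real malware): a clean app, the original bot, a
# repackaged variant whose tag changed, and a legitimate SMS client.
CLEAN_BLOB = b"\x7fELF\x02\x01\x01\x00hello world"
CLEAN_PERMS = ["android.permission.INTERNET"]
BOT_BLOB = b"\x7fELF\x02\x01\x01\x00SMSBOT\x00c2=http://c2.example.invalid/"
VARIANT_BLOB = b"\x7fELF\x02\x01\x01\x00SMSBOTXQ\x00c2=http://c2.example.invalid/"
BOT_PERMS = ["android.permission.INTERNET", "android.permission.READ_PHONE_STATE",
             "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"]
SMS_CLIENT_PERMS = ["android.permission.INTERNET", "android.permission.READ_CONTACTS",
                    "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"]

if __name__ == "__main__":
    for label, blob, perms in [("clean", CLEAN_BLOB, CLEAN_PERMS),
                               ("bot", BOT_BLOB, BOT_PERMS),
                               ("variant", VARIANT_BLOB, BOT_PERMS),
                               ("sms-client", CLEAN_BLOB, SMS_CLIENT_PERMS)]:
        print(label, classify(blob, perms))
```

The variant is missed by the exact signature and caught by the generic one, which is the point of generic signature analysis. The legitimate SMS client carries no signature but scores above the threshold and trips two rules, so it is reported as suspicious: this is the false-positive behaviour that Table 1 records for permission-based detection, and it is why a practitioner treats heuristic verdicts as triage input rather than as a final classification.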
2.2 Dynamic analysis detection technique
The process of examining the behaviour or the actions performed by an application while it is executing is called dynamic analysis [13]. It is done by monitoring function calls, tracking the data flow, analysing function parameters and tracing instructions. Usually a virtual machine or sandbox is used, in which the application under examination runs in a virtual environment. If the application misbehaves there, it is classified as malicious. This type of detection comes in several forms.

2.2.1 Anomaly based detection
[25] proposed a tool, Crowdroid, that discovers the behaviour of applications dynamically. The tool invokes the application to collect details of its behaviour (SourceForge.net, 2016). The crowdsourcing application, which is installed on the device, creates a log and sends it to a remote server. The log files may include detailed device information and system calls.

[23] proposed an Android malware detection framework called Andromaly. This application continuously monitors the state of the device (battery level, CPU utilisation and so on) while it is running and then applies a machine learning algorithm to distinguish malicious from benign applications. The solution can identify ongoing attacks and present a report to the user.
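Added example (not Crowdroid's own code and not from the paper): a minimal version of the Crowdroid workflow described in Section 2.2.1, with constructed strace-style logs for five runs of the same app on different devices, a relative-frequency system-call vector per run, and a deterministic 2-means clustering that flags the minority cluster as anomalous. The syscall names are real Linux calls; the logs, the make_log helper, the device names and the seeding strategy are assumptions made for the example.

```python
import math
from collections import Counter

# Added example (not from the survey): Crowdroid-style anomaly detection.
# Each run of an app contributes a system-call frequency vector; 2-means
# clustering splits the runs and the minority cluster is flagged, on the
# assumption that most crowd-sourced runs of an app are benign.

SYSCALLS = ["open", "read", "write", "ioctl", "socket", "connect",
            "sendto", "recvfrom", "fork", "execve"]


def make_log(**counts):
    """Build a constructed strace-style log with the given number of lines per syscall."""
    lines = []
    for name, n in counts.items():
        lines.extend(f"{name}(...) = 0" for _ in range(n))
    return "\n".join(lines)


# Constructed logs (hypothetical): four runs of the genuine app and one run of
# a repackaged copy that adds network traffic and spawns a process.
RUNS = {
    "device-1": make_log(open=4, read=10, write=6, ioctl=8, socket=1, connect=1, recvfrom=2),
    "device-2": make_log(open=4, read=11, write=5, ioctl=8, socket=1, connect=1, recvfrom=2),
    "device-3": make_log(open=5, read=9, write=6, ioctl=7, socket=1, connect=1, recvfrom=3),
    "device-4": make_log(open=4, read=12, write=6, ioctl=9, socket=1, connect=1, recvfrom=2),
    "device-5": make_log(open=2, read=3, write=2, ioctl=2, socket=6, connect=6,
                         sendto=12, fork=1, execve=1),
}


def syscall_vector(log):
    """Relative frequency of each tracked syscall in one log (the feature vector)."""
    counts = Counter()
    for line in log.splitlines():
        head = line.split("(", 1)[0].split()
        if head:
            counts[head[-1]] += 1   # last token, so a leading PID is tolerated
    total = sum(counts.values()) or 1
    return [counts[s] / total for s in SYSCALLS]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def two_means(vectors, iterations=50):
    """Deterministic 2-means: seed with the first vector and the one farthest from it."""
    centroids = [vectors[0], max(vectors, key=lambda v: distance(v, vectors[0]))]
    labels = []
    for _ in range(iterations):
        labels = [0 if distance(v, centroids[0]) <= distance(v, centroids[1]) else 1
                  for v in vectors]
        groups = [[v for v, l in zip(vectors, labels) if l == k] for k in (0, 1)]
        new = [[sum(col) / len(g) for col in zip(*g)] if g else c
               for g, c in zip(groups, centroids)]
        if new == centroids:
            break
        centroids = new
    return labels, centroids


def detect_anomalies(runs):
    """Map each run name to 'normal' or 'anomalous' (member of the minority cluster)."""
    names = list(runs)
    labels, _ = two_means([syscall_vector(runs[n]) for n in names])
    minority = 1 if labels.count(1) < labels.count(0) else 0
    return {n: ("anomalous" if l == minority else "normal") for n, l in zip(names, labels)}


if __name__ == "__main__":
    for name, verdict in detect_anomalies(RUNS).items():
        print(f"{name}: {verdict}")
```

The majority-is-benign assumption is also the weakness noted for Crowdroid in Table 3: if the legitimate version of an app itself makes many system calls, or if most contributed runs come from infected copies, the minority cluster is not the malicious one and the verdicts invert.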
2.2.2 Emulation based detection
[21] proposed a mobile dynamic analysis platform called DroidScope, which is based on virtual machine introspection. Its main operation is to monitor the whole operating system. The Android Application Sandbox proposed by [22] is another example of such a system.

2.2.3 Taint analysis
TaintDroid is another dynamic detection technique. It provides system-wide data-flow tracking for Android. It can track numerous sources of sensitive information, such as GPS, camera and microphone, and detect information leakage in third-party applications. It tags sensitive data on the phone and follows it as it propagates.

2.2.4 Dynamic analysis tools
These tools dynamically observe the behaviour of mobile applications in an isolated environment. They include:

FileMon: monitors file operations while the application is running. It notes every executable file and gives a detailed analysis.

RegMon: a registry monitoring utility that reports which applications are accessing the registry. The accessed keys and registry data are all read in real time.

Ethereal: a packet sniffer that captures packets and lets the analyst view their contents.

(FileMon and RegMon are Sysinternals utilities for Windows, and Ethereal is the predecessor of Wireshark; in practice they observe the analysis host or emulator rather than run on the handset itself.)

3. Performance evaluation and analysis of static and dynamic techniques
The performance of the various approaches is evaluated with a far-reaching comparison of their different attributes. Table 1 gives the limitations of the static and dynamic approaches to malware detection, while the individual static and dynamic detection techniques are compared in Table 2 and Table 3 respectively.

Table 1: Limitations of Static and Dynamic Approaches
Approach | Mechanism | Limitation
Static | Signature based detection | Cannot detect zero-day malware and unknown malware types
Static | Permission based detection | May classify benign applications as malicious because of the small differences between the permissions requested by the two kinds
Static | Dalvik bytecode detection | Uses more memory
Dynamic | Taint analysis | Not suitable for real-time analysis
Dynamic | Anomaly detection | Consumes more battery and memory; invokes more API calls
Dynamic | Emulation based detection | More resource consumption

Based on how they work, we have identified significant limitations and benefits for each detection mechanism.
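Added example (not TaintDroid's code and not from the paper): a toy interpreter that reproduces the idea behind the taint analysis of Section 2.2.3. Values carry a set of taint labels; source calls attach a label, operations propagate the union of their operands' labels, and a sink reports a leak when labelled data reaches it. The program format, the register names, the framework API names used as sources and sinks, and both sample programs are invented for the illustration.

```python
from dataclasses import dataclass

# Added example (not from the survey): a toy TaintDroid-style tracker.
# Sources attach labels, operations propagate the union of their operands'
# labels, and a sink records a leak when labelled data reaches it.

SOURCES = {                       # hypothetical framework calls that yield private data
    "TelephonyManager.getDeviceId": "IMEI",
    "LocationManager.getLastKnownLocation": "LOCATION",
    "ContactsContract.query": "CONTACTS",
}
SINKS = {"HttpURLConnection.write", "SmsManager.sendTextMessage"}


@dataclass(frozen=True)
class Value:
    data: str
    taint: frozenset = frozenset()   # e.g. frozenset({"IMEI"})


class TaintVM:
    """Executes a list of (op, *args) tuples over named registers."""

    def __init__(self):
        self.regs = {}
        self.leaks = []

    def run(self, program):
        for op, *args in program:
            if op == "const":                     # const dst "literal": untainted
                dst, literal = args
                self.regs[dst] = Value(literal)
            elif op == "call":                    # call dst api: a source attaches its label
                dst, api = args
                label = SOURCES.get(api)
                self.regs[dst] = Value(f"<{api}>",
                                       frozenset({label}) if label else frozenset())
            elif op == "concat":                  # concat dst a b: taint is the union
                dst, a, b = args
                va, vb = self.regs[a], self.regs[b]
                self.regs[dst] = Value(va.data + vb.data, va.taint | vb.taint)
            elif op == "hexencode":               # hexencode dst a: transformation keeps taint
                dst, a = args
                va = self.regs[a]
                self.regs[dst] = Value(va.data.encode().hex(), va.taint)
            elif op == "sink":                    # sink api reg: report labelled data
                api, reg = args
                v = self.regs[reg]
                if api in SINKS and v.taint:
                    self.leaks.append((api, tuple(sorted(v.taint))))
            else:
                raise ValueError(f"unknown op {op}")
        return self.leaks


# Constructed spyware-like program: IMEI and location are concatenated, hex
# encoded and written to a network sink.
SPYWARE = [
    ("call", "r1", "TelephonyManager.getDeviceId"),
    ("call", "r2", "LocationManager.getLastKnownLocation"),
    ("const", "r3", "id="),
    ("concat", "r4", "r3", "r1"),
    ("const", "r5", "&loc="),
    ("concat", "r6", "r4", "r5"),
    ("concat", "r7", "r6", "r2"),
    ("hexencode", "r8", "r7"),
    ("sink", "HttpURLConnection.write", "r8"),
]
# Constructed benign program: reads the IMEI for a local check but only sends a constant.
BENIGN = [
    ("call", "r1", "TelephonyManager.getDeviceId"),
    ("const", "r2", "ping"),
    ("sink", "HttpURLConnection.write", "r2"),
]


def find_leaks(program):
    """Run a program and return the (sink, labels) pairs that leaked."""
    return TaintVM().run(program)


if __name__ == "__main__":
    print(find_leaks(SPYWARE))   # [('HttpURLConnection.write', ('IMEI', 'LOCATION'))]
    print(find_leaks(BENIGN))    # []
```

Encoding does not launder the label, because the label travels with the value rather than depending on its content. Two things this model does not do are the ones recorded against TaintDroid in Table 3 and in its design: data that leaves the device and comes back in a network reply arrives unlabelled, and only explicit data flows are tracked, so a value copied through a control-flow dependency (an if on a tainted byte) would not carry the label.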
Table 2: Malware detection by static analysis
Approach | Name | Goal | Method | Year | Limitations | Benefits
Signature based detection | DroidAnalytics | Automatic collection, extraction, analysis and association of Android malware | Creates a 3-level signature for the app on the basis of API calls; performs opcode-level analysis (class, method, application) | 2013 | Cannot detect unknown malware; the similarity score may classify legitimate apps as malicious | Also detects dynamic malware payloads; associates malware at opcode level
Signature based detection | AndroSimilar | Detect unseen and zero-day variants of known malware | Uses fuzzy hashing; creates a variable-length signature and compares it with the signature database | 2013 | Limited signature database; can only detect known malware | Effective against code obfuscation and repackaging
Permission based detection | Stowaway | Application over-privilege detection | API call tracing through a static analysis tool; a permission map identifies the permission required by each API call | 2015 | Cannot resolve complex reflective calls | Reports over-privileged applications
Permission based detection | R. Sato | Malware detection by manifest file analysis | Analyses the manifest file; compares the extracted manifest information with a keyword list; calculates a malignancy score | 2015 | Cannot detect adware samples | Lightweight, low-cost approach; can detect unknown malware
Permission based detection | PUMA | Malware detection | Analyses the extracted permissions; evaluates performance by k-fold cross-validation with k=10 | 2015 | High false positive rate; not adequate for efficient malware detection | High detection rate
Dalvik bytecode detection | SCANDAL | Privacy leak detection | Extracts the bytecode of applications as a Dalvik executable file; translates the Dalvik executable language for efficient analysis | 2013 | More time and memory consumption; does not support every application for privacy leakage analysis | Saves data from privacy leakage; Dalvik bytecode is always available; better accuracy
Dalvik bytecode detection | DroidAPIMiner (42) | API-level malware detection | Extracts API-level features; applies classifiers for evaluation | 2013 | More false positives; generates incorrect classifications | Better accuracy
Dalvik bytecode detection | Karlsen | Dalvik bytecode control-flow analysis | Provides formal control-flow analysis; formalises the Dalvik bytecode language with reflection features | 2016 | Requires extension of the analysis to reflection and concurrency handling features | Supports formalisation and dynamic dispatch; the formal control-flow analysis easily traces API calls

4. Hybrid analysis detection technique
This is a blend of static analysis and dynamic analysis [24]. The Android Application Sandbox proposed by [22] is an example of a hybrid technique: it identifies suspicious applications by performing both static and dynamic analysis on them. The procedure first checks for the presence of a malware signature in the code under review and then monitors the application while it runs. The strategy thus consolidates the static and dynamic methods.
Table 3: Comparison of different dynamic analysis techniques
Approach | Name | Goal | Method | Year | Limitations | Benefits
Anomaly detection | Crowdroid | Detecting anomalously behaving malicious applications | A tool performs system-call tracing; dynamic analysis is performed on the data at the server side; the Crowdroid client app is installed on the user's device | 2011 | Requires installation of the Crowdroid client; results are incorrect if the legitimate app invokes more system calls | Provides deep analysis
Anomaly detection | AntiMalDroid | Malware detection through characteristic learning and signature generation | Generates behavioural characteristics; monitors the behaviour of applications and their characteristics; learning module | 2013 | More time consumption | Low cost and better performance; higher detection rate
Taint analysis | TaintDroid | Data-flow investigation and leakage identification | Automatically labels the data; keeps track of the data | 2010 | Cannot track information that leaves the device and returns in a network reply | Efficient tracking of sensitive information
Emulation based detection | AASandbox | Malware detection | System-call tracking; built upon QEMU (quick emulator) | 2010 | Limited code coverage | Can be used to enhance the effectiveness of anti-malware programs for Android OS
Emulation based detection | DroidScope | Android malware detection | System-call tracking; built upon QEMU (quick emulator) | 2013 | Limited code coverage | Can identify privilege escalation attacks on the kernel

5. Conclusion
In this paper, malware and its entry routes have been reviewed, with their advantages and disadvantages reasoned out extensively. A proposal for a hybrid anti-malware is introduced to help address the limitations of the current static and dynamic techniques, with the aim of implementing it in the near future. We have likewise surveyed the different types of malware and classes of malicious software, and in particular the different detection techniques and tools for mobile malware. Although the dangers of new malware are increasing at an alarming rate, there is careful investigation of tools for dissecting malware, with a clear understanding of the different countermeasures that should be adopted.

It is found that the static technique is less efficient at identifying malicious content that is loaded dynamically from remote servers. The dynamic technique is efficient because it keeps monitoring the application and is able to identify malicious content at execution time; it is however clear that the parts of the malicious code that are not executed remain undetected. Clearly, no single security solution on mobile phones can give full protection against vulnerabilities and malware. It is therefore better to deploy more than one solution at the same time, static and dynamic. A hybrid approach will first examine the application statically and will then perform a dynamic analysis. Although the operation is costly because of limited resources such as battery and memory, these restrictions of a hybrid implementation can be addressed in two ways: first, the static analysis can be done locally on the phone; afterwards, the dynamic analysis can be performed in a distributed fashion by sending the suspicious activity as a log file to a remote server. The remote server will perform the dynamic analysis quickly and efficiently, as it has enough resources to do so, and can produce fast responses to the application's behaviour and notify the user. This hybrid solution needs more examination and is subject to design trade-offs. Further studies will focus on how to make hybrid techniques more robust.

References
[1] B. Anderson, D. Quist, J. Neil, C. Storlie, and T. Lane, "Graph Based Malware Detection Using Dynamic Analysis," Journal in Computer Virology, vol. 7, pp. 247-258, 2011.
[2] B. Anderson, C. Storlie, and T. Lane, "Improving Malware Classification: Bridging the Static/Dynamic Gap," in Proceedings of the 5th ACM Workshop on Security and Artificial Intelligence (AISec), pp. 3-14, 2012.
[3] U. Bayer, P.M. Comparetti, C. Hlauschek, and C. Kruegel, "Scalable, Behavior-Based Malware Clustering," in Proceedings of the 16th Annual Network and Distributed System Security Symposium, 2009.
[4] I. Firdausi, C. Lim, and A. Erwin, "Analysis of Machine Learning Techniques Used in Behavior Based Malware Detection," in Proceedings of the 2nd International Conference on Advances in Computing, Control and Telecommunication Technologies (ACT), Jakarta, 2-3 December 2010, pp. 201-203.
[5] D. Kong and G. Yan, "Discriminant Malware Distance Learning on Structural Information for Automated Malware Classification," in Proceedings of the ACM SIGMETRICS/International Conference on Measurement and Modeling, 2013.
[6] T. Lee and J.J. Mody, "Behavioral Classification," in Proceedings of the European Institute for Computer Antivirus Research Conference (EICAR'06), 2006.
[7] R. Moskovitch, D. Stopel, C. Feher, N. Nissim, and Y. Elovici, "Unknown Malcode Detection via Text Categorization and the Imbalance Problem," in Proceedings of the 6th IEEE International Conference on Intelligence and Security Informatics, 2008.
[8] S. Nari and A. Ghorbani, "Automated Malware Classification Based on Network Behavior," in Proceedings of the International Conference on Computing, Networking and Communications (ICNC), San Diego, 28-31 January 2013, pp. 642-647.
[9] J. Nieves, I. Santos, and P.G. Bringas, "Semi-Supervised Learning for Unknown Malware Detection," in International Symposium on Distributed Computing and Artificial Intelligence, Advances in Intelligent and Soft Computing, 2011.
[10] Norton, "Norton Safe Web," July 2012. [Online]. Available: http://safeweb.norton.com
[11] I. Santos, J. Devesa, F. Brezo, J. Nieves, and P.G. Bringas, "OPEM: A Static-Dynamic Approach for Machine Learning Based Malware Detection," in Proceedings of the International Conference CISIS'12-ICEUTE'12, Special Sessions, Advances in Intelligent Systems and Computing, vol. 189, pp. 271-280, 2013.
[12] I. Santos, J. Nieves, and P.G. Bringas, "Collective Classification for Unknown Malware Detection," in Proceedings of the International Conference on Security and Cryptography, Seville, 18-21 July 2011.
[13] G. Savan and B. Kaushal, "Techniques for Malware Analysis," International Journal of Advanced Research in Computer Science and Software Engineering, vol. 3, no. 4, April 2013, ISSN 2277 128X.
[14] R. Tian, L. Batten, and S. Versteeg, "Function Length as a Tool for Malware Classification," in Proceedings of the 3rd International Conference on Malicious and Unwanted Software, 2008.
[15] R. Tian, L. Batten, R. Islam, and S. Versteeg, "An Automated Classification System Based on the Strings of Trojan and Virus Families," in Proceedings of the 4th International Conference on Malicious and Unwanted Software, Montréal.
[16] R. Tian, M.R. Islam, L. Batten, and S. Versteeg, "Differentiating Malware from Cleanwares Using Behavioral Analysis," in Proceedings of the 5th International Conference on Malicious and Unwanted Software (Malware), Nancy, 19-20 October 2010, pp. 23-30.
[17] V. Mehra, D. Uppal, and V. Verma, "Basic Survey on Malware Analysis, Tools and Techniques," 2014; Trend Micro, "A Brief History of Mobile Malware."
[18] M.F. Zolkipli and A. Jantan, "An Approach for Malware Behavior Identification and Classification," in Proceedings of the 3rd International Conference on Computer Research and Development, Shanghai, pp. 11-13, March 2011.
[19] Y. Zhou and X. Jiang, "Dissecting Android Malware: Characterization and Evolution," in Proceedings of the IEEE Symposium on Security and Privacy, 2012.
[20] N. DuPaul, "Common Malware Types," 12 October 2012. [Online]. Available: https://ww.veracode.com/blog/2012/10/common-malware-types-cybersecurity-101 [Accessed 21 December 2017].
[21] L.K. Yan and H. Yin, "DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis," in Proceedings of the USENIX Security Symposium, 2012.
[22] T. Bläsing, L. Batyuk, A.D. Schmidt, S.A. Campete, and S. Albayrak, "An Android Application Sandbox System for Suspicious Software Detection," in Proceedings of the 5th IEEE International Conference on Malicious and Unwanted Software (Malware), 2010.
[23] A. Shabtai, U. Kanonov, Y. Elovici, C. Glezer, and Y. Weiss, "Andromaly: a behavioral malware detection framework for Android devices," Journal of Intelligent Information Systems, vol. 38, no. 1, 2012.
[24] Y. Robiah, S. Rahayu, M.M. Zaki, S. Shahrin, M.A. Faizal, and R. Marliza, "A new generic taxonomy on hybrid malware detection technique," arXiv preprint arXiv:0909.4860, 2009.
[25] I. Burguera, U. Zurutuza, and S. Nadjm-Tehrani, "Crowdroid: behavior-based malware detection system for Android," in Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, 2011.
[26] "Mind the (Security) Gaps: The 1H 2015 Mobile Threat Landscape - Security News - Trend Micro USA." [Online]. Available: http://www.trendmicro.com/vinfo/us/security/news/mobile-safety/mindthe-security-gaps-1h-2015-mobile-threat-landscape [Accessed 08 December 2017].