
Malware Detection in Android Phones

©2017 Textbook 45 Pages

Summary

The smartphone has rapidly become an extremely prevalent computing platform, with just over 115 million devices sold in the third quarter of 2011, a 15% increase over the 100 million devices sold in the first quarter of 2011 and a 111% increase over the 54 million devices sold in the first quarter of 2010. Android in particular has seen even more impressive growth: the 60.5 million devices sold in the third quarter of 2011 were almost triple the 20.5 million sold in the third quarter of 2010, with an associated doubling of market share. This popularity has not gone unnoticed by malware authors. Despite the youth of the Android platform, there are already well-documented cases of Android malware, such as DroidDream, which was discovered in over 50 applications on the official Android Market in March 2011. Furthermore, Android's built-in security features have been found to be largely insufficient, and even non-malicious programs can unintentionally expose confidential information. A study of 204,040 Android applications conducted in 2011 found 211 malicious applications on the official Android Market and alternative marketplaces.
Using a machine learning-based classifier to detect malware presents one central challenge: given an application, we must extract some feature representation of it. To address this, we extract a heterogeneous feature set and process each feature independently using multiple kernels. We then train a One-Class Support Vector Machine on the resulting features to classify each application as benign or malicious.

Excerpt

Malik, Sapna: Malware Detection in Android Phones, Hamburg, Anchor Academic
Publishing 2017
PDF-eBook-ISBN: 978-3-96067-704-8
Print/Production: Anchor Academic Publishing, Hamburg, 2017
Bibliographical Information of the German National Library:
The German National Library lists this publication in the German National Bibliography.
Detailed bibliographic data can be found at: http://dnb.d-nb.de
All rights reserved. This publication may not be reproduced, stored in a retrieval system
or transmitted, in any form or by any means, electronic, mechanical, photocopying,
recording or otherwise, without the prior permission of the publishers.
This work, including all of its parts, is protected by copyright. Any use outside the
limits of copyright law without the consent of the publisher is prohibited and punishable.
This applies in particular to reproduction, translation, microfilming, and storage and
processing in electronic systems.
The use of common names, trade names, product designations, etc. in this work does not,
even without specific marking, justify the assumption that such names are free under
trademark and brand protection legislation and may therefore be used by anyone.
The information in this work has been compiled with care. Nevertheless, errors cannot be
ruled out entirely, and Diplomica Verlag GmbH, the authors or translators accept no legal
responsibility or liability for any remaining incorrect information and its consequences.
All rights reserved
© Anchor Academic Publishing, imprint of Diplomica Verlag GmbH
Hermannstal 119k, 22119 Hamburg
http://www.diplomica-verlag.de, Hamburg 2017
Printed in Germany

TABLE OF CONTENTS
CHAPTER 1: INTRODUCTION ... 3
BACKGROUND ... 3
MALWARE THREATS TO MOBILE OSs ... 4
ANDROID ARCHITECTURE ... 5
ANDROID RUNTIME ... 7
APPLICATION FRAMEWORK ... 7
APPLICATIONS ... 8
CHAPTER 2: METHODOLOGY ... 15
REVERSE ENGINEERING OF THE ANDROID APPLICATION ... 15
FUNCTION CALL GRAPH CREATION ... 16
FLOWDROID FEATURES ... 16
CLASSIFICATION ... 18
CHAPTER 3: VISUAL REPRESENTATION ... 27
LEVEL-0 DFD ... 27
BASIC PROGRAM STRUCTURE ... 27
CHAPTER 4: DEVELOPMENT PHASES ... 28
PREPROCESSING OF DATASET ... 28
ANALYSIS OF DATASET ... 28
CLASSIFICATION ... 28
RESULT ... 29
CHAPTER 5: APIS USED ... 30
JAVASSIST ... 30
SOOT ... 30
DEX2JAR ... 31
JD-CLI ... 32
JADX ... 32
FLOWDROID ... 32
CHAPTER 6: SCREENSHOTS ... 34
BASIC UI ... 34
CHAPTER 7: THE MAIN SOURCE CODE ... 38
CHAPTER 8: CONCLUSION ... 41
REFERENCES ... 42

CHAPTER 1: INTRODUCTION
The smartphone has rapidly become an extremely prevalent computing platform, with just over
115 million devices sold in the third quarter of 2011, a 15% increase over the 100 million
devices sold in the first quarter of 2011 and a 111% increase over the 54 million devices sold in
the first quarter of 2010 [1], [2]. Android in particular has seen even more impressive growth:
the 60.5 million devices sold in the third quarter of 2011 were almost triple the 20.5 million
sold in the third quarter of 2010, with an associated doubling of market share [2]. This
popularity has not gone unnoticed by malware authors. Despite the youth of the Android
platform, there are already well-documented cases of Android malware, such as DroidDream,
which was discovered in over 50 applications on the official Android Market in March 2011 [3].
Furthermore, the same work [3] found that Android's built-in security features are largely
insufficient, and that even non-malicious programs can (unintentionally) expose confidential
information. A study of 204,040 Android applications conducted in 2011 found 211 malicious
applications on the official Android Market and alternative marketplaces.
Using a machine learning-based classifier to detect malware presents one central challenge:
given an application, we must extract some feature representation of it. To address this, we
extract a heterogeneous feature set and process each feature independently using multiple
kernels. We then train a One-Class Support Vector Machine on the resulting features to classify
each application as benign or malicious.
Background
The number of malicious applications targeting the Android system has exploded in recent
years. The security community, well aware of this fact, has proposed several methods for the
detection of Android malware, but most of them are based on permission and API usage or on
the identification of expert-chosen features. Unfortunately, many of these approaches are
susceptible to instruction-level obfuscation techniques. Previous research on classic desktop
malware has shown that some high-level characteristics of the code, such as function call
graphs, can be used to find similarities between samples while being more robust against
certain obfuscation strategies. However, identifying similarities between graphs is a non-trivial
problem whose complexity hinders the use of these features for malware detection. In our
project we use a method for malware detection based on an efficient embedding of function
call graphs with an explicit feature map inspired by a linear-time graph kernel. In an evaluation
with 181 malware samples our method, based purely on structural features, outperforms
several related approaches and detects 69% of the malware with few false alarms, while also
allowing us to pinpoint malicious code structures within Android applications. The project gave
good results on our comparatively small dataset; with more computing resources and a larger
dataset we expect it to perform well too.
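The call-graph embedding sketched above, and the feature-extraction step the introduction describes, as an added worked example that is not code from the book: each function is labelled with a bit vector of the Dalvik instruction categories it contains, each label is combined with the labels of the function's callees by a neighborhood hash (rotate-and-XOR), and the histogram of the resulting hash values is the explicit feature map whose dot product is the linear-time graph kernel. The text does not name the kernel; the neighborhood hash kernel is assumed here. The call graphs, the 15-entry category list and the per-function labels are constructed. The One-Class SVM the book trains on these vectors is not shown; it would consume the histograms as its input.

```python
"""Explicit feature map for Android function call graphs via neighborhood hashing.

Added example, not the book's code. Graphs, labels and the instruction-category
list below are constructed for illustration.
"""
from collections import Counter
from math import sqrt

LABEL_BITS = 15
# One bit per Dalvik instruction category present in a function (constructed list).
CATEGORIES = ["invoke", "move", "const", "if", "goto", "return", "new", "array",
              "field", "static", "monitor", "throw", "switch", "cmp", "other"]
assert len(CATEGORIES) == LABEL_BITS


def function_label(categories):
    """Pack the categories a function uses into a LABEL_BITS-wide bit label."""
    label = 0
    for c in categories:
        label |= 1 << CATEGORIES.index(c)
    return label


def rot(x, k=1, bits=LABEL_BITS):
    """Left rotation within `bits` bits, so a node's own label stays
    distinguishable from its neighbours' labels after the XORs."""
    mask = (1 << bits) - 1
    return ((x << k) | (x >> (bits - k))) & mask


def neighborhood_hash(graph, labels):
    """h(v) = ROT(l(v)) XOR l(u1) XOR ... XOR l(un) over the callees u_i of v."""
    out = {}
    for node, callees in graph.items():
        h = rot(labels[node])
        for u in callees:
            h ^= labels[u]
        out[node] = h
    return out


def embed(graph, labels):
    """Histogram of neighborhood hashes: a sparse vector indexed by hash value."""
    return Counter(neighborhood_hash(graph, labels).values())


def kernel(phi_a, phi_b):
    """Dot product of two histograms; this is the graph kernel value."""
    return sum(c * phi_b.get(h, 0) for h, c in phi_a.items())


def similarity(phi_a, phi_b):
    """Cosine-normalised kernel in [0, 1]."""
    return kernel(phi_a, phi_b) / sqrt(kernel(phi_a, phi_a) * kernel(phi_b, phi_b))


def rename(graph, labels, mapping):
    """Apply an identifier-renaming obfuscation; structure and labels survive it."""
    g = {mapping[n]: [mapping[u] for u in callees] for n, callees in graph.items()}
    l = {mapping[n]: lab for n, lab in labels.items()}
    return g, l


# Constructed call graph of a small app: caller -> list of callees.
BENIGN = {
    "onCreate": ["loadSettings", "render"],
    "loadSettings": ["readFile"],
    "render": [],
    "readFile": [],
}
BENIGN_LABELS = {
    "onCreate": function_label(["invoke", "const", "return"]),
    "loadSettings": function_label(["invoke", "move", "return"]),
    "render": function_label(["field", "return"]),
    "readFile": function_label(["invoke", "array", "return"]),
}

# Same app repackaged with an extra routine reachable from onCreate (constructed).
TROJANIZED = {**BENIGN, "onCreate": BENIGN["onCreate"] + ["sendSms"], "sendSms": []}
TROJANIZED_LABELS = {**BENIGN_LABELS,
                     "sendSms": function_label(["invoke", "const", "return"])}

# ProGuard-style renaming of the benign app: names change, the graph does not.
OBFUSCATED, OBFUSCATED_LABELS = rename(
    BENIGN, BENIGN_LABELS,
    {"onCreate": "a", "loadSettings": "b", "render": "c", "readFile": "d"})

if __name__ == "__main__":
    phi_b = embed(BENIGN, BENIGN_LABELS)
    print("benign vs renamed   :", similarity(phi_b, embed(OBFUSCATED, OBFUSCATED_LABELS)))
    print("benign vs trojanized:", similarity(phi_b, embed(TROJANIZED, TROJANIZED_LABELS)))
```

The renamed app embeds to exactly the same histogram as the original (similarity 1.0), which is the robustness to identifier-level obfuscation the text claims for structural features, while the trojanized variant shares only three of its five hashed neighbourhoods with the original. Because the hash values are bit labels, an application is represented as a sparse vector of at most 2^15 dimensions, which is what makes the kernel linear in graph size.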
Malware Threats to Mobile OSs
Figure 1. Growth trend of total Android suspicious samples [4]
WHY ANDROID IS INSECURE
A study from the University of Cambridge put some hard numbers to Android's security failings.
It concludes that "on average 87.7% of Android devices are exposed to at least one of 11
known critical vulnerabilities."
Data for the study was collected through the group's "Device Analyzer" app, which has
been available for free on the Play Store since May 2011. After participants opted into the
survey, the University collected daily Android version and build number information from
over 20,400 devices. The study then compared this version information against 13 critical
vulnerabilities (including the Stagefright vulnerabilities) dating back to 2010. Each device
was then labelled "secure" or "insecure" on each day, based on whether or not its OS version was
patched against these vulnerabilities, or placed in a special "maybe secure" category if it could
have received a specialized, backported fix.
The study found that Google's Nexus devices were the most secure, with a FUM score of 5.2
out of 10. Surprisingly, LG was next with 4.0, followed by Motorola, Samsung, Sony and HTC,
respectively.
With 87% of devices flagged as insecure on any given day, the study shows how far the
Android ecosystem has to go to protect its users. Google and some OEMs have committed to a
monthly security update program, but that usually covers only devices less than two years old
(Google recently extended Nexus devices to three years) and only flagship devices. The vast
majority of Android sales are not flagship devices. Until Google re-architects Android
to support centralized, device-agnostic updates, there is no obvious solution to Android's
update problem, and a malware detector on the device itself remains a necessary layer of
defence.
Android Architecture
The Android operating system is a stack of software components, roughly divided into five
sections and four main layers, as shown in the architecture diagram below [5].
Figure 2. Android Architecture [5]
Linux kernel
At the bottom of the stack is the Linux kernel; the cited description is Linux 3.6 with
approximately 115 Android-specific patches [5], though the exact kernel version varies by
device and Android release. The kernel provides a level of abstraction between the device
hardware and the rest of the stack and contains all the essential hardware drivers (camera,
keypad, display etc.). It also handles everything Linux is good at, such as networking and a
vast array of device drivers, which take the pain out of interfacing with peripheral hardware.
From a security standpoint the kernel also supplies the process isolation Android relies on:
each installed application runs under its own Linux user ID.
Libraries
On top of the Linux kernel sits a set of native libraries, including the open-source WebKit
browser engine, the well-known C library libc, the SQLite database (a useful repository for
storing and sharing application data), libraries to play and record audio and video, the
SSL/TLS libraries responsible for transport security, and so on.
Android Libraries
This category encompasses the Java-based libraries that are specific to Android development.
Examples include the application framework libraries and those that support user-interface
building, graphics drawing and database access. A summary of some key core Android libraries
available to the Android developer follows:
· android.app - Provides access to the application model and is the cornerstone of all
Android applications.
· android.content - Facilitates content access, publishing and messaging between
applications and application components.
· android.database - Used to access data published by content providers and includes
SQLite database management classes.
· android.opengl - A Java interface to the OpenGL ES 3D graphics rendering API.
· android.os - Provides applications with access to standard operating system services
including messages, system services and inter-process communication.
· android.text - Used to render and manipulate text on a device display.
· android.view - The fundamental building blocks of application user interfaces.
· android.widget - A rich collection of pre-built user interface components such as
buttons, labels, list views, layout managers, radio buttons etc.
· android.webkit - A set of classes intended to allow web-browsing capabilities to be
built into applications.
These Java-based core libraries are what application bytecode references directly, which is
why API-usage features are derived from calls into them; they sit above the native C/C++
libraries described in the previous section.
Android Runtime
This is the third section of the architecture, located on the second layer from the bottom.
It provides a key component, the Dalvik Virtual Machine, a register-based virtual machine
designed and optimized for Android that executes Dalvik Executable (DEX) bytecode rather
than standard Java class files.
The Dalvik VM makes use of Linux core features such as memory management and
multi-threading, which the Java language assumes, and runs every Android application in its
own process with its own instance of the virtual machine.
The Android runtime also provides a set of core libraries which enable developers to write
Android applications using the standard Java programming language.
Note that from Android 5.0 onwards Dalvik has been replaced by the Android Runtime (ART),
which compiles DEX bytecode ahead of time (later versions add a JIT as well). The DEX
format itself is unchanged, so the reverse-engineering tools listed in Chapter 5 (dex2jar,
JADX, Soot) apply to applications targeting either runtime.
Application Framework
The Application Framework layer provides many higher-level services to applications in the
form of Java classes. Application developers make use of these services in their applications.
The Android framework includes the following key services:
· Activity Manager - Controls all aspects of the application lifecycle and the activity stack.
· Content Providers - Allow applications to publish and share data with other
applications.
· Resource Manager - Provides access to non-code embedded resources such as strings,
color settings and user interface layouts.
· Notifications Manager - Allows applications to display alerts and notifications to the
user.
· View System - An extensible set of views used to create application user interfaces.
Applications
All Android applications live in the top layer; an application you write is installed into this
layer only. Examples of such applications are the Contacts book, the Browser, games and so on.
Application components are the essential building blocks of an Android application. They are
loosely coupled by the application manifest file, AndroidManifest.xml, which declares each
component of the application and how the components interact.
The four main components that can be used within an Android application are:
· Activities - Define the UI and handle user interaction with the smartphone screen.
· Services - Handle background processing associated with an application.
· Broadcast Receivers - Handle communication between the Android OS and applications.
· Content Providers - Handle data and database management.
Additional Components
Further components are used in the construction of the entities above, their logic and the
wiring between them:
· Fragments - Represent a portion of the user interface in an Activity.
· Views - UI elements drawn on screen, including buttons, lists, forms etc.
· Layouts - View hierarchies that control the screen format and the appearance of the views.
· Intents - Messages wiring components together.
· Resources - External elements such as strings, constants and drawable pictures.
· Manifest - The configuration file for the application.
Malware
· More serious malware threats
· Suspicious samples increasing rapidly
Fake Installer
Android.FakeInstaller is a widespread mobile malware family. It has spoofed the Olympic
Games Results app, Skype, Flash Player, Opera and many other top applications. This is not
news in the mobile malware world: the FakeInstaller family is one of the most prevalent malware
families we have analysed, and more than 60% of the Android samples processed by McAfee
were FakeInstallers. The threat has become more dangerous with the addition of server-side
polymorphism, obfuscation, anti-reversing techniques and frequent recompilation, all to avoid
detection by antivirus solutions.
Android.FakeInstaller sends SMS messages to premium-rate numbers without the user's
consent, passing itself off as the installer for a legitimate application. There are a large number
of variants of this malware, and it is distributed through hundreds of websites and fake markets.
Its spread increases every day.
Figure 3. Icons of Android.FakeInstallers.
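A static check for the premium-SMS behaviour just described, as an added example that is not code from the book or from McAfee. It combines the manifest-level features introduced in the Applications section (declared permissions, plus a high-priority SMS_RECEIVED receiver, which lets the malware swallow the carrier's confirmation and billing replies before the user's messaging app sees them) with a smali-level scan for SmsManager.sendTextMessage calls whose destination register was loaded from a constant short code. Both inputs are constructed stand-ins for what apktool/baksmali would produce from an APK (the manifest inside an APK is binary XML and must be decoded first); the package name, the short code "7151", the field name and the method bodies are invented.

```python
"""Manifest + smali heuristic for FakeInstaller-style premium-SMS fraud.

Added example, not code from the book. MANIFEST and SMALI are constructed
inputs standing in for apktool/baksmali output; every identifier in them is invented.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SEND_SMS = "android.permission.SEND_SMS"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeinstaller">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Two methods: one sends to a hard-coded short code, one to a number read from a
# field (destination unknown to a static scan). Signatures are the real framework ones.
SMALI = """.method private pay()V
    .locals 6
    const-string v1, "7151"
    const-string v3, "GET 2 12"
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    const/4 v2, 0x0
    const/4 v4, 0x0
    const/4 v5, 0x0
    invoke-virtual {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
.method private notifyFriend()V
    .locals 6
    iget-object v1, p0, Lcom/example/fakeinstaller/Main;->friend:Ljava/lang/String;
    const-string v3, "hello"
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    const/4 v2, 0x0
    const/4 v4, 0x0
    const/4 v5, 0x0
    invoke-virtual {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method"""

CONST_STRING = re.compile(r'^\s*const-string\s+([vp]\d+),\s*"([^"]*)"')
SEND_TEXT = re.compile(r'^\s*invoke-virtual\s+\{([^}]*)\},\s*'
                       r'Landroid/telephony/SmsManager;->sendTextMessage\(')
SHORT_CODE = re.compile(r'^\d{3,6}$')  # premium short codes are 3-6 digits


def manifest_features(xml_text):
    """Permission and receiver facts from a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    name = f"{{{ANDROID_NS}}}name"
    priority = f"{{{ANDROID_NS}}}priority"
    perms = {e.get(name) for e in root.iter("uses-permission")}
    intercepts_sms = any(
        int(f.get(priority, "0")) > 0
        and any(a.get(name) == SMS_RECEIVED for a in f.iter("action"))
        for f in root.iter("intent-filter"))
    return {"send_sms": SEND_SMS in perms, "intercepts_sms": intercepts_sms}


def smali_sms_destinations(smali_text):
    """Constant destination numbers passed to sendTextMessage, None if unknown.
    Tracks the last const-string loaded into each register within a method and
    resolves the register used as the first argument after the receiver."""
    regs, found = {}, []
    for line in smali_text.splitlines():
        if line.startswith(".method"):
            regs = {}  # register contents do not survive a method boundary
        m = CONST_STRING.match(line)
        if m:
            regs[m.group(1)] = m.group(2)
        m = SEND_TEXT.match(line)
        if m:
            args = [a.strip() for a in m.group(1).split(",")]
            found.append(regs.get(args[1]))  # args[0] is the SmsManager instance
    return found


def fake_installer_score(xml_text, smali_text):
    """0-3: SEND_SMS declared, SMS_RECEIVED intercepted, constant short-code destination."""
    feats = manifest_features(xml_text)
    hits = [d for d in smali_sms_destinations(smali_text) if d and SHORT_CODE.match(d)]
    return feats["send_sms"] + feats["intercepts_sms"] + bool(hits), hits
```

The scan is deliberately string-level, and that is its weakness: string encryption or reflective invocation of sendTextMessage, both listed above among FakeInstaller's anti-reversing techniques, blind the smali half of the check while leaving the call graph's shape intact, which is the motivation for the structural features the Background section argues for.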

Details
Pages: 45
Type of edition: First edition
Year: 2017
ISBN (PDF): 9783960677048
ISBN (Softcover): 9783960672043
File size: 5.7 MB
Language: English
Publication date: 2017 (November)
Grade: A
Keywords: Android malware, DroidDream, machine learning-based classifier, One-Class Support Vector Machine, Android application, information security, kernel, operating system, smartphone application, Android security