Abstract

With the increasing amount of financial malware, the security community has turned its attention to Android financial malware. However, what constitutes Android financial malware is still ambiguous. A comprehensive understanding of existing Android financial malware attacks, supported by a unified terminology, is required for the deployment of reliable defence mechanisms against these attacks. In this paper, we address this issue and devise a taxonomy of Android financial malware attacks. With the proposed taxonomy, we intend to: give researchers a better understanding of these attacks; explore the characteristics of Android financial malware; and provide a foundation for organizing research efforts within this specific field. To evaluate the proposed taxonomy, we gathered a large collection of Android financial malware samples representing 32 families, selected based on the main characteristics defined in the taxonomy. We discuss the characterization of these families in terms of malware installation, activation and attacks, and derive a set of research questions: how does the malware spread to Android users? How does the malware activate itself on the phone? What happens after the malware has reached the Android system? The evaluation and characterization of this taxonomic model for Android financial malware suggests the possibility of automatic malware categorization, which can save malware analysts the time spent correlating various symptoms of malicious behavior; this combination provides a systematic overview of malware capabilities, which can help analysts in the malware-triage process prioritize which malware to scrutinize. We also identified a number of challenges related to Android financial malware, which can create opportunities for future research.
