Mobile Malware Research Articles

A Two-Layer Deep Learning Method for Android Malware Detection Using Network Traffic

Because of the characteristic of openness and flexibility, Android has become the most popular mobile platform. However, it has also become the most targeted system by mobile malware. It is necessary for the users to have a fast and reliable detection method. In this paper, a two-layer method is proposed to detect malware in Android APPs. The first layer is permission, intent and component information based static malware detection model. It combines the static features with fully connected neural network to detect the malware and test its effectiveness through experiment, the detection rate of the first layer is 95.22%. Then the result (benign APPs from the first layer) is input into the second layer. In the second layer, a new method CACNN which cascades CNN and AutoEncoder, is used to detect malware through network traffic features of APPs. The detection rate of the second layer is 99.3% in binary classification (2-classifier). Moreover, the new two-layer model can also detect malware by its category (4-classifier) and malicious family (40-classifier). The detection rates are 98.2% and 71.48% respectively. The experimental results show that our two-layer method not only can achieve semi-supervise learning, but also can effectively improve the detection rate of malicious Android APPs.

Stochastic Modeling of IoT Botnet Spread: A Short Survey on Mobile Malware Spread Modeling

The Internet of Things (IoT) devices are being widely deployed and have been targeted and victimized by malware attacks. The mathematical modelling for an accurate prediction of malicious spreads of botnets across IoT networks is of great importance. Suppose the spread of IoT botnets can be predicted using mathematical models, the security community can then take the necessary steps to deter an outbreak of botnet attacks and minimize the damage caused by malware. This paper surveys mobile malware epidemiological models to understand the mechanisms and dynamics of malware spread for IoT botnets. We describe the characteristics of IoT botnets based on the Susceptible-Infection-Recovery-Susceptible and Susceptible-Exposed-Infection-Recovery-Susceptible epidemic models. These models extend the traditional SIR (Susceptible-Infection-Recovery) model by adding extra states and parameters specific to the epidemic spread of IoT botnets. We use mathematical modelling to simulate complex spreading processes of IoT botnets and interpret the influence of an epidemic on distributed denial of service attacks. We use MATLAB and R to illustrate the use of a stochastic IoT botnet transmission model in the identification and mitigation of challenges towards minimizing the impact of devastating IoT botnet epidemics.

A Power-Efficient Approach to Detect Mobile Threats on the Emergent Network Environment

Mobile and IoT devices are blooming, and their applications are prevailing worldwide. In the meantime, the Industry 4.0 trend converges industrial control systems with the internet environment, which makes it vulnerable. Mobile and IoT applications provide seamless connectivity to the emergent network environment for daily work. As mobile phones contain privacy information, malicious mobile applications could compromise mobile devices and cause financial losses. Moreover, attackers could launch DDoS attacks to exhaust a resource of mobile or IoT devices in the emergent network environment. Static malware analysis consumes less computing resources and power than dynamic analysis. This study proposes a power-efficient solution to identify mobile threats, which applies taint analysis to protect the emergent network environment. The experimental results show that the proposed approach could detect mobile malware efficiently.

Security-oriented view of app behaviour using textual descriptions and user-granted permission requests

One of the major Android security mechanisms for enforcing restrictions on the core facilities of a device that an app can access is permission control. However, there is an enormous amount of risk with regards to granting permissions since 97% of malicious mobile malware targets Android. As malware is becoming more complicated, recent research proposed a promising approach that checks implemented app behaviour against advertised app behaviour for inconsistencies. In this paper, we investigate such inconsistencies by matching the permission an app requests with the natural language descriptions of the app which gives an intuitive idea of user expected behaviour of the app. Then, we propose exploiting an enhanced app description to improve malware detection based on app descriptions and permissions. To evaluate the performance, we carried out various experiments with 56K apks. Our proposed enhancement reduces the false positives of the state-of-the-art approaches, Whyper, AutoCog, CHABADA by at least 87%, and TAPVerifier by at least 57%. We proposed a novel approach for evaluating the robustness of textual descriptions for permission-based malware detection. Our experimental results demonstrate a high detection recall rate of 98.72% on 71 up-to-date malware families and a precision of 90% on obfuscated samples of benign and malware apks. Our results also show that analysing sensitive permissions requested and UI textual descriptions provides a promising avenue for sustainable Android malware detection.

Mining nested flow of dominant APIs for detecting android malware

According to the Kaspersky Lab threat report, mobile malware attacks almost doubled in 2018. A study conducted in 2018 by Accenture found malware attacks to be the most expensive to resolve. Android Operating System (OS) is the most dominating platform on mobile devices. This makes Android OS susceptible to malware attacks. We need to develop new techniques and methods to stop this influx of malware attacks. In this paper, we propose a novel technique named DroidDomTree that mines the dominance tree of API (Application programming interface) calls to find similar patterns in Android applications for detecting malware. Dominance is a transitive relation. A dominance tree of API calls highlights a strong flow of path and identifies the nesting structure of APIs and hence emphasizes the importance of certain APIs in an application. It also helps in finding modules and their interaction in an application. If a malicious module is embedded in an application, then this provides strong evidence that the application contains malware. We use these properties and develop a nested model of the dominance tree of API calls and a new scheme for assigning weights to each node in the dominance tree for efficient feature selection. During 10-fold cross-validation, with eight different classifiers using real malware Android applications, DroidDomTree achieved detection rates in the range of 98.1%–99.3% and false positive rates in the range of 1.7%–0.4%.

Mobile Malware Classification based on Phylogenetics

Security researchers and practitioners face many challenges in mitigating mobile malware attacks against smartphones. Ranges of techniques have been developed by different developers to ensure that smartphones remain free from such attacks. However, we still lack efficient techniques to mitigate mobile malware attacks, especially for the iOS platform. Hence, this paper presents mobile malware classifications based on phylogenetics that can be used for mobile malware detection with regard to the iOS platform. Phylogenetics have been used as the basis concept associated with forming a mobile malware classification based on similar malware behavior, vulnerability exploitation and mobile phone surveillance features that originate from the same family of specific malware practices. A mobile malware classification based on the phylogenetic concept and on mathematical formulations has been developed for this purpose, and proof of the concept has been sought to support this new classification. This research was conducted in a controlled lab environment using open source tools and by applying dynamic analysis. Consequently, this paper can be used as reference for other researchers with the same interest in future.

EC2: Ensemble Clustering and Classification for Predicting Android Malware Families

As the most widely used mobile platform, Android is also the biggest target for mobile malware. Given the increasing number of Android malware variants, detecting malware families is crucial so that security analysts can identify situations where signatures of a known malware family can be adapted as opposed to manually inspecting behavior of all samples. We present EC2 ( E nsemble C lustering and C lassification), a novel algorithm for discovering Android malware families of varying sizes —ranging from very large to very small families (even if previously unseen). We present a performance comparison of several traditional classification and clustering algorithms for Android malware family identification on DREBIN, the largest public Android malware dataset with labeled families. We use the output of both supervised classifiers and unsupervised clustering to design EC2 . Experimental results on both the DREBIN and the more recent Koodous malware datasets show that EC2 accurately detects both small and large families, outperforming several comparative baselines. Furthermore, we show how to automatically characterize and explain unique behaviors of specific malware families, such as FakeInstaller , MobileTx , Geinimi . In short, EC2 presents an early warning system for emerging new malware families, as well as a robust predictor of the family (when it is not new) to which a new malware sample belongs, and the design of novel strategies for data-driven understanding of malware behaviors.

Review of Mobile Malware Forensic

Developments in the world of information technology have brought security needs, ethical and social responsibilities, risks and inconveniences. The dramatic increase and spread of smartphone usage, especially in line with advances in mobile technology, has led to an increase in IT crimes committed on smartphones. The increase in the processing of information crimes via smartphones has necessitated the investigation of informatics crimes and produced many analysis softwares&methods. Particularly in Turkey, by the usage of ByLock and Eagle apps by FETO criminals, mobile forensic became the most important proof of evidence of being a member of the terroristic organization. Afterwards, it was discovered that the malicious software was infected to some of nun-member suspects’ mobile phones by Morbeyin operation which was discovered and revealed by mobile malware forensic experts. Thousands of innocents have suffered because of this malware. This kind of threats is also considered to have some negative impact of m-government solutions and development. In the field of forensic crimes, there has been a subcategory of investigation of smart phones and mobile phones. In this study, the important details about the examination of smartphones within the scope of forensic computing are analyzed by comparing various mobile software, applications and studies.

Towards Deep Learning-Based Approach for Detecting Android Malware

In this article, the authors implement a deep learning environment and fine-tune parameters to determine the optimal settings for the classification of Android malware from extracted permission data. By determining the optimal settings, the authors demonstrate the potential performance of a deep learning environment for Android malware detection. Specifically, an extensive study is conducted on various hyper-parameters to determine optimal configurations, and then a performance evaluation is carried out on those configurations to compare and maximize detection accuracy in our target networks. The results achieve a detection accuracy of approximately 95%, with an approximate F1 score of 93%. In addition, the evaluation is extended to include other machine learning frameworks, specifically comparing Microsoft Cognitive Toolkit (CNTK) and Theano with TensorFlow. The future needs are discussed in the realm of machine learning for mobile malware detection, including adversarial training, scalability, and the evaluation of additional data and features.

Malware Mobile Devices in Indonesia

The number of mobile devices and information technology supporting applications is currently very diverse. Ranging from expensive to cheap, even new and used. On the other hand, the increase in connections needed every year always increases along with its development. Both of these are always accompanied by increasing crime in cyberspace so that the level of risk and threats that arise will also always spread threats from time to time. Many people do not understand what cyber risk is, its impact and how minimal handling is needed to overcome the above. This research was conducted to provide an overview of cybersecurity information to anyone about the amount of malware on existing and scattered devices and the user behavior itself. It starts with scanning network traffic, type of malware, then the patterns and its characteristics. On the other hand, this also provides input on how to make minimal handling as a way to control cybersecurity. The aim of the work is to focus on establishing the basic behavior of a user on mobile malware for user profiling analysis.

Identifying Malware on Cyber Physical Systems by incorporating Semi-Supervised Approach and Deep Learning

Malicious applications can be a security threat to Cyber-physical systems as the Cyber-physical systems are composed of heterogeneous distributed systems and mostly depends on the internet, ICT services and products. The usage of ICT products and the services gives the opportunity of less expensive data collection, intelligent control and decision systems using automated data mining tools. Cyber-physical systems become exposed to the internet and the public networks as it has integrated to the ICT networks for easy automated options. Cyber-attacks can lead functional failure, blackouts, energy theft, data theft etc. and this will be critical security concern of Cyber-physical systems. At present, the mobile devices are replacing the pc environment and become a key element of Internet of Things. Therefore, it is essential to develop such a malware detection engine that will identify the mobile malware and reduce the spreading of the malicious code through mobile devices. This research work will identify the malware by incorporating semi-supervised approach and deep learning. The original and significant contributions are to propose an effective malware detection model by incorporating semi-supervised approach and deep learning, to implement the model using parallel processing and to evaluate the performance of the model using recent dataset. Here we have used the permission and the API call as the features. The proposed method has been tested on the real mobile malware data set and it shows improvement in accuracy. The Experimental results show that the deep learning along with semi-supervised method will be an effective way to identify the malware and it outperforms other detection methods.

System Call Dependence Graph Based Behavior Decomposition of Android Applications

Millions of developers and third-party organizations have flooded into the Android ecosystem due to Android’s open-source feature and low barriers to entry for developers. .However, that also attracts many attackers. Over 90 percent of mobile malware is found targeted on Android. Though Android provides multiple security features and layers to protect user data and system resources, there are still some overprivileged applications in Google Play Store or third-party Android app stores at wild. In this paper, we proposed an approach to map system level behavior and Android APIs, based on the observation that system level behaviors cannot be avoidedbut sensitive Android APIs could be evaded.To the best of our knowledge, our approach provides the first work to decompose Android application behaviors based on system-level behaviors. We then map system level behaviors and Android APIs through System Call Dependence Graphs. The study also shows that our approach can effectively identify potential permission abusing, with an almost negligible performance impact.

XSS MBot: Mobile Botnet for Stealthy DDoS Attacks

Mobile devices are overgrowing; nowadays people are using mobile devices for different activities. Over the years malware attacks on mobile devices are increasing, the primary intention of the attacker is to steal sensitive information and turn the infected mobile device into a member of the botnet. We studied differences between traditional botnets and mobile botnets, also analyzed different mobile botnet attacks. Mobile malware applications spread through Cross-site Scripting vulnerabilities in trusted websites. Developed a mobile malware which can perform Denial-of-service attacks and used this malware to test and review mobile botnet attacks. We also studied solutions to prevent these mobile botnet attacks.

Android Malware Detection Using Complex-Flows

This paper proposes a new technique to detect mobile malware based on information flow analysis. Our approach examines the structure of information flows to identify patterns of behavior present in them and which flows are related, those that share partial computation paths. We call such flows Complex-Flows, as their structure, patterns, and relations accurately capture the complex behavior exhibited by both recent malware and benign applications. N-gram analysis is used to identify unique and common behavioral patterns present in Complex-Flows. The N-gram analysis is performed on sequences of API calls that occur along Complex-Flows’ control flow paths. We show the precision of our technique by applying it to four different data sets totaling 8,598 apps. These data sets consist of both recent and older generation benign and malicious apps to demonstrate the effectiveness of our approach across different generations of apps.

Opcode sequence analysis of Android malware by a convolutional neural network

SummaryThe number of malware has exploded due to the openness of the Android platform, and the endless stream of malware poses a threat to the privacy, tariffs, and device of mobile phone users. A novel Android mobile malware detection system is proposed, which employs an optimized deep convolutional neural network to learn from opcode sequences. The optimized convolutional neural network is trained multiple times by the raw opcode sequences extracted from the decompiled Android file, so that the feature information can be effectively learned and the malicious program can be detected more accurately. More critically, the k‐max pooling method with better results is adopted in the pooling operation phase, which improves the detection effect of the proposed method. The experimental results show that the detection system achieved the accuracy of 99%, which is 2%‐11% higher than the accuracy of the machine learning detection algorithms when using the same data set. It also ensures that the indicators, such as F1‐score, recall, and precision, are maintained above 97%. Based on the detection system, a multi–data set comparison experiment is carried out. The introduced k‐max pooling is deeply studied, and the effect of k of k‐max pooling on the overall detection effect is observed.

Detection of Social Media Exploitation via SMS and Camera

Internet users all over the world are highly exposed to social media exploitation, where they are vulnerable to be targeted by this cyber-attack. Furthermore, excessive use of social media leads to Internet Addiction Disorder (IAD). Fortunately, social media exploitation and IAD can be monitored and controlled closely based on user’s mobile phone surveillance features which are camera, SMS, audio, geolocation (GPS) and call log. Hence to overcome these challenges, this paper presents five (5) Application Programming Interfaces (APIs) and four (4) permissions for SMS and camera that are mostly and widely used with the social media applications. These 9 APIs and permissions matched with 2.7% of the APIs and permissions training dataset that are related with SMS and camera. This experiment was conducted by using hybrid analysis, which inclusive of static analysis and dynamic analysis, with 1926 training dataset from Brunswick. These 9 APIs and permissions, if being misused by the attacker, could lead to privacy concerns of a mobile device. The finding from this paper can be used as a guidance and reference for the formation of new mobile malware detection technique and modeling in future.

Mobile malware attacks: Review, taxonomy & future directions

A pervasive increase in the adoption rate of smartphones with Android OS is noted in recent years. Android’s popular and attractive environment not only captured the attention of users but also increased security concerns. As a result, Android malware detection is one of the sizzling topics in the mobile security domain. This paper provides a comprehensive review of state-of-the-art mobile malware attacks, vulnerabilities, detection techniques and security solutions over the period of 2013–2019 that majorly targeted Android platform. We have presented various well-organized and in-depth taxonomies that uncover mobile malware detection approaches based on their analysis techniques, working platform, data acquisition, operational impact, obtained results and artificial intelligence component involved. Another taxonomy comprises of mobile malware attack vector is presented to look threat clusters and loopholes to locate their malicious widespread impact on communities. Furthermore, we have discussed and classified forensic analysis efforts in mobile malware detection perspective. From the intruder point of view, we have compared various evasion techniques that are used prominently by the malware authors to hinder detection efforts. Finally, future work directions are presented as guidelines for academia and industry alike to help them reduce or even avoid the harmful impact of these annoying efforts.

Time, accuracy and power consumption tradeoff in mobile malware detection systems

In order to incorporate mobile malware detection into embedded systems and Internet of Things (IoT) the question of optimizing the tradeoff between detection accuracy, detection time and power consumption with respect to different application-specific goals and how it can be achieved, must be addressed as malware detection in real-time scenarios is an important and, furthermore, critical problem. To solve this problem, we first introduce a methodology based on multi-objective optimization, able to achieve customized detection solutions with respect to the mentioned requirements and application-specific goals. Then, we apply this methodology for developing a customized malware detection system to Android. We use this system also to discover the dependencies between its parameters, namely the monitoring period and detection algorithm parameters, and our optimization objectives, namely detection accuracy, detection time, and power consumption. Our results show that one of the most influential parameters in optimizing time, accuracy and power tradeoff, that is frequently neglected in related work, is a selection of a suitable monitoring interval. This selection must be accompanied by a carefully chosen set of suitable detection algorithm parameters to maximize the effectiveness and efficiency of the detection system.

A mobile malware detection method using behavior features in network traffic

Android has become the most popular mobile platform due to its openness and flexibility. Meanwhile, it has also become the main target of massive mobile malware. This phenomenon drives a pressing need for malware detection. In this paper, we propose a lightweight framework for Android malware identification. Network traffic generated by mobile app is mirrored from the wireless access point to the server for data analysis. All data analysis and malware detection are performed on the server side, which consumes minimum resources on mobile devices with minimum impacts to user experience. Due to the difficulty in identifying disparate malicious behaviors of malware from the network traffic, our method performs a multi-level network traffic analysis, gathering as many features of network traffic as necessary. The proposed method combines network traffic analysis with machine learning algorithm (C4.5) that is capable of identifying Android malware with high accuracy. In an evaluation with 8,312 benign apps and 5,560 malware samples, our method performs better than other state-of-the-art approaches, and especially when combining two detection mechanisms, it achieves a detection rate of 97.89%. In addition, for the benefit of user, this framework not only displays the final detection results, but also analyzes the behind-the-curtain reason of malicious results. The result explanation also reveals insightful behavioral characteristics of mobile malware.

PrivacyContext: identifying malicious mobile privacy leak using program context

Serious concerns have been raised about user's privacy leak in mobile apps, and many detection approaches are proposed. To evade detection, new mobile malware starts to mimic privacy-related behaviours of benign apps, and mix malicious privacy leak with benign ones to reduce the chance of being observed. Since prior proposed approaches primarily focus on the privacy leak discovery, these evasive techniques will make differentiating between malicious and benign privacy disclosures difficult during privacy leak analysis. In this paper, we propose PrivacyContext to identify malicious privacy leak using context. PrivacyContext can be used to purify privacy leak detection results for automatic and easy interpretation by filtering benign privacy disclosures. Experiments show PrivacyContext can perform an effective and efficient static privacy disclosure analysis enhancement and identify malicious privacy leak with 92.73% true positive rate. Evaluation also indicates that to keep the accuracy of privacy disclosure classification, our proposed contexts are all necessary.