[Paper] Dissecting Android Malware: Characterization and Evolution

Title Dissecting Android Malware: Characterization and Evolution [link]
Author Yajin Zhou and Xuxian Jiang, Department of Computer Science, NCSU. Email yajin_zhou@ncsu.edu
Publishing SP '12: Proceedings of the 2012 IEEE Symposium on Security and Privacy. Year 2012
Abstract The popularity and adoption of smartphones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples. In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.
Summary
1. Goals and contributions
  • Presenting large collection of 1260 Android malware samples in 49 malware families
  • Performing a timeline analysis of discovery based on characterization
  • Performing an evolution-based study of representative Android malware families


2. Malware Characterization

(1) Malware Installation:
  • Repackaging (86%): piggybacking a malicious payload onto a popular legitimate app and redistributing it
  • Update Attack: shipping an update component that fetches or downloads the malicious payload at runtime, so the initially installed app looks clean
  • Drive-by Download: enticing users into downloading "interesting" or "feature-rich" applications
  • Other standalone apps: spyware, fake apps, apps whose own functionality is purposely malicious, and apps that rely on root privilege
(2) Activation: the payload is triggered by system broadcasts such as BOOT_COMPLETED (device boot) and SMS_RECEIVED (incoming SMS), or by ACTION_MAIN when the user launches the host app
(3) Malicious Payloads
  • Privilege Escalation (36.7%): platform-level root exploits bundled in the app
  • Remote Control (93%): bot-like capability, with commands received from a C&C server
  • Financial Charge (45.3%): sending SMS to premium-rate numbers in the background
  • Information Collection: harvesting SMS messages, phone numbers and user accounts
(4) Permission Uses
  • Requested by both benign and malicious apps: INTERNET, READ_PHONE_STATE, ACCESS_NETWORK_STATE, WRITE_EXTERNAL_STORAGE
  • Requested far more often by malicious apps than by benign ones: READ_SMS, WRITE_SMS, RECEIVE_SMS, SEND_SMS
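The activation mechanisms in (2) and the permission pattern in (4) are both visible in an app's manifest before it is run. The following added example (not code from the paper) parses a constructed AndroidManifest.xml, flags receivers registered for BOOT_COMPLETED and SMS_RECEIVED, counts the SMS permissions the paper singles out, and folds them into a simple risk score; the manifest contents, the score weights and the priority threshold are illustrative assumptions, not figures taken from the paper.

```python
"""Static triage of an AndroidManifest.xml for the activation and
permission indicators described in the summary above.

Added example, not code from the paper. The manifest below is a
constructed sample resembling a repackaged app that registers boot- and
SMS-triggered receivers and requests SMS permissions. Score weights and
the priority threshold are illustrative assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PRIORITY_ATTR = f"{{{ANDROID_NS}}}priority"

# Activation actions that let a payload start without the user launching the app.
BACKGROUND_TRIGGERS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
}
# SMS permissions the paper found requested far more often by malware.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.WRITE_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}

# Constructed sample manifest (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Game">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="com.payload.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.payload.SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return permissions, background triggers and a simple risk score.

    Score (illustrative assumption): +1 per background trigger, +1 per SMS
    permission, +2 when a receiver listens for SMS_RECEIVED with a high
    priority, a pattern used to see incoming SMS (e.g. premium-service
    confirmations) before the default messaging app does.
    """
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}

    triggers = set()
    high_priority_sms = False
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in flt.findall("action")}
            triggers |= actions & BACKGROUND_TRIGGERS
            priority = flt.get(PRIORITY_ATTR)
            if "android.provider.Telephony.SMS_RECEIVED" in actions and priority:
                try:
                    if int(priority) >= 1000:  # threshold is an assumption
                        high_priority_sms = True
                except ValueError:
                    pass  # non-numeric priority: ignore rather than crash

    sms_perms = perms & SMS_PERMISSIONS
    score = len(triggers) + len(sms_perms) + (2 if high_priority_sms else 0)
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "background_triggers": sorted(triggers),
        "sms_permissions": sorted(sms_perms),
        "high_priority_sms_receiver": high_priority_sms,
        "score": score,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A manifest check like this is only a first filter: a repackaged app inherits the legitimate host's permissions, and an update-attack sample may request nothing suspicious until the downloaded component arrives, so the score is a reason to look closer, not a verdict.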
 
3. Malware Detection
(1) Anti-Virus Products
  • AVG Antivirus Free v2.9 (or AVG)
  • Lookout Security & Antivirus v6.9 (or Lookout)
  • Norton Mobile Security Lite v2.5.0.379 (Norton)
  • TrendMicro Mobile Security Personal Edition v2.0.0.1294 (TrendMicro)
(2) Detection rate (all four rely on signature-based scanning): best case 79.6%, worst case 20.2% of the 1,260 samples
Note

This paper illustrates the features Android malware has in common by analyzing a large collection (over 1,200 samples) in chronological order. It makes the case for systematic Android malware analysis, which did not exist at the time despite the rapid growth in the number of samples. The authors collected 1,260 samples and classified them into 49 families. The findings cover installation, activation, malicious payloads and permission use, and they provide useful indicators for deciding whether an application is suspicious.

Although the authors show that existing mobile anti-virus products detect these samples poorly, the biggest reason may be a lack of samples, since anti-virus detection normally depends on signatures. It would be valuable to repeat the study on a regular basis and compare how the results change over time.