International Journal of Mobile Network Communications & Telematics ( IJMNCT) Vol.7, No.4/5/6, December 2017
MALWARE DETECTION TECHNIQUES FOR MOBILE DEVICES
Belal Amro, College of Information Technology, Hebron University
ABSTRACT
Mobile devices have become very popular due to their portability and high performance; a mobile
device is now a must for anyone using information and communication technologies. In addition to
the rapid evolution of the hardware, mobile applications are also increasing in complexity and
performance to cover most of the needs of their users. Both software and hardware design have
focused on increasing performance and the working hours of a mobile device. Different mobile
operating systems are in use today, with different platforms and different market shares. Like all
information systems, mobile systems are prone to malware attacks. Because mobile devices are
personal and hold private data, malware detection is very important and is a must-have tool on
each device to protect private data and mitigate attacks. In this paper, we study and analyze the
different malware detection techniques used for mobile operating systems. We focus on the two
competing mobile operating systems, Android and iOS. We assess each technique, summarizing its
advantages and disadvantages. The aim of the work is to establish a basis for developing a mobile
malware detection tool based on user profiling.
KEYWORDS
Malware, malware detection, mobile device, mobile application, security, privacy
1. INTRODUCTION
During the last 10 years, mobile device technologies have grown rapidly due to the daily increase
in the number of users and facilities; according to [1], the number of mobile users reached
4.92 billion worldwide in 2017. Current mobile devices serve many purposes: camera, tablet, web
browser, and so on. According to Gartner figures on smartphones, Android and iOS are the two
dominant operating systems, with a combined market share of 99.6% (81.7% for Android and
17.9% for iOS) [2].
A general comparison between the Android and iOS mobile operating systems is provided by Aijaz
Sheikh et al. [3]. Table 1 below shows some specifications of both Android and iOS.
Table 1: Specifications of Android and iOS
The Android operating system is divided into four layers, as shown in Figure 1. The Linux kernel
is the bottom layer, responsible for abstracting the device hardware. The libraries layer contains
a set of native libraries including WebKit, libc, and SSL, together with the Android runtime and
its Java-based libraries such as android.view and android.widget. The application framework layer
provides higher-level services to applications in the form of Java classes. The top layer is the
application layer, where the installed applications run.
DOI: 10.5121/ijmnct.2017.7601
Figure 1: Android architecture
The iOS architecture is shown in Figure 2. The Cocoa Touch layer contains the frameworks for
building iOS apps. The Media layer contains the graphics, video, and audio technologies for iOS
apps. The Core Services layer contains the fundamental system services for iOS apps. At the
bottom, the Core OS layer contains the low-level features that most other technologies are built
upon [4].
Figure 2: iOS architecture
In terms of application distribution, Android applications are mostly distributed through Google
Play, where more than half of the applications are free. Apple applications are distributed
through the App Store, where almost a quarter of the applications are free. An important
difference is that every iOS application on the App Store is reviewed before it is released,
whereas Google Play relies largely on automated scanning [6]. This review step has made App Store
applications more reliable than those on Google Play [5].
The rest of the paper is organized as follows: a summary of mobile malware is provided in
Section 2. Section 3 describes malware spreading techniques. Malware evasion techniques are
presented in Section 4. The detection techniques used by anti-malware programs are described in
Section 5. Finally, Section 6 summarizes the work done in this paper.
2. MOBILE MALWARE ANALYSIS
In this section, we provide a summary of mobile malware including Trojans, backdoors,
ransomware, botnets, and spyware. Statistical data about malware and its distribution is
provided as well.
MOBILE MALWARES:
As reported by Skycure [31], one third of mobile devices have a medium to high risk of data
disclosure, and Android devices are nearly twice as likely to carry malware as iOS devices. In
this subsection, we explain some of the most important families of mobile malware.
TROJANS:
A Trojan is software that appears to the user to be a benign application but performs malicious
acts in the background [6]. Trojans are used to help attack a system by performing acts that
compromise its security and hence make it easier to take over. Examples of Trojans are FakeNetflix
[7], which collects the user's Netflix account credentials on Android, and KeyRaider, which was
used to steal Apple IDs and passwords from jailbroken iOS devices [17].
BACK DOORS – ROOT EXPLOITS
A backdoor gives the attacker hidden access to the device; a root exploit escalates the malware
to root privilege, which in turn lets it hide from anti-virus tools. Rage Against The Cage (RATC)
is one of the most popular Android root exploits and gains full control of the device [8]. Once
the root exploit succeeds, the malware can perform any operation on the device, including the
installation of further applications, while keeping the user unaware of it [9]. In iOS, Xagent is
a Trojan that opens a back door and steals information from the compromised device [16].
RANSOMWARE
Ransomware prevents users from accessing their data by locking the device or encrypting the data
files until a ransom is paid. FakeDefender.B [10] is Android malware posing as Avast antivirus; it
locks the victim's device to extort money. An iOS case was reported in 2017: scammers abused a
Safari bug in the handling of pop-up dialogs to lock the browser in an endless loop and demand
payment [35]. It encrypted nothing, could be cleared by emptying the Safari cache, and the bug was
fixed in iOS 10.3.
BOTNETS
A "bot" is a type of malware that lets an attacker take control of an infected mobile device;
bots are also known as "web robots". Infected devices form a network known as a "botnet",
typically made up of victim devices spread across the globe that receive commands from a
command-and-control server. Geinimi [11] is one of the Android botnets.
SPYWARE
Spyware is simply spying software. It runs unnoticed in the background while it collects
information or gives remote access to its author. Nickspy [12] and GPSSpy [13] are examples of
Android spyware that monitor the user's confidential information and send it to the attacker. An
example of iOS spyware is Passrobber [16], which runs on jailbroken devices and intercepts outgoing
SSL communications, searches them for Apple IDs and passwords, and sends the stolen credentials to
a command-and-control (C&C) server.
MOBILE MALWARE STATISTICS:
In this section, we provide some statistics about mobile malware attacks. The number of mobile
malware samples has increased dramatically over the last two years. According to McAfee Labs
[28], the total number of mobile malware samples exceeded 16 million in the first quarter of
2017, as shown in Figure 3.
Figure 3: Total mobile malware
Looking at the global mobile malware infection rate reported by McAfee Labs in 2017 [28],
Figure 4 shows a significant increase in the infection rate for the first quarter of 2017.
Figure 4: Global mobile malware infection rates
Kaspersky Labs [32] reported the distribution of new mobile malware in the years 2015 and 2016,
as shown in Figure 5:
Figure 5: Distribution of mobile malware
As reported by LookingGlass [33], "in 2015, the threat actors shift their tactics to smaller
targets with mobile-ransomware focusing more on individuals and less on corporations. The Bring
Your Own Device (BYOD) environment became more pervasive with organizations realizing the
importance of establishing concrete BYOD policies".
A survey of security professionals conducted by Dimensional Research [34] reported that they are
unprepared for, and not confident about, emerging mobile security issues, and that mobile devices
are expected to come under increasing attack. From this section, we see that mobile threats are
increasing rapidly and are becoming more targeted. This leads us to expect serious damage in the
near future unless efficient tools are developed and used.
3. MALWARE SPREADING TECHNIQUES
To mitigate malware attacks, we should be aware of how malware spreads. In this section, we
categorize malware spreading techniques into repackaging, drive-by download, dynamic payloads, and
stealth techniques.
REPACKAGING
Malware authors take popular mobile applications from the official market, repackage them, and
distribute the result on less-monitored third-party markets. Repackaging consists of disassembling
the popular benign app, adding the malicious content, reassembling it and signing it with the
attacker's own key, since the original developer's signing key is not available. This is done with
reverse-engineering tools. A Trend Micro report found that 77% of the top 50 free apps in Google
Play had repackaged versions in circulation [14].
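Because a repackager cannot re-sign with the original developer's key, the signing certificate and the modified code together give a simple static tell. The following is an added example (not code from the paper or from any of the cited tools) that diffs two zip archives laid out like APKs; both archives are constructed in memory, and the entry names and contents are invented for illustration.

```python
"""Added example: flag a repackaged APK by diffing archive entries against the
original and checking whether the v1 signing certificate changed."""
import hashlib
import io
import zipfile


def build_apk(entries: dict) -> bytes:
    """Construct a minimal zip-shaped 'APK' from {entry name: bytes} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_hashes(apk: bytes) -> dict:
    """Map every archive entry to the SHA-256 of its content."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}


def signer_blocks(hashes: dict) -> list:
    """v1 (JAR) signing stores the certificate as META-INF/<name>.RSA, .DSA or .EC."""
    return sorted((n, h) for n, h in hashes.items()
                  if n.startswith("META-INF/") and n.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC"))


def compare_apks(original: bytes, candidate: bytes) -> dict:
    orig, cand = entry_hashes(original), entry_hashes(candidate)
    added = sorted(set(cand) - set(orig))
    removed = sorted(set(orig) - set(cand))
    modified = sorted(n for n in set(orig) & set(cand) if orig[n] != cand[n])
    signer_changed = signer_blocks(orig) != signer_blocks(cand)
    # Code lives in classes*.dex and native lib/*.so; a changed/added code entry
    # under a different signer is the repackaging pattern described above.
    code_changed = any(n.endswith((".dex", ".so")) for n in added + modified)
    return {
        "added": added, "removed": removed, "modified": modified,
        "signer_changed": signer_changed,
        "likely_repackaged": signer_changed and code_changed,
    }


# Constructed samples: a benign flashlight app and a repackaged copy of it.
BENIGN_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.flashlight'/>",
    "classes.dex": b"dex\n035\x00benign-flashlight-code",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82original-developer-cert",
})
REPACKAGED_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.flashlight'/>",
    "classes.dex": b"dex\n035\x00benign-flashlight-code+sms-sender-payload",
    "res/layout/main.xml": b"<LinearLayout/>",
    "lib/armeabi/libpayload.so": b"\x7fELFconstructed-native-payload",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82attacker-cert",
})

if __name__ == "__main__":
    print(compare_apks(BENIGN_APK, REPACKAGED_APK))
```

A legitimate update also changes classes.dex but keeps the same signer, which is why the verdict requires both conditions. Modern APKs are additionally signed with the v2/v3 schemes, whose signature block sits outside the zip entries, so a production check should read the certificate with apksigner rather than from META-INF alone.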
DRIVE BY DOWNLOAD
Drive-by download refers to an unintentional download of malware in the background. It occurs
when a user visits a website that contains malicious content, which downloads the malware onto
the device without the user's consent. Android/NotCompatible [15] is the best-known mobile
malware of this category.
DYNAMIC PAYLOADS
The application carries its malicious code as an embedded, encrypted payload that passes static
inspection as opaque data. After installation, the application decrypts the payload and executes
the malicious code [16]. A variant fetches the payload from a remote server after installation,
so it is absent from the package that was scanned at submission time.
STEALTH MALWARE TECHNIQUES
Stealth techniques obfuscate the malicious code, sometimes by exploiting platform or hardware
features, so that it bypasses anti-malware scanners. Techniques such as key permutation, dynamic
loading, native code execution, code encryption, and Java reflection are used to attack the
victim's device while hiding the payload from static analysis [16].
4. MALWARE EVASION TECHNIQUES
Kaspersky Labs reported in its 2016 findings [32] that malware creators have found new ways to
bypass Android protection mechanisms. Malware creators constantly monitor mobile security
techniques and develop new techniques to avoid detection. These techniques are called evasion
techniques and are listed below [29]:
Anti-security techniques: these are used to avoid detection by security devices and programs
such as anti-malware, firewalls, and any other tools that protect the environment.
Anti-sandbox techniques: sandboxing is a technique used to isolate running programs and hence to
prevent unverified programs from harming the system. Anti-sandbox techniques detect automated
analysis and stop the malware's behaviour from being reported. This is done by detecting registry
keys, files, or processes related to virtual environments; on a mobile emulator the tell-tales
are build properties, device identifiers, and sensor values that differ from real hardware.
Anti-analyst techniques: the malware checks for the monitoring tools an analyst uses in reverse
engineering, such as Process Explorer or Wireshark, and suspends or alters its behaviour when it
detects that it is being watched.
Malware creators might use two or three of the above techniques to make detection more
difficult. Figure 6 shows the popularity of the evasion techniques used by malware creators:
Figure 6: Evasion techniques used by malware
5. MALWARE DETECTION TECHNIQUES
In this section, we analyze the state-of-the-art malware detection techniques for mobile phones.
We divide them into two categories according to the basis they rely on when detecting malware:
static and dynamic techniques.
STATIC TECHNIQUES:
Static techniques rely on the source code (or compiled bytecode) of an application to classify it
without executing the application. They fall into one of the following classes according to the
basis they rely on for analyzing the code:
SIGNATURE BASED APPROACH
This method extracts semantic patterns from the code and creates a unique signature [18]. A
program is classified as malware if its signature matches an existing signature. It is a very fast
method for detecting malware; however, it is easily circumvented by code obfuscation. It can only
identify known malware and fails against unseen variants. It also requires immediate updates of
the signature database whenever new malware appears.
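The following added example (written for this page, not code from Apposcopy or any other cited tool) shows both sides of that trade-off on constructed smali-style listings: an exact hash of the code catches only the identical sample, a signature built from the ordered sequence of invoked API methods survives register renaming and junk instructions, and a variant that reaches the same API through Java reflection defeats both. The sample listings and the family name are invented.

```python
"""Added example: exact vs. API-sequence signatures against obfuscated variants."""
import hashlib
import re

# Matches "invoke-<kind> {regs}, Lpkg/Class;->method(...)" and keeps class->method.
INVOKE_RE = re.compile(r"^invoke-[\w/]+ \{[^}]*\}, (L[\w/$]+;->\w+)", re.M)


def exact_signature(smali: str) -> str:
    """Hash of the raw code: any byte change (renaming, nops) breaks the match."""
    return hashlib.sha256(smali.encode()).hexdigest()


def api_signature(smali: str) -> str:
    """Hash of the ordered sequence of called API methods, ignoring registers,
    constants and instructions that do not call anything."""
    calls = INVOKE_RE.findall(smali)
    return hashlib.sha256("\n".join(calls).encode()).hexdigest()


# Constructed listing of a premium-SMS sender: read IMEI, then send an SMS.
KNOWN_SAMPLE = """\
invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
move-result-object v1
invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
move-result-object v2
invoke-virtual {v2, v3, v4, v1, v5, v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
"""

# Same behaviour after a renaming/junk-insertion obfuscator ran over it.
RENAMED_VARIANT = """\
const-string v9, "k"
invoke-virtual {v7}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
move-result-object v8
nop
invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
move-result-object v6
move-object v9, v6
invoke-virtual {v9, v3, v4, v8, v5, v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
"""

# Same behaviour, but the API is resolved and called through reflection.
REFLECTION_VARIANT = """\
const-string v0, "sendTextMessage"
invoke-virtual {v1, v0, v2}, Ljava/lang/Class;->getMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
move-result-object v3
invoke-virtual {v3, v4, v5}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
"""

# Signature database built from the one known sample (family name is invented).
SIGNATURE_DB = {
    "exact": {exact_signature(KNOWN_SAMPLE): "SmsTrojan.A"},
    "api": {api_signature(KNOWN_SAMPLE): "SmsTrojan.A"},
}


def classify(smali: str) -> tuple:
    """Return ("exact"|"api", family) on a hit, or ("unknown", None)."""
    family = SIGNATURE_DB["exact"].get(exact_signature(smali))
    if family:
        return ("exact", family)
    family = SIGNATURE_DB["api"].get(api_signature(smali))
    if family:
        return ("api", family)
    return ("unknown", None)


if __name__ == "__main__":
    for name, s in [("known", KNOWN_SAMPLE), ("renamed", RENAMED_VARIANT),
                    ("reflection", REFLECTION_VARIANT)]:
        print(name, classify(s))
```

The reflection variant is the practical argument for the dynamic techniques later in this section: the call to sendTextMessage still happens at runtime, but no static signature over the bytecode names it.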
PERMISSION BASED ANALYSIS:
The permissions requested by an application play a vital role in governing its access rights. By
default, an app has no permission to access the user's data or to affect system security. Before
Android 6.0, the user had to grant all requested permissions at installation time; since Android
6.0 (API level 23), permissions classified as dangerous are requested at runtime and can be
revoked, while normal permissions are still granted at install time. Developers must declare in
the manifest every permission they request, but not all declared permissions are actually needed,
as shown in [19].
Permission-based detection scans applications and identifies malware quickly, but it does not
analyze the files that contain the malicious code. Moreover, the difference in requested
permissions between malicious and benign applications is often very small, so permission-based
methods need a second pass with another technique to provide effective malware detection.
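As an added example (not code from the paper or from [19]), the following scores the dangerous permissions and suspicious combinations declared in an AndroidManifest.xml. The three manifests are constructed, the permission sets and weights are assumptions chosen for illustration, and the third manifest shows the limitation just described: a legitimate messaging app requests almost the same permissions as an SMS Trojan and is flagged too.

```python
"""Added example: triage Android apps by their declared permissions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of Android "dangerous" permissions most often abused by mobile malware (assumption).
DANGEROUS = {
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
}
# Combinations that together suggest premium-SMS fraud or data exfiltration (assumption).
SUSPICIOUS_PAIRS = [
    ("android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"),
    ("android.permission.READ_CONTACTS", "android.permission.INTERNET"),
    ("android.permission.READ_PHONE_STATE", "android.permission.INTERNET"),
]


def requested_permissions(manifest_xml: str) -> set:
    """Collect android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml: str, threshold: int = 4) -> dict:
    """Score = one point per dangerous permission plus two per suspicious pair."""
    perms = requested_permissions(manifest_xml)
    pairs = [p for p in SUSPICIOUS_PAIRS if p[0] in perms and p[1] in perms]
    score = len(perms & DANGEROUS) + 2 * len(pairs)
    return {"score": score, "dangerous": sorted(perms & DANGEROUS), "pairs": pairs,
            "verdict": "review" if score >= threshold else "low"}


def manifest(package: str, *perms: str) -> str:
    """Build a constructed manifest string for the given package and permissions."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')


FLASHLIGHT = manifest("com.example.flashlight",
                      "android.permission.CAMERA", "android.permission.FLASHLIGHT")
FLASHLIGHT_TROJAN = manifest("com.example.flashlight",
                             "android.permission.CAMERA", "android.permission.FLASHLIGHT",
                             "android.permission.INTERNET", "android.permission.SEND_SMS",
                             "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
                             "android.permission.READ_PHONE_STATE")
# A legitimate SMS client needs nearly the same set: the false positive the text warns about.
SMS_CLIENT = manifest("com.example.messenger",
                      "android.permission.INTERNET", "android.permission.SEND_SMS",
                      "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                      "android.permission.READ_CONTACTS")

if __name__ == "__main__":
    for name, m in [("flashlight", FLASHLIGHT), ("trojanized", FLASHLIGHT_TROJAN),
                    ("sms client", SMS_CLIENT)]:
        print(name, triage(m))
```

The score separates the flashlight from its trojanized copy, but it cannot separate the trojanized copy from a real messenger; the second pass (API-level or behavioural analysis) has to ask what the app does with SEND_SMS, not merely whether it holds it.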
VIRTUAL MACHINE ANALYSIS:
In this class, the bytecode that the application's virtual machine executes is analyzed rather
than its source. Bytecode analysis examines the app's behaviour through control-flow and data-flow
analysis, which helps in detecting dangerous functionality performed by malicious applications.
Many bytecode analysis tools have been implemented for mobile devices, especially for Android.
DroidAPIMiner [20] identifies malware by tracking sensitive API calls. The limitation of virtual
machine analysis is that it works at the instruction level and therefore consumes more power and
storage space.
DYNAMIC TECHNIQUES:
In dynamic analysis, an application is examined during execution and classified by one of the
following techniques, which are distinguished by the behaviour the detection mechanism observes.
ANOMALY BASED
Anomaly-based analysis watches the behaviour of the device by keeping track of different
parameters and the status of the device's components. Andromaly is a behaviour-based malware
detection framework [21]. To detect malware, Andromaly continuously monitors features of the
device state such as battery level, CPU usage, and network traffic. Measurements are taken at
runtime and fed to a classifier that labels them as normal or anomalous. CrowDroid [22] and
AntiMalDroid [23] are two other anomaly-based tools for malware detection on Android devices. The
first analyzes system call logs, while the latter analyzes the behaviour of an application and
then generates signatures for malicious behaviour. SMS Profiler and iDMA are two tools used to
detect illegitimate use of system services in iOS [24].
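The following added example (written for this page; it is not Andromaly's classifier) shows the simplest form of that idea: fit a per-feature baseline from windows of the owner's normal use, then flag a new window whose z-score on any feature exceeds a threshold. The feature names, the baseline windows and the test windows are constructed; the threshold of three standard deviations is an assumption.

```python
"""Added example: z-score anomaly detection over device-state features."""
import statistics

FEATURES = ("cpu_pct", "battery_drop_pct_per_h", "tx_kb_per_min", "sms_sent_per_h")

# Constructed baseline: eight one-hour windows of the owner's normal use.
BASELINE = [
    {"cpu_pct": 12, "battery_drop_pct_per_h": 4, "tx_kb_per_min": 20, "sms_sent_per_h": 0},
    {"cpu_pct": 15, "battery_drop_pct_per_h": 5, "tx_kb_per_min": 35, "sms_sent_per_h": 1},
    {"cpu_pct": 10, "battery_drop_pct_per_h": 4, "tx_kb_per_min": 25, "sms_sent_per_h": 0},
    {"cpu_pct": 14, "battery_drop_pct_per_h": 6, "tx_kb_per_min": 30, "sms_sent_per_h": 0},
    {"cpu_pct": 13, "battery_drop_pct_per_h": 5, "tx_kb_per_min": 22, "sms_sent_per_h": 2},
    {"cpu_pct": 11, "battery_drop_pct_per_h": 4, "tx_kb_per_min": 28, "sms_sent_per_h": 0},
    {"cpu_pct": 16, "battery_drop_pct_per_h": 5, "tx_kb_per_min": 33, "sms_sent_per_h": 1},
    {"cpu_pct": 12, "battery_drop_pct_per_h": 5, "tx_kb_per_min": 27, "sms_sent_per_h": 0},
]

# Constructed test windows.
NORMAL_WINDOW = {"cpu_pct": 14, "battery_drop_pct_per_h": 5, "tx_kb_per_min": 29, "sms_sent_per_h": 1}
SMS_TROJAN_WINDOW = {"cpu_pct": 45, "battery_drop_pct_per_h": 14, "tx_kb_per_min": 900, "sms_sent_per_h": 40}
VIDEO_CALL_WINDOW = {"cpu_pct": 40, "battery_drop_pct_per_h": 12, "tx_kb_per_min": 30, "sms_sent_per_h": 0}


def fit_baseline(samples: list) -> dict:
    """Per-feature (mean, stdev); a tiny floor keeps constant features from dividing by zero."""
    model = {}
    for f in FEATURES:
        values = [s[f] for s in samples]
        sd = statistics.stdev(values) if len(values) > 1 else 0.0
        model[f] = (statistics.mean(values), max(sd, 1e-6))
    return model


def z_scores(model: dict, window: dict) -> dict:
    return {f: abs(window[f] - model[f][0]) / model[f][1] for f in FEATURES}


def detect(model: dict, window: dict, threshold: float = 3.0) -> dict:
    """Flag the window if any feature is more than `threshold` stdevs from its mean."""
    z = z_scores(model, window)
    triggered = sorted(f for f, v in z.items() if v >= threshold)
    return {"anomalous": bool(triggered), "triggered": triggered, "z": z}


if __name__ == "__main__":
    model = fit_baseline(BASELINE)
    for name, w in [("normal", NORMAL_WINDOW), ("sms trojan", SMS_TROJAN_WINDOW),
                    ("video call", VIDEO_CALL_WINDOW)]:
        print(name, detect(model, w))
```

The third window is the caveat every anomaly detector carries: a long video call is flagged on CPU and battery although nothing is wrong. Which features triggered is therefore part of the result, so a second stage (for instance, checking whether an app other than the dialer consumed the SMS service) can separate heavy legitimate use from the Trojan.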
TAINT ANALYSIS
TaintDroid [25] tracks multiple sources of sensitive data and identifies data leakage in mobile
applications. The tool labels (taints) sensitive data at its source, follows the label as the
data is copied through the application, and reports when labelled data reaches a sink that moves
it off the device, such as the network. TaintDroid tracks data flow efficiently, but it does not
track control flow: data that only influences a branch, rather than being copied, loses its label,
so a leak encoded in the program's control decisions goes unreported.
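An added example (written for this page; it is not TaintDroid's implementation, which works inside the Dalvik interpreter) makes the two cases concrete on a toy intermediate representation: an explicit flow, where the IMEI is copied into a request string and sent, is reported, while an implicit flow, where a branch on the IMEI selects which constant is sent, is missed unless control-flow tracking is switched on. The instruction set, the programs and the IMEI value are constructed.

```python
"""Added example: dynamic taint tracking with and without control-flow propagation."""


def run(program: list, track_control_flow: bool = False) -> list:
    """Execute a tiny straight-line IR; return [(sink, [labels])] for tainted sink inputs."""
    env, taint, leaks = {}, {}, []
    for op in program:
        kind = op[0]
        if kind == "source":            # ("source", dst, value, label): e.g. read the IMEI
            _, dst, value, label = op
            env[dst], taint[dst] = value, {label}
        elif kind == "const":           # ("const", dst, value): untainted literal
            _, dst, value = op
            env[dst], taint[dst] = value, set()
        elif kind == "move":            # ("move", dst, src): explicit copy carries the label
            _, dst, src = op
            env[dst], taint[dst] = env[src], set(taint[src])
        elif kind == "concat":          # ("concat", dst, a, b): explicit flow from both operands
            _, dst, a, b = op
            env[dst], taint[dst] = str(env[a]) + str(env[b]), taint[a] | taint[b]
        elif kind == "starts_with":     # ("starts_with", dst, src, prefix): derived from src
            _, dst, src, prefix = op
            env[dst], taint[dst] = str(env[src]).startswith(prefix), set(taint[src])
        elif kind == "select":          # ("select", dst, cond, v_true, v_false)
            _, dst, cond, v_true, v_false = op
            env[dst] = v_true if env[cond] else v_false
            # Data-flow-only tracking copies no label: dst was assigned a constant.
            # Yet dst now encodes one bit of cond, an implicit flow through control.
            taint[dst] = set(taint[cond]) if track_control_flow else set()
        elif kind == "sink":            # ("sink", src, name): e.g. a network send
            _, src, name = op
            if taint[src]:
                leaks.append((name, sorted(taint[src])))
        else:
            raise ValueError(f"unknown op {kind!r}")
    return leaks


# Constructed program 1: the IMEI is appended to a URL and sent (explicit flow).
EXPLICIT_LEAK = [
    ("source", "imei", "358240051111110", "IMEI"),
    ("const", "url", "http://c2.invalid/?id="),
    ("concat", "req", "url", "imei"),
    ("sink", "req", "network"),
]

# Constructed program 2: only a constant chosen by a test on the IMEI is sent.
# One bit of the IMEI still leaves the device, but no tainted value is copied.
IMPLICIT_LEAK = [
    ("source", "imei", "358240051111110", "IMEI"),
    ("starts_with", "is_match", "imei", "3582"),
    ("select", "msg", "is_match", "1", "0"),
    ("sink", "msg", "network"),
]

if __name__ == "__main__":
    print("explicit:", run(EXPLICIT_LEAK))
    print("implicit, data-flow only:", run(IMPLICIT_LEAK))
    print("implicit, with control flow:", run(IMPLICIT_LEAK, track_control_flow=True))
```

Propagating the label through every control dependency closes the gap but over-taints quickly (every value assigned under a branch on sensitive data inherits the label), which is the usual engineering reason systems such as TaintDroid accept the implicit-flow blind spot.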
EMULATION BASED
DroidScope [26] is an emulation-based tool that dynamically analyzes applications using virtual
machine introspection. It monitors the whole system from outside the execution environment, so
malware cannot detect the presence of the analysis tool on the device.
Another emulation-based tool, provided by Bläsing et al. [27], is the Android Application Sandbox
(AASandbox). AASandbox detects malicious applications by combining static and dynamic analysis.
The application's effects are confined to the sandbox for safety; the tool runs it while feeding
it user events such as touches, clicks and gestures and records the resulting behaviour.
Unfortunately, the tool cannot detect previously unknown malware.
6. SUMMARY
Malware attacks have grown rapidly over the last 10 years, targeting every kind of technology
device, including mobile phones. Because mobile usage is personal and the devices hold sensitive
data, safeguards against malware must be implemented. In this paper, we introduced the different
types of attacks on the top two competing mobile operating systems, Android and iOS. We also
introduced the techniques used to deliver mobile malware and provided up-to-date statistics for
malware attacks over the last three years. We then introduced the most common malware detection
techniques used for mobile applications and pinpointed and discussed the weaknesses of each. We
will be working on developing a new malware detection tool for mobile devices, based on mobile
user profiling, that can be used efficiently.
BIBLIOGRAPHY:
[1] https://wearesocial.com/special-reports/digital-in-2017-global-overview, accessed 29 Sep 2017.
[2] http://www.gartner.com/newsroom/id/3609817, accessed 29 Sep 2017.
[3] Aijaz Ahmad Sheikh et al., "Smartphone: Android Vs IOS," The SIJ Transactions on Computer Science Engineering & its Applications (CSEA), September-October 2013.
[4] https://developer.apple.com/library/content/documentation/Miscellaneous/Conceptual/iPhoneOSTechOverview/CoreOSLayer/CoreOSLayer.html#//apple_ref/doc/uid/TP40007898-CH11-SW1, accessed 29 Sep 2017.
[5] Thomas L. Rakestraw et al., "The mobile apps industry: A case study," Journal of Business Cases and Applications, 2013.
[6] "Android and Security - Official Google Mobile Blog." [Online]. Available: https://www.blog.google/topics/safety-security/shielding-you-potentially-harmful-applications/. [Accessed: 28 Sep 2017].
[7] R. Raveendranath, V. Rajamani, A. J. Babu, and S. K. Datta, "Android malware attacks and countermeasures: Current and future directions," 2014 Int. Conf. Control, Instrumentation, Communication and Computational Technologies, pp. 137–143, 2014.
[8] "Root exploits." [Online]. Available: http://www.selinuxproject.org/~jmorris/lss2011_slides/caseforseandroid.pdf. [Accessed: 15 Dec 2015].
[9] Y. Zhou, Z. Wang, W. Zhou, and X. Jiang, "Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets," Proc. 19th Annu. Netw. Distrib. Syst. Secur. Symp. (NDSS), 2012.
[10] "Android.Fakedefender.B | Symantec." [Online]. Available: https://www.symantec.com/security_response/writeup.jsp?docid=2013-091013-3953-99. [Accessed: 15 Dec 2015].
[11] Y. Zhou and X. Jiang, "Dissecting Android Malware: Characterization and Evolution," 2012 IEEE Symp. Secur. Priv., pp. 95–109, 2012.
[12] Y. Zhou and X. Jiang, "Dissecting Android Malware: Characterization and Evolution," 2012 IEEE Symp. Secur. Priv., pp. 95–109, 2012.
[13] C. A. Castillo, "Android Malware Past, Present, and Future," McAfee White Paper, Mobile Security Working Group, pp. 1–28, 2011.
[14] "A Look at Repackaged Apps and their Effect on the Mobile Threat Landscape." [Online]. Available: http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-repackaged-apps-and-its-role-in-the-mobile-threat-landscape/. [Accessed: 15 Dec 2015].
[15] "NotCompatible Android Trojan: What You Need to Know | PCWorld." [Online]. Available: http://www.pcworld.com/article/254918/notcompatible_android_trojan_what_you_need_to_know.html. [Accessed: 15 Dec 2015].
[16] New Threats and Countermeasures in Digital Crime and Cyber Terrorism. IGI Global, 2015.
[17] "The Apple threat landscape," Symantec. [Online]. Available: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/apple-threat-landscape.pdf. [Accessed: 29 Sep 2017].
[18] Y. Feng, S. Anand, I. Dillig, and A. Aiken, "Apposcopy: Semantics-Based Detection of Android Malware Through Static Analysis," FSE 2014, pp. 576–587, 2014.
[19] "Android Permissions Demystified." [Online]. Available: https://www.truststc.org/pubs/848.html. [Accessed: 06 Nov 2015].
[20] Y. Aafer, W. Du, and H. Yin, "DroidAPIMiner: Mining API-Level Features for Robust Malware Detection in Android," Secur. Priv. Commun. Networks, vol. 127, pp. 86–103, 2013.
[21] A. Shabtai, U. Kanonov, Y. Elovici, C. Glezer, and Y. Weiss, "'Andromaly': a behavioral malware detection framework for android devices," J. Intell. Inf. Syst., vol. 38, no. 1, pp. 161–190, 2012.
[22] "strace download | SourceForge.net." [Online]. Available: http://sourceforge.net/projects/strace/. [Accessed: 22 Dec 2015].
[23] M. Zhao, F. Ge, T. Zhang, and Z. Yuan, "AntiMalDroid: An efficient SVM-based malware detection framework for android," Commun. Comput. Inf. Sci., vol. 243 CCIS, pp. 158–166, 2011.
[24] Dimitrios Damopoulos et al., "The Best of Both Worlds. A Framework for the Synergistic Operation of Host and Cloud Anomaly-based IDS for Smartphones," EuroSec'14, April 13-16, 2014.
[25] W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones," OSDI '10, 2010.
[26] L. Yan and H. Yin, "DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis," Proc. 21st USENIX Secur. Symp., 2012.
[27] T. Bläsing, L. Batyuk, A. D. Schmidt, S. A. Camtepe, and S. Albayrak, "An Android application sandbox system for suspicious software detection," Proc. 5th IEEE Int. Conf. Malicious and Unwanted Software (MALWARE 2010), pp. 55–62, 2010.
[28] McAfee Labs Threats Report, June 2017.
[29] McAfee Labs Threats Report, June 2016.
[30] Mobile Threat Report: What lies ahead for 2017, Intel Security, 2017.
[31] Skycure, Mobile Threat Intelligence Report, Q1 2016.
[32] Kaspersky, Mobile Malware Evolution report, 2016.
[33] LookingGlass report, Mobile Security Threat Landscape: Recent Trends and 2016 Outlook, 2015.
[34] Dimensional Research, The Growing Threat of Mobile Device Security Breaches: A Global Survey of Security Professionals, April 2017.
[35] "Ransomware scammers exploited Safari bug to extort porn-viewing iOS users." [Online]. Available: https://arstechnica.com/information-technology/2017/03/ransomware-scammers-exploited-safari-bug-to-extort-porn-viewing-ios-users/. [Last viewed: 20 November 2017].