Android OS has grown explosively in the last couple of years, and that growth is expected to continue. Android already leads in market share all over the world, and its numbers keep increasing with each passing day. The biggest problem so far for Android users is that different types of malware steal personal data from their phones without their knowledge and also degrade device performance, such as battery life and memory usage; many survey reports confirm this. There is therefore a massive need for a good security application that detects and kills malicious activity on the system. Many applications have been introduced as a solution, but none of them has proved effective because they use signature-based detection, a method that went out of style years ago.
2.1 RELATED WORK
As Android OS grows rapidly, the amount of Android malware is growing with it; the latest reports are shown in Figure 2.1. Mobile security companies are trying their best to provide a good and reliable solution to Android malware. A survey report from summer 2012 mentions that over 40 Android security applications were tested and only 7 had a malware detection rate of over 90%. As the number of Android applications and daily Android activations grows by record numbers, it is easy to believe that these malware reports will keep increasing.
A company by the name of AV-TEST has taken this growth in Android security applications quite seriously and has published a rather large report on which of them are actually effective. After testing over 40 Android security applications, they were left with the following seven applications, which were the only ones able to detect over 90% of malware. Following are those seven applications.
2.1.1 Problems with current Android Security Apps
The problem with many Android security apps or antivirus programs is that they use signature-based tracking to identify viruses and malware. Signature-based tracking went out of style years ago among PC antivirus software companies because hackers kept finding ways around it. With signature-based defense, the antivirus software relies on a database of virus "signatures" and protects users when it identifies one of those signatures running on their computer. This technique is good up to a point, but because new malware is produced on such a massive and regular basis, it cannot provide the kind of security the system requires. Android security applications and antivirus programs are not using antiquated methods by choice. Instead, they are forced to use signature-based tracking because any other type of tracking would require root access to the system. So, when malware tries to modify core system files or affect other vital parts of the Android device, existing security applications cannot recognize it because they are not able to access the 'root' of the system. As a result, leading Android security companies offer rooted versions of their applications that are more powerful than the non-rooted versions. For example, companies like Avast have added a firewall function to the rooted version of their app.
No security application can claim to be 100% effective, and that rule remains true for Android devices. And that is why security on our favorite mobile operating system is still an issue.
Figure: Increase in Android malware from January 2008 to October 2012
2.2 RESEARCH PAPERS LITERATURE
Understanding Android Security
This article gives a brief introduction to Android application development and points out security issues that developers have to be aware of, such as using explicit Intents whenever possible. The article begins by describing how Android has become the leader of the smartphone market in such a short time, as shown in Figure 2.2. It explains some of the essential features of Android OS, such as synchronization of contacts and calendar information and integration with social networking functions. The article explains the complexity of Android security and highlights some of the hidden facts of the operating system that surface when defining an application's security. It then explains the Android application framework for the benefit of Android developers. That framework does not have a main function or a single point of execution; instead, the developer has to divide the design of the application into components. Android defines four types of component: (i) Activity components (define the application user interface), (ii) Server components (perform background processing), (iii) Content provider components (store and share data using a relational database interface), (iv) Broadcast receiver components (act as a mailbox for messages from other applications). The article further explains component interaction using intents and intent filters, along with their potential issues, and explains how to set access permission labels via the manifest. Android uses two mechanisms to protect applications: (i) at system level, (ii) at ICC level. The article further describes the permission protection levels normal, dangerous, Signature and SignatureOrSystem, using the authors' own application called 'Friend Tracker'.
Crowdroid: Behavior-Based Malware Detection System for Android
The paper begins by describing how malware for mobile phones is increasing every day, after threatening PCs for so many years. A short survey of the growth of Android smartphones is shown in Table 2.1. Security problems in Android are increasing every day and no reliable solution is available so far. In recent research, the Global Threat Center of the company "Jupiter Networks" found a shocking increase in Android malware since June 2010; some of the most common malware families are "Fake Player", "Genimi", "PJApps" and "HongToutou". To detect this kind of malware, two approaches have been proposed so far for complete analysis and detection: 'static analysis' and 'dynamic analysis'. Static analysis, mostly used by antivirus companies, is based on inspecting source code or binaries for suspicious patterns. In dynamic analysis, on the other hand, the application's behavior is observed and then compared with a given sample in order to analyze the execution traces. The paper introduces a new framework, "Behavior Based Malware Detection", for detecting malicious applications. Because the security tools and mechanisms used on computers are not feasible on smartphones, due to their excessive use of system resources such as memory and battery, the authors created their own dedicated remote server for the whole analysis process, used exclusively to collect information and detect malicious and suspicious applications on the Android operating system. They also developed their own client, "Crowdroid", which is available in the Android market. With the help of the Android user community, Crowdroid is able to distinguish between benign and malicious applications of the same name and to detect anomalous behavior of known applications.
Keeping in view the success rate of previous detection methods, they concluded that monitoring system calls is one of the most accurate techniques for determining the behavior of Android applications. After various experiments they describe that it is possible to obtain behavior information using artificially created user actions, or by creating replicas of smartphones, but crowdsourcing helps the community to obtain real application traces of hundreds or of applications.
Permission Usage To Detect Malware in Android
Smartphones are becoming more popular and the number of applications available to users is increasing at a very high pace. The threat of malicious applications is also increasing, despite Apple's App Store and Google's Play Store. Apple applies a rigorous review process carried out by at least two reviewers. Google's Android relies on a permission system that lets users view the permissions an application requires to work on their device; using this information they can tell what type of application they are downloading. Unfortunately, this does not help much in protecting people from malicious applications, as most users do not even check the permission list before downloading applications. Both Apple and Google have included clauses in their terms of service that urge developers not to submit malicious software, yet both have hosted malware in their stores. Both are developing different techniques to stop developers from posting malicious applications on their stores. The applications are divided into two main categories. The benign software dataset is built by selecting different types of applications such as widgets, web apps and native applications; all the safe applications are included in this category. The malicious software dataset contains a sample of malicious software. Android applications require the user's permission before being installed on the system, so the study analyzed the following features: "uses-permission", the tag under which the permissions that the application needs to work are defined; and "uses-feature", which shows which features of the device the application uses. Most malicious applications use the same types of permissions that benign apps use, so finding the malicious app is a little difficult. It was found that only 1 permission is required for an application to behave maliciously; there is a low chance of them having 2 or 3.
A machine learning method is used to distinguish between benign and malicious applications. The WEKA tool is used in this process, with the k-fold cross-validation technique. The numbers of false positives and false negatives are also calculated, and this step yields the threat detection probability. The overall conclusion of this article is that permissions are the most recognizable security feature in Android. The user must accept them in order to install the application. To validate the proposed process, 239 malware samples were used. This method is still more static than dynamic, and research on the technique is still going on.
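The feature-extraction step described above can be sketched as follows. This is an added example, not code from the reviewed paper: it assumes each manifest has already been decoded to text XML, and the sample manifests, the labels and the function names `manifest_features` and `to_arff` are constructed for illustration. It turns the "uses-permission" and "uses-feature" entries into a 0/1 feature matrix in ARFF, the text format WEKA reads.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifests (already decoded to text XML); not from the paper.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-feature android:name="android.hardware.touchscreen"/>
  <uses-feature android:glEsVersion="0x00020000"/>
</manifest>"""
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-feature android:name="android.hardware.telephony"/>
</manifest>"""


def manifest_features(manifest_xml):
    """Return the uses-permission / uses-feature names declared in one manifest."""
    root = ET.fromstring(manifest_xml)
    feats = set()
    for tag in ("uses-permission", "uses-feature"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:  # a uses-feature entry may carry only glEsVersion, no name
                feats.add(f"{tag}:{name}")
    return feats


def to_arff(samples, relation="android_manifest"):
    """samples: list of (label, manifest_xml). Returns ARFF text with 0/1 attributes."""
    parsed = [(label, manifest_features(xml)) for label, xml in samples]
    vocab = sorted(set().union(*(feats for _, feats in parsed)))
    labels = sorted({label for label, _ in parsed})
    lines = [f"@relation {relation}", ""]
    lines += [f"@attribute '{name}' {{0,1}}" for name in vocab]
    lines.append("@attribute class {" + ",".join(labels) + "}")
    lines += ["", "@data"]
    for label, feats in parsed:
        row = ["1" if name in feats else "0" for name in vocab]
        lines.append(",".join(row + [label]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_arff([("benign", BENIGN), ("malware", SUSPECT)]))
```

Both samples request INTERNET, so that column is 1 in both rows and cannot separate the classes, which is the overlap between benign and malicious permission sets that the study reports.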
A Review of Malicious Code Detection Techniques for Android Devices
The number of mobile phones in the world is rising at a very high rate, and smartphones are becoming more popular as time passes. Smartphones can use mobile networks such as Wi-Fi, Bluetooth and GSM services for different tasks. Most people are connected to the internet through their smartphones and perform many of their daily tasks from their phone instead of a PC. Many operations involving sensitive data transfer, such as financial transactions and online buying and selling of goods, are being done extensively through these devices. They are easy targets for malware because they are well connected, incorporating various means of wireless communication. Malware can affect devices in different ways. Theft of data: hackers can often attack mobile devices to obtain transient and static information. Transient information is related to the location of the device, power and other data usage. Static information is the data exchanged over the network. Phone hijacking: phones can be hijacked and used to send expensive SMS messages or to listen to calls being made by the user. Denial of Service (DoS) attacks are also a threat to mobile devices, as hackers can flood the device and drain the battery by sending corrupt packets through Bluetooth or Wi-Fi. Many Trojans, worms and viruses have entered the mobile world and have affected devices during the past years. There are mainly three approaches to detecting malicious code. Signature-based detection is based on the history of previously defined viruses, so it runs on the system searching for a virus before it even starts affecting the device. Its drawback is that it only has information about past virus definitions, so the latest viruses are safe from it. Behavior checking refers to an application that resides in the memory of the device and keeps checking applications for unusual behavior.
An integrity checker keeps a log of the applications already present on the system, and whenever the checker runs it compares the old log with a new one. These basic techniques can be enhanced to improve performance and security.
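The difference between signature-based detection and an integrity checker can be seen by running both over the same device state. This is an added example, not code from the reviewed paper: the package names, byte strings standing in for APK contents, the signature database and all function names are constructed for illustration.

```python
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def signature_scan(packages, known_bad):
    """Signature-based: flag only packages whose hash is already in the database."""
    return sorted(name for name, data in packages.items() if sha256(data) in known_bad)


def snapshot(packages):
    """Integrity checker log: package name -> hash of its contents."""
    return {name: sha256(data) for name, data in packages.items()}


def integrity_diff(old_log, new_log):
    """Compare the old log with a new one and report what changed."""
    common = old_log.keys() & new_log.keys()
    return {
        "added": sorted(new_log.keys() - old_log.keys()),
        "removed": sorted(old_log.keys() - new_log.keys()),
        "modified": sorted(n for n in common if old_log[n] != new_log[n]),
    }


# Constructed data: byte strings stand in for APK file contents.
KNOWN_BAD = {sha256(b"old-known-sample")}
BASELINE = {"com.example.notes": b"notes-v1", "com.example.game": b"game-v1"}
CURRENT = {
    "com.example.notes": b"notes-v1",
    "com.example.game": b"game-v1+unknown-payload",  # altered, hash not in database
    "com.example.flash": b"old-known-sample",        # matches a stored signature
}

if __name__ == "__main__":
    print(signature_scan(CURRENT, KNOWN_BAD))
    print(integrity_diff(snapshot(BASELINE), snapshot(CURRENT)))
```

The signature scan reports only the package whose hash is already in the database, while the log comparison also reports the altered package that no signature covers; it cannot say whether the change is malicious, only that the content differs from the recorded state.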
A study on the system for detect malware that disclose privacy information via the Android App Store
The paper begins with a short survey of the growth of Android smartphones. It finds that Android smartphones are growing, and Irish Research Company has published that more than 80% of smartphone users were using the Android operating system in 2012. Similarly, with the evolution of the Android operating system, malicious code is also growing, and personal data such as contacts, messages and financial information is in danger. Malicious code increased by 800% from February 2011 to May 2011. Android-based malicious code is spreading through different kinds of media. Applications share personal information through the web, Bluetooth, WiFi, etc. The paper says that this is the secondary crime called phishing, which can be detected using the signature method. In the signature method, phishing can be detected by updating patterns, but this can only be done after checking the unusual activity performed. To overcome this, another technique, heuristic detection, is mentioned for detecting variant-based malicious code; still, this technique cannot detect unknown malicious code. Unknown malicious code can be detected by analyzing the APIs (shown in Figure 2.4) and the manifest, by analyzing the libraries used by the application, and by doing a dynamic analysis. Malicious code must be studied before it can be detected, and malicious code is more diverse in the Android operating system than in the desktop computer environment. The paper analyzes the distribution paths of malicious code and shows that the most common distribution path is the Google Play store. Other distribution paths include Bluetooth, WAP/Web and others.
Many applications are uploaded to the app store, and the paper proposes a technique to inspect an application during the registration process; if any malicious code is found, the application should not be uploaded to the Android market. We, however, are focusing on detection inside the mobile device, which can be done by analyzing the APIs and library paths (shown in Table 2.2) of the applications on which our priority is high. Functions such as access to IME data, Wi-Fi information and access to location, along with their APIs, are listed in the paper (Table 2.3) and can be used for the detection of malicious code. The authors tested some applications containing known and unknown malicious code, including Twalktupi, SMSReplicator, InfoStealer, Pirater, Imlog, and Geimini. These applications were reading the user's personal information and web link information and sending them out. They held the permission to access the internet along with other permissions to access the user's personal data. We conclude that, rather than checking on the Android market at the time of registration, we can use the same methodology inside the mobile device: by using the APIs and their functions, and the library paths and their functions, shown in this paper, we can detect applications containing malicious code.[17