Smartphone usage worldwide is increasing day by day. People nowadays prefer smartphones over PCs, and 2011 reports prove this fact. Security is the biggest problem smartphones are facing, and research is ongoing to make smartphones more secure. In this project we are building an Android application that will detect and kill malicious activities carried out in the background without the user's consent.
Cyber criminals continued their focus on the Android operating system for smartphones, as Android is becoming the dominant platform of mobile computing (75% market share worldwide, see Table 2.1) according to the latest reports. Android users are tricked into downloading malware which not only steals their personal information but also downloads and installs other applications without their knowledge.
To maximize security for Android phones, we are building an application that helps the user detect and kill any malicious activity carried out in the background. Android OS allows the user to install applications from anywhere, and this proves to be an advantage for cyber-crooks. Sometimes when the user installs an application, hidden malicious code is also downloaded, which keeps running in the background, affecting battery life and stealing the user's personal information, while the user is unaware of all these malicious activities. Our application runs in the background: it will first detect all running applications, then detect those applications that are connected to the network (exchanging data), and finally detect and remove the hidden malicious code found in any of those applications. This will not only secure the user's data but also improve the battery life and performance of the mobile phone.
We will use detection techniques such as signature-based checking, anomaly checking, behavior checking, and integrity checking in order to detect the malicious code.
o supporting multiple features, ranging from capturing and playing digital media, to e-mail access, e-banking, and remote access to personal files. As the capability of mobile phones is increasing, the threat of malicious code targeting them also is increasing. It is widely believed that the evolution of malware for mobile devices will take a similar direction as the evolution of PC malware. Many operations involving sensitive data transfer, such as financial transactions, online buying and selling of goods, are being done excessively through the mobile devices. Mobile devices are easy targets for malware because they are well connected, incorporating various means of wireless communications. Similar to PCs, the mobile devices are capable of Internet access for web browsing and emails. They also have the capability to communicate by wireless LAN, short range Bluetooth connectivity, and short/multimedia messaging service (SMS/MMS).
Android is the leading mobile operating system in the world, with most of the market share (68% as of August 2012). It is open source and allows users to use their phones freely with no restrictions. As the usage of Android OS increases, its security problems also increase. While applications are being downloaded, hidden malicious code is sometimes downloaded as well without the user's knowledge, which not only affects the phone's performance but also steals the user's personal information and data.
There has been explosive growth of Android OS in the last couple of years, and it is expected to keep increasing with time. Android already leads in market share all over the world, and its numbers keep increasing with each passing day. The biggest problem so far for Android users is that different types of malware steal personal data from their phones without their knowledge and also affect mobile performance, such as battery life and memory usage; many survey reports prove this fact. So there is a massive need for a good security application that detects and kills malicious activity on the system. Many applications were introduced as a solution, but none of them proved effective because they used the signature-based detection method, which went out of style years ago.
Android applications are increasing day by day, and as a result the amount of malware increases daily, as most users do not know that the app they are using is actually malware. Even the Android Market contains applications containing malware, and unfortunately there is no check for this kind of application.
With the passage of time, more and more methods are invented to attack Android devices, and it is becoming difficult for developers to detect each of these attacks. There are some techniques that we will be using in our application to help us detect the kind of malicious activity.
Signature-based detection is a popular technique based on searching for previously defined virus signatures in input files. Signature detection has the advantage of detecting malicious activity before the system is infected by the malicious code.
Behavior checking is another popular technique, based on a behavior checker that resides in memory looking for unusual behavior. In this case, the user is alerted about the misbehaving application. A behavior checker has the disadvantage that by the time a malicious activity is detected, some changes have already been made to the system.
Integrity checking is a technique that maintains a log of all the files that are present in the system. The log may contain characteristics of files such as the file size, date/time stamp and a checksum. Every time an integrity checker is run, it checks the files on the system and compares them with the characteristics it saved earlier.
Anomaly detection is done by a remote anomaly detection system. Each smartphone acts as a client, sending a set of features, extracted by learning the various measurements of the resources, hardware and software components, to the remote anomaly detection system, where these features are stored in a database. The database is accessed by detection units which analyze the data for malicious activity.
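The integrity-checking technique described above can be sketched as follows. This is an added example, not code from the project: the function names, the choice of SHA-256 as the checksum and the constructed file names in `run_demo` are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Build the integrity log: size, timestamp and checksum per file."""
    log = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            info = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            log[os.path.relpath(path, root)] = {
                "size": info.st_size,
                "mtime": int(info.st_mtime),
                "sha256": digest,
            }
    return log


def compare(baseline, current):
    """Compare a fresh snapshot with the characteristics saved earlier."""
    report = {"added": [], "removed": [], "modified": [], "touched": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            report["added"].append(path)
        elif new is None:
            report["removed"].append(path)
        elif old["sha256"] != new["sha256"]:
            # Content changed, even if size and timestamp were preserved.
            report["modified"].append(path)
        elif old["mtime"] != new["mtime"]:
            # Same content, different timestamp: worth logging, lower severity.
            report["touched"].append(path)
    return report


def run_demo():
    """Constructed scenario: one file of each kind of change."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data, mtime):
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, (mtime, mtime))

        write("app.dex", b"original-code", 1000)
        write("lib.so", b"native-lib", 1000)
        write("config.xml", b"<cfg/>", 1000)
        baseline = snapshot(root)

        # Tampering that keeps the size (13 bytes) and restores the timestamp:
        # only the checksum reveals it.
        write("app.dex", b"tampered-code", 1000)
        os.utime(os.path.join(root, "lib.so"), (2000, 2000))
        os.remove(os.path.join(root, "config.xml"))
        write("dropper.bin", b"new", 3000)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind, paths)
```

The `app.dex` case shows why the log needs a checksum and not only size and timestamp: both of those are unchanged after the tampering.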
Security is the biggest concern these days in the smartphone industry. With each passing day the number of cyber-attacks on mobile phones increases, causing users a lot of trouble.
Improved Mobile Performance
Many Android users complain that the battery life of their phones is not up to the mark; this is because of hidden malicious activities that are carried out in the background and are invisible to the user.
The year 2011 was full of cyber-attacks on Android phones, and this has continued this year as well. Research is ongoing to provide more security for Android phones.
As Android is the leading operating system on mobile phones, with most of the market share, the need to make it more secure is increasing every day. Many antivirus products for Android phones have been produced, but none of them has proved effective; rather, they have reduced the performance of mobile phones.
The demand for Android developers in the market is increasing day by day, and it will last for quite a long time. By working on this project there is a lot for us to learn, both in development and in research.
AIMS AND OBJECTIVES
Our aim in this project is to provide maximum security for Android phones. Security is a great concern for mobile users, as they store their personal information on their phones. We are targeting internal attacks on Android phones, and our application will detect and kill applications which contain any sort of malicious code.
Observe running applications
Detect applications exchanging data over network
Detect any malicious activity
CHAPTER 2: RELATED WORK
2.1 RELATED WORK
As Android OS grows rapidly with time, Android malware is also increasing; the latest reports are shown in Figure 2.1. Mobile security companies are trying their best to provide a good and reliable solution for Android malware. A survey report from summer 2012 mentions that over 40 Android security applications were tested and only 7 had a malware detection rate of over 90%. As the number of Android applications and daily Android activations is growing by record numbers, it is quite easy to believe that these reports of malware will keep increasing.
A company by the name of AV-TEST has taken this growth in Android security applications quite seriously and has published a rather large report on which of them are actually effective. After testing over 40 Android security applications, they were left with the following seven applications, which were the only ones able to detect over 90% of malware. Following are those seven applications.
2.1.1 Problems with current Android Security Apps
The problem with many Android security apps or antivirus programs is that they use signature-based tracking to identify viruses and malware. Signature-based tracking went out of style years ago among PC antivirus software companies because hackers kept finding ways around it. With signature-based defense, the antivirus software relies on a database of virus "signatures" and then protects users when it identifies that signature running on their computer. This technique is good up to a point, but due to the massive increase in the production of malware on a regular basis it cannot provide the kind of security required by the system. Android security applications or antivirus programs aren't using antiquated methods. Instead, they are forced to use signature-based antivirus tracking because any other type of tracking would require root access to the system. So, when malware tries to modify core system files or affect other vital parts of the Android device, existing security applications can't recognize that because they are not able to access the 'root' of the system. As a result, leading Android security companies offer rooted versions of their applications that are more powerful than the non-rooted versions. For example, companies like Avast have added a firewall function to the rooted version of their app.
No security application can claim to be 100% effective, and that rule remains true for Android devices. And that is why security on our favorite mobile operating system is still an issue.
Figure : Increase in Android Malwares since January 2008 till October 2012
2.2 RESEARCH PAPERS LITERATURE
Detecting Android Malware on Network Level
This paper describes approaches to detect Android malware on the network level. It begins by describing the evolution of Android OS into the leader of the smartphone industry. It has been found that over 190 million Android devices had been activated by the start of 2012, and the numbers are expected to increase further. As Android users can install an application from various sources, such as the Google Play Store, third-party app stores, or by directly downloading and installing APK files, the possibility of malware being present on the device is very large, and most users remain unaware that their personal data and information are being stolen. The paper then covers related work: the company Dasient performed automated analysis on 10,000 Android applications from the Google Android marketplace, and of those 10,000 applications, 8.4% were found to leak the International Mobile Equipment Identifier from the device. Efforts to detect Android malware through dynamic analysis are being made by DroidBox. The paper then describes a new technique to detect malware on the network level by analyzing network packets. Their analysis of packet traces focuses on finding information leakage in HTTP traces and identifying connection attempts to command and control server DNS names and IP addresses. Conversations containing the IMEI, phone number or credit card information were tracked, as well as unexpected binary downloads, and if no abnormalities are detected the packet dump is compared manually to a dump generated by the uninfected VM template image.
Most malware on Android devices uses very basic communication techniques, specifically static C&C server addresses and plain-text transmission of data. Preliminary results show that the presented detection techniques are viable, but large-scale testing is required to determine real-world performance.
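The checks the paper applies to HTTP traces (tracked identifiers, card numbers, C&C contacts, unexpected binary downloads) can be illustrated with a small scanner. This is an added example, not the paper's tool: the request format, host names, IMEI, phone number and card number are all constructed test values, and the Luhn filter for card-like digit runs is an assumption of this sketch.

```python
import re
from urllib.parse import unquote_plus

DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
BINARY_SUFFIXES = (".apk", ".dex", ".jar", ".so")


def luhn_ok(digits):
    """Luhn checksum, used by payment card numbers (and IMEIs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_trace(requests, imei, phone, c2_hosts):
    """Return (request index, finding) pairs for a plain-text HTTP trace.

    requests: list of dicts with "host", "path" and optional "body".
    Only unencrypted traffic is visible to this kind of check.
    """
    findings = []
    phone_digits = re.sub(r"\D", "", phone)
    for idx, req in enumerate(requests):
        # URL-decode so that %2B15555550100 and similar encodings are caught.
        text = unquote_plus(req["path"] + "\n" + req.get("body", ""))
        compact = re.sub(r"[ \-+()]", "", text)  # ignore phone formatting

        if req["host"].lower() in c2_hosts:
            findings.append((idx, "c2-contact"))
        if imei in text:
            findings.append((idx, "imei-leak"))
        if phone_digits in compact:
            findings.append((idx, "phone-leak"))
        for run in DIGIT_RUN.findall(text):
            # The IMEI is itself Luhn-valid, so exclude it from card hits.
            if run != imei and luhn_ok(run):
                findings.append((idx, "possible-card"))
        if req["path"].split("?", 1)[0].lower().endswith(BINARY_SUFFIXES):
            findings.append((idx, "binary-download"))
    return findings


# Constructed sample trace and device identifiers (not real data).
SAMPLE_IMEI = "490154203237518"
SAMPLE_PHONE = "+1 555-555-0100"
SAMPLE_C2 = {"c2.malware.test"}
SAMPLE_TRACE = [
    {"host": "update.example.test", "path": "/check?ver=1.2"},
    {"host": "ads.example.test", "path": "/track",
     "body": "imei=490154203237518&model=Nexus"},
    {"host": "c2.malware.test", "path": "/cmd?id=7"},
    {"host": "stats.example.test", "path": "/u",
     "body": "msisdn=%2B15555550100&cc=4111111111111111"},
    {"host": "cdn.example.test", "path": "/payload.apk"},
]

if __name__ == "__main__":
    for idx, kind in scan_trace(SAMPLE_TRACE, SAMPLE_IMEI, SAMPLE_PHONE, SAMPLE_C2):
        print(idx, SAMPLE_TRACE[idx]["host"], kind)
```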
Understanding Android Security
This article gives a brief introduction to Android application development and points out security issues that developers have to be aware of, such as using explicit Intents whenever possible. The article begins by describing how Android has become the leader of the smartphone market in such a short time, as shown in Figure 2.2. Some of the essential features of Android OS are explained in the article, such as synchronization of contacts and calendar information and adapting other social networking functions. The article explains the complexity of Android security and highlights some of the hidden facts of the operating system that arise when defining an application's security. The framework of an Android application is then explained for the benefit of Android developers. That framework does not have a main function or a single point of execution; rather, the developer has to divide the design of the application into components. Android defines four types of component: (i) Activity components (define the application user interface), (ii) Service components (perform background processing), (iii) Content provider components (store and share data using a relational database interface), (iv) Broadcast receiver components (act as a mailbox for messages from other applications). The article further explains component interaction using intents and intent filters and their potential issues, and explains how to set access permission labels via the manifest. The two mechanisms that Android uses for the protection of applications are (i) at the system level, (ii) at the ICC level. The article further describes permission protection levels such as normal, dangerous, Signature and SignatureOrSystem, using their own application called 'Friend Tracker'.
Crowdroid: Behavior-Based Malware Detection System for Android
The paper begins by describing how malware for mobile phones is increasing every day, after having threatened PCs for so many years. A short survey of the growth of Android smartphones is shown in Table 2.1. Security problems in Android are increasing every day and no reliable solution is available so far. In recent research, the Global Threat Center of the company "Juniper Networks" found a shocking increase in Android malware since June 2010; some of the most common malware families are "Fake Player", "Geinimi", "PJApps" and "HongToutou". In order to detect this kind of malware, two approaches have been proposed so far for complete analysis and detection: 'static analysis' and 'dynamic analysis'. Static analysis, mostly used by antivirus companies, is based on inspection of source code or binaries, looking for suspicious patterns. In dynamic analysis, on the other hand, the application's performance is observed and then compared with a given sample in order to analyze the execution traces. In this paper they introduce a new framework, "Behavior Based Malware Detection", for detecting malicious applications. As the security tools and mechanisms used on computers are not feasible on smartphones due to their excessive use of system resources such as memory and battery, they have created their own dedicated remote server for the whole analysis process, which is used exclusively to collect information and detect malicious and suspicious applications on the Android operating system. They have also developed their own client, "Crowdroid", which is available in the Android Market. With the help of the Android user community, Crowdroid will be able to distinguish between benign and malicious applications of the same name and detect anomalous behavior of known applications.
Keeping in view the success rate of previous detection methods, they concluded that monitoring system calls is one of the most accurate techniques to determine the behavior of Android applications. After various experiments they describe that it is possible to obtain behavior information using artificially created user actions, or by creating replicas of smartphones, but crowdsourcing helps the community to obtain real application traces of hundreds or of applications.
Permission Usage To Detect Malware in Android
Smartphones are becoming more popular, and the number of applications available to users is also increasing at a very high pace. The threat of malicious applications is also increasing, even in Apple's App Store and Google's Play Store. Apple applies a rigorous review process carried out by at least two reviewers. Google's Android relies on a permission system which enables users to view the permissions an application requires to work on their device; using this information they can know what type of application they are downloading. Unfortunately this does not help much in protecting people from malicious applications, as most users don't even check the permission list before downloading applications. Both Apple and Google have included clauses in their terms of service that urge developers not to submit malicious software, yet both have hosted malware in their stores. Both are developing different techniques to stop developers from posting malicious applications on their stores. Applications are divided into two main categories. The benign software dataset is built by selecting different types of applications such as widgets, web apps and native applications; all the safe applications are included in this category. The malicious software dataset contains a sample of malicious software. Android applications require the user's permission before being installed on the system, so the paper analyzed the following features: "uses-permission", the tag under which the permissions that the application needs to work are defined; and "uses-feature", which shows which features of the device the application uses. Most of the malicious applications use the same types of permissions that the benign apps use, so finding the malicious app is a little difficult. It is found that only 1 permission is required for the application to behave maliciously; there is a low chance of them having 2 or 3.
A machine learning method has been used to distinguish between benign and malicious applications. The WEKA tool is used in this process, with the k-fold cross-validation technique. The numbers of false positives and false negatives are also calculated, which gives the correct threat detection probability. The overall conclusion of this article is that permissions are the most recognizable security feature in Android; the user must accept them in order to install the application. For validation of the proposed process, 239 malware samples were used. This method is still more static than dynamic, and research on this technique is ongoing.
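The feature-extraction step that precedes the WEKA classification can be sketched as below: it reads the `uses-permission` and `uses-feature` tags and writes an ARFF dataset with one binary attribute per tag value. This is an added example, not the paper's code; the two manifests are constructed, the function names are hypothetical, and it assumes the manifest has already been decoded to text XML (inside an APK it is stored in a binary form).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifests standing in for one benign and one malicious sample.
BENIGN_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-feature android:name="android.hardware.camera"/>
  <application/>
</manifest>"""

SUSPECT_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application/>
</manifest>"""

SAMPLES = [(BENIGN_MANIFEST, "benign"), (SUSPECT_MANIFEST, "malware")]


def manifest_features(manifest_xml):
    """Return the set of 'tag:name' features declared in one manifest."""
    root = ET.fromstring(manifest_xml)
    features = set()
    for tag in ("uses-permission", "uses-feature"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:  # skip malformed entries without android:name
                features.add(f"{tag}:{name}")
    return features


def to_arff(samples, relation="android_permissions"):
    """Render labelled manifests as ARFF text with binary attributes."""
    per_sample = [(manifest_features(xml), label) for xml, label in samples]
    vocabulary = sorted(set().union(*(feats for feats, _ in per_sample)))

    lines = [f"@relation {relation}", ""]
    for feature in vocabulary:
        lines.append(f"@attribute '{feature}' {{0,1}}")
    lines.append("@attribute class {benign,malware}")
    lines += ["", "@data"]
    for feats, label in per_sample:
        row = ["1" if feature in feats else "0" for feature in vocabulary]
        lines.append(",".join(row + [label]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_arff(SAMPLES))
```

Both samples request `INTERNET`, so that column is identical in the two rows, which is the overlap between benign and malicious permission sets that the paper points out.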
A Review of Malicious Code Detection Techniques for Android Devices
The number of mobile phones in the world is rising at a very high rate. Smartphones are becoming more popular as time passes. Smartphones have the ability to use mobile networks such as Wi-Fi, Bluetooth and GSM services for different tasks. Most people are connected to the internet through their smartphones and perform many of their daily tasks from their phone instead of a PC. Many operations involving sensitive data transfer, such as financial transactions and online buying and selling of goods, are being done excessively through these devices. They are easy targets for malware because they are well connected, incorporating various means of wireless communication. Malware can affect devices in different ways. Theft of data: hackers can often attack mobile devices to obtain transient and static information. Transient information is related to the location of the device, power and other data usage. Static information is the data exchanged over the network. Phone hijacking: phones can be hijacked and used to send expensive SMS messages or to listen to calls being made by the user. Denial of Service (DoS) attacks are also a threat to mobile devices, as hackers can flood the device and cause the battery to drain by sending corrupt packets through Bluetooth or Wi-Fi. Many Trojans, worms and viruses have entered the mobile world and have affected devices during the past years. There are three main approaches to detecting malicious code. Signature-based detection is based on the history of previously defined viruses, so it runs in the system searching for the virus before it even starts affecting the device. It has the drawback that it only has information about past virus definitions, so the latest viruses are safe from it. The behavior checking technique refers to an application that resides in the memory of the device and keeps checking applications for unusual behavior.
An integrity checker keeps a log of the applications already present in the system, and whenever the checker runs it compares the old log with a new one. These basic techniques can be enhanced to improve performance and security.
A study on the system for detect malware that disclose privacy information via the Android App Store
The paper begins with a short survey of the growth of Android smartphones. It is noted that Android smartphones are growing, and an Irish research company has published that more than 80% of smartphone users were using the Android operating system in 2012. Similarly, with the evolution of the Android operating system, malicious code is also growing, and personal data such as contacts, messages and financial information is in danger. Malicious code increased by 800% from February 2011 to May 2011. Android-based malicious code is spreading through different kinds of media. Applications share personal information through the web, Bluetooth, Wi-Fi, etc. The paper says that this is a secondary crime called phishing, which can be detected using the signature method. With the signature method, phishing can be detected by updating patterns, but this can only be done after the unusual activity has been observed. To overcome this, another technique is mentioned, called heuristic detection, which detects variants of malicious code; still, this technique cannot detect unknown malicious code. Unknown malicious code can be detected by analyzing the APIs (shown in Figure 2.4) and the manifest, by analyzing the libraries used by the application, and by doing a dynamic analysis. Malicious code must be studied before it can be detected, and malicious code is more diverse on the Android operating system than in the desktop computer environment. The paper includes an analysis of malicious code distribution paths, which shows that the most common distribution path is the Google Play Store. Other distribution paths include Bluetooth, WAP/Web and others.
Many applications are uploaded to the app store, and the paper proposes a technique to inspect the application during the registration process; if any malicious code is found, the application should not be uploaded to the Android Market. We, however, are focusing on detection inside the mobile phone, which can be done by analyzing the APIs and library paths (shown in Table 2.2) of the applications on which our priority is high. Functions such as access to IME data, Wi-Fi information and location, together with their APIs, are listed in this paper (Table 2.3) and can be used for the detection of malicious code. They tested some applications containing known and unknown malicious code, including Twalktupi, SMSReplicator, InfoStealer, Pirater, Imlog, and Geinimi. These applications were reading the user's personal information and web link information and sending them out. These applications had the permission to access the internet and other permissions to access the user's personal data. We conclude that, rather than checking on the Android Market at the time of registration, we can use the same methodology inside the mobile phone: by using the APIs and their functions and the library paths and their functions shown in this paper, we can detect applications containing malicious code.
Table 2.1: Android market share till September 2012
Table 2.2: Information leakage and malicious activity related Android Library Paths
Table 2.3: Information leakage and malicious activity related Android API
Malware on G-Fan App Market
Over 500,000 apps are infected in the market of China. They are Android operating system users. An application called SMSzombie was downloaded by more than 500,000 users, and their money was stolen by reading the account details they had given to buy gaming applications on a Chinese third-party application store called the G-Fan App Market. This case was noticed on August 20, 2012. The thing to notice is that these kinds of malicious code can even steal your financial property. There is still no security at the application level.
CHAPTER 3: REQUIREMENT SPECIFICATION
This document is designed for the malicious code detection which is divided into several phases.
The purpose of this project is to provide maximum security for the private data of Android smartphone users. Private data means the user's personal data, such as messages, contacts and links that the user has used or is using. The other purpose is to make the Android system more efficient by closing unusual activities to free resources. Resources such as RAM and battery should be used efficiently. This may take the user's smartphone to a level where it delivers better performance.
The threat of malware is increasing in the Android world, so there is a need for applications that will prevent malicious applications from invading user privacy. When our product is completed, it will be able to detect malicious apps that are running on the device and stop them. It will keep track of apps that have a malicious signature and may perform a malicious activity. It will make sure that the user's privacy is preserved.
3.1.3 Definitions, Acronyms, and Abbreviations
SDK: A "software development kit" is typically a set of software development tools that allows for the creation of applications for a certain software package, software framework, hardware platform, computer system, video game console, operating system, or similar platform.
IDE: An "integrated development environment" (IDE) is a software application that provides comprehensive facilities to computer programmers for software development. An IDE normally consists of a source code editor, build automation tools and a debugger.
MCD: "Malicious Code Detector" is the name of the application that we are going to build for Android smartphones.
RAM: "Random-access memory" (RAM) is a form of computer data storage. A random-access device allows stored data to be accessed in very nearly the same amount of time for any storage location, so data can be accessed quickly in any random order.
Malware: Malware, short for malicious (or malevolent) software, is software used or created to disrupt computer operation, gather sensitive information, or gain access to private computer systems.
DroidBox: An open source project utilizing Google's Android Virtual Device to log Android application behavior.
ICC: Inter component communication.
Rooted Device: A device that has been rooted by the user, providing superuser functionality and every type of access to the system files.
This part of the document focuses on the functionality of the product. All aspects of malicious code detection are covered in this topic. All the interfaces are explained in detail, including user, hardware and software interfaces. Functional and non-functional requirements are also explained in this section.
3.2 Product Perspective
3.2.1 User Interfaces
This is a mobile application, and all details will be shown to the user on the front end of the mobile screen.
3.2.2 Hardware Interfaces
A mobile system with a reasonable amount of RAM would be required to give fast results.
3.2.3 Software Interfaces
The software interfaces used to develop the system are
Android SDK, JDK
3.2.4 Product Overview
The basic goal of our application, 'Malicious Code Detector', is to provide maximum security to Android phone users and enhance the performance of the mobile phone. The user first starts the application; it then detects the number of running applications and all those applications which are stealing the user's personal data and misusing system resources such as battery life and memory. Finally it detects the misbehaving applications and, if urgently required, closes the application without the user's permission; in some cases it asks the user for permission to close the malicious application.
3.2.5 Business Opportunity
As the Android operating system leads in market share worldwide, its security problems increase rapidly with time. Most companies have been working to provide a successful solution for this issue, and many security applications and antivirus products have been introduced, but none of them has proved effective. Malicious code detection can provide much better results than all the previous security applications, and it gives us a great opportunity to start a business.
3.2.6 Problem Statement
To provide maximum security and performance to the android phones
The problem of
Security in android phones is currently the biggest problem in the Smartphone industry
Security issues affect Android users and Android's founders badly, as malware not only steals the user's personal data but also decreases system performance.
the impact of which is
It affects the reputation of android OS in the market
a successful solution would be
Maximum security, performance, less memory usage
3.2.7 Product Position Statement
Android users and founder of the company
The (product name)
Malicious code detection is a security related product
Will provide maximum security and performance
More effective than previous applications
No other security application enhances performance; rather, they reduce system performance. Our application will enhance system performance.
3.2.8 Market Demographics
Android users are increasing day by day, and as a result its applications are increasing rapidly. Android users can install applications through various sources such as the Google Play Store, third-party app stores and by directly downloading and installing APK files. This results in malware which not only steals the user's personal data but also reduces mobile performance. Security is the biggest problem Android OS has faced so far, and much research is ongoing on this topic, but even after the development of many security-related apps and antivirus products there is no effective solution to detect malware, and there is an intense need for a more effective application to detect it.
3.2.9 Alternatives and Competition
Since the emergence of Android malware, many security companies have started developing solutions to detect malware in the OS, and since summer 2010 over 40 security-related apps were tested to detect malware, but only 7 of them have a success rate of over 90%. This result shows that those apps were not up to the mark and that a really efficient system is still needed.
In FYP-1 we developed some malicious Android applications which steal data without the user's knowledge. These are as follows.
It is a simple tic-tac-toe game, but while the game is being played the user's contacts and messages are sent to the hacker automatically. When the user presses the button to take an action in the game, his personal information is leaked automatically and he is unaware of all this. The game also makes a list of all the running applications, messages and contacts and sends that list to the hacker.
3.4 Functional Requirements
This will enable the application to run in the background, so that it keeps working while the user performs other tasks.
It involves following processes.
Detect running applications
Detect misbehaving applications
Detect content sending applications
Detect network applications
3.4.3 User Permission
Our application asks for the user's permission after detecting a malicious application, and the user provides the permission to close that application.
Some malicious applications will be closed without the user's permission, and a notification is shown to the user about the action performed.
3.5 Non-Functional Requirements
3.5.1 Performance Requirements
The mobile operating system must be Android Gingerbread 2.3.3 or later so that our application can give maximum performance. Low processing time will also help in increasing the performance of the application.
The application must be portable so that it can be installed on all the latest Android OS versions.
The application depends on the reliability of the hardware, because if the hardware crashes all confidential data will be lost.
The application must be easily accessible on the Google Play Store or any other Android source.
The application must be easy to install, and a complete step-by-step process should be displayed to the user so that he can easily understand how the application works.
The application must be flexible enough to accommodate updates, changes or new features for better performance.
If there are too many applications installed on the smartphone, the system must be scalable so that it can handle a large amount of data.