Android Security A Survey of Issues, Malware Penetration, and Defenses

998 IEEE COMMUNICATION SURVEYS & TUTORIALS, VOL. 17, NO. 2, SECOND QUARTER 2015

Android Security: A Survey of Issues, Malware Penetration, and Defenses

Parvez Faruki, Ammar Bharmal, Vijay Laxmi, Vijay Ganmoor, Manoj Singh Gaur, Mauro Conti, Senior Member, IEEE, and Muttukrishnan Rajarajan

Abstract—Smartphones have become pervasive due to the availability of office applications, Internet, games and vehicle guidance using location-based services, apart from conventional services such as voice calls, SMSes and multimedia services. Android devices have gained huge market share due to the open architecture of Android and the popularity of its application programming interfaces (APIs) in the developer community. The increased popularity of Android devices and the associated monetary benefits attracted malware developers, resulting in a big rise in Android malware apps between 2010 and 2014. Academic researchers and commercial antimalware companies have realized that the conventional signature-based and static analysis methods are vulnerable. In particular, the prevalent stealth techniques, such as encryption, code transformation, and environment-aware approaches, are capable of generating variants of known malware. This has led to the use of behavior-, anomaly-, and dynamic-analysis-based methods. Since a single approach may be ineffective against the advanced techniques, multiple complementary approaches can be used in tandem for effective malware detection. The existing reviews extensively cover smartphone OS security. However, we believe that the security of Android, with particular focus on malware growth, study of antianalysis techniques, and existing detection methodologies, needs an extensive coverage. In this survey, we discuss the Android security enforcement mechanisms, threats to the existing security enforcements and related issues, the malware growth timeline between 2010 and 2014, and stealth techniques employed by the malware authors, in addition to the existing detection methods. This review gives an insight into the strengths and shortcomings of the known research methodologies and provides a platform, to the researchers and practitioners, toward proposing the next-generation Android security, analysis, and malware detection techniques.

Index Terms—Android malware, static analysis, dynamic analysis, behavioral analysis, obfuscation, stealth malware.

Manuscript received May 14, 2014; revised October 16, 2014; accepted December 9, 2014. Date of publication December 30, 2014; date of current version May 19, 2015. This work was supported in part by the TENACE PRIN Project 20103P34XC funded by the Italian MIUR and in part by the Project "Tackling Mobile Malware with Innovative Machine Learning Techniques" funded by the University of Padua. The work of M. Conti was supported by Marie Curie Fellowship PCIG11-GA-2012-321980, funded by the European Commission for the PRISM CODE Project. The work of P. Faruki, M. S. Gaur, and V. Laxmi was supported in part by the Department of Information Technology, Government of India Project Grant "Security Analysis Framework for Android Platform".
P. Faruki, A. Bharmal, V. Laxmi, V. Ganmoor, and M. S. Gaur are with the Computer Engineering Department, Malaviya National Institute of Technology (MNIT), Jaipur 302 017, India (e-mail: [email protected]; vlaxmi@mnit.ac.in; [email protected]).
M. Conti is with the Department of Mathematics, University of Padua, 35122 Padua, Italy (e-mail: [email protected]).
M. Rajarajan is with the School of Engineering and Mathematical Sciences, Electrical and Electronics Engineering, City University London, EC1V 0HB London, U.K. (e-mail: [email protected]).
Digital Object Identifier 10.1109/COMST.2014.2386139

1553-877X © 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

I. INTRODUCTION

The Android smartphone OS has captured more than 75% of the total market share, leaving its competitors iOS, Windows mobile OS and Blackberry far behind [1]. Even though smartphones were used in the previous decade, since 2008 the iOS and Android smartphone OSes have generated enormous attraction among users and developers worldwide. Smartphones have become ubiquitous due to a wide range of connectivity options such as GSM, CDMA, Wi-Fi, GPS, Bluetooth and NFC. The Gartner smartphone sales report 2013 reports a 42.3% increase in Android devices compared to the previous year [1]. The overall market share increased to 78% from 66%, a substantial rise of 12% among the users. However, sales of the nearest Android competitor, iOS, decreased 4%, from 19 to 15 percent. Ubiquitous Internet connectivity and the availability of personal information such as contacts, messages, social network access, browsing history and banking credentials have attracted the attention of malware developers towards mobile devices in general and Android in particular. Android malware such as premium-rate SMS Trojans, spyware, botnets, aggressive adware and privilege escalation exploits have shown an exponential rise, apart from being distributed from the secure Google Play store and well-known third-party market places [2]–[4]. Android's popularity has encouraged developers to provide innovative applications, popularly called apps. Google Play, the official Android app market, hosts third-party developer apps for a nominal fee. Google Play hosts more than a million apps with a large number of downloads each day [5]. Unlike the Apple App Store, Google Play does not verify the uploaded apps manually. Instead, the official market depends on Bouncer [6], [7], a dynamic emulated environment to control and protect the market place from malicious app threats. Though Bouncer protects against malware threats, it does not analyze the vulnerabilities in uploaded apps [8]. Malware authors take advantage of such vulnerable apps and divulge private user information, inadvertently harming the app-store and the developer reputation. Moreover, Android's open source philosophy permits the installation of third-party market apps, stirring up dozens of regional and international app-stores [9]–[13]. However, the adequacy of protection methods and app quality at third-party app-stores is a concern [4].

Android security solution providers report an alarming rise of malware, from just three malware families with 100 samples in 2010 to more than a hundred families consisting of 0.12–0.6 million unique samples in the fourth quarter of 2013 [14]–[19]. The number of malicious apps uploaded to VirusTotal [20] is increasing exponentially. Malware authors use stealth techniques,
dynamic execution, code obfuscation methods, repackaging and encryption [21], [22] to bypass the existing protection mechanisms provided by the Android platform and commercial anti-malware. Existing malware propagates by employing the above techniques and defeats the conventional signature-based approaches. New techniques that adapt to the smartphone platform and provide a timely response are an imminent need for the Android platform. Proactive methods to detect unknown malware employing infrequent signature updates, in contrast to one signature for each malware, are desirable for Android.

Malware app developers gain smartphone control by exploiting platform vulnerabilities [23], steal sensitive user information [21], and extract monetary benefits by exploiting the telephony services [24] or creating botnets [25]. Thus, it is important to understand their operational activities, working models and usage patterns to devise proactive detection for mobile devices.

The exponentially increasing number of malicious apps has forced the anti-malware industry to carve out robust and efficient methods suited for on-device detection within the existing constraints. The existing commercial anti-malware solutions employ signature-based detection due to its implementation efficiency [26] and simplicity. Signature-based methods can be easily circumvented using code obfuscation, necessitating a new signature for each malware variant [27] and forcing the anti-malware client to regularly update its signature database. Due to the limited processing capability and constrained battery availability, cloud-based solutions for analysis and detection have come into existence [28], [29]. Manual analysis and malware signature extraction require sufficient time and expertise. They can also generate false negatives (FN) while generating signatures for the variants of known families. Due to the exponentially increased malware variants, there is a need to employ automatic signature generation methods that incur low false alarms.

Off-device malware analysis methods are needed to understand the malware functionality. Samples can be analyzed manually to extract the malware signatures. However, given the rapid rise of malware, there is an urgent need for analysis methods requiring minimum human intervention. Automatic analysis helps the malware analyst generate a timely response to detect unseen malware. Static analysis can quickly and precisely identify malware patterns. However, it fails against code transformations, native code and Java reflection [30]. Thus, dynamic analysis approaches, though time consuming, are an alternative to extract the malicious behavior of stealth malware by executing it in a sandbox environment.

Academia and industry researchers have proposed solutions and frameworks to analyze and detect Android malware threats. Some of these are even available as open-source. These solutions can be characterized using the following three parameters:

1) Goal: the proposed solution can be either app-security assessment, analysis or malware detection. App-security assessment solutions determine the vulnerabilities which, if exploited by an adversary, harm the user and device security. Analysis solutions check for malicious behavior within unknown apps, whereas detection solutions aim to prevent the on-device installation.
2) Methodology: the above goals can be achieved with either static or dynamic analysis based approaches to detect malware. Control-flow and data-flow analysis are examples of formal static analysis [29]. In dynamic analysis, apps are executed/emulated in a sandboxed environment in order to monitor their activities and identify anomalous behaviors that are otherwise difficult to find with static analysis.
3) Deployment of the above discussed solutions.

Existing smartphone security surveys review the state of the art considering the popular mobile OS platforms [31], [32]. However, this review paper focuses on the Android platform, the most popular mobile device OS. La Polla et al. [32] surveyed the smartphone security threats and their solutions for the period 2004–2011, which has very limited coverage of Android.

Suarez-Tangil et al. [31] extended the work of La Polla et al. [32]. In particular, they concentrated on smartphone sensor-feature-based misuse attacks such as hardware, communication, sensors and system. The authors gave an insight into the misuse of specific Android features affecting the overall device security. They categorized the malware based on its attack goals, distribution, infection and privilege acquisition. On the contrary, this review categorizes the malware according to the commercial anti-malware industry terminology and provides an accurate description of malware infection rate and threat perception between 2010–2014.

In 2011, William Enck [33] studied the Android security mechanisms, particularly protection through permissions and the security implications of inter-app communication. Moreover, the author discussed other third-party Android platform hardening solutions, their benefits and limitations. In addition, the study also examined app security analysis proposals and presented future directions to enhance the Android platform security.

This paper aims to complement the former reviews by expanding the coverage of Android security issues and malware growth between 2010–14. The paper discusses code transformation methods and the strengths and limitations of notable malware analysis and detection methodologies. In particular, this paper comprehensively covers stealth techniques used by malware authors to evade detection by generating variants of already known malware. Finally, we propose a hybrid Android malware analysis and detection framework, an insight into our future research directions. This survey paper is organized as follows.

Section II discusses the Android app architecture and the security enforcement mechanisms employed to weaken the attack surfaces. Section III covers Android security issues in spite of the existing enforcements discussed in Section II. Section III covers major security enhancements in the subsequent Android versions to tackle the enumerated issues. Section IV presents the time-line illustrating notable Android malware families between 2010–2013 and categorizes them according to their functionality. Section V covers various penetration and stealth techniques employed by advanced Android malware.
Sections VI and VII categorize the prominent assessment, analysis and detection methods along with their deployment solutions, respectively. Section VIII classifies the state-of-the-art tools proposed by academia and the anti-malware industry according to their functionality covered in Section VI. This section discusses the strengths and drawbacks of well-known analysis techniques and tools and summarizes them as per the functionality discussed in Table I. A comparison of the popular web-based analysis sandboxes is illustrated in Table II. Finally, Section IX concludes this paper and proposes a hybrid malware analysis and detection framework as a recommendation for future research directions.

II. ANDROID APP AND SECURITY ARCHITECTURE

Android is being developed under the Android Open Source Project (AOSP), maintained by Google and promoted by the Open Handset Alliance (OHA), which consists of the Original Equipment Manufacturers (OEMs), chip-makers, carriers and application developers. Android apps are written in Java; however, the native code and shared libraries are developed in C/C++. The typical Android architecture is illustrated in Fig. 1. The bottom-layer Linux kernel is customized specifically for the embedded environment with its limited resources. Android is developed on top of the Linux kernel due to its robust driver model, efficient memory and process management, and networking support for the core services. Currently, Android supports two Instruction Set Architectures: 1) ARM, prevalent on smartphones and tablets; 2) x86, prevalent among the Mobile Internet Devices (MIDs). On top of the Linux kernel, the native libraries developed in C/C++ support high-performance, third-party reusable, shared libraries.

Fig. 1. Android Architecture [34].

An Android user app, written in the Java language, is translated to Dalvik bytecode that runs under a newly created runtime, the Dalvik Virtual Machine (DVM), as illustrated in Fig. 1. It is specifically optimized for the resource-constrained mobile OS platform. Once the OS boot completes, a process known as zygote initializes the Dalvik VM by pre-loading the core libraries. Zygote then waits on a socket to load the newly forked processes. The zygote process speeds up app loading, since the instances of libraries it loaded are shared with the newly loaded user apps. Finally, the application framework provides a uniform and concise view of the Java libraries to the app developer. Android protects sensitive functionality such as telephony, GPS, network, power-management, radio and media as system services with the permission-based model.

A. App Structure

An Android app is packaged into an APK (.apk), a zip archive consisting of several files and folders as illustrated in Fig. 2. In particular, the AndroidManifest.xml stores the meta-data such as package name, permissions required, definitions of one or more components like Activities, Services, Broadcast Receivers or Content Providers, minimum and maximum version support, libraries to be linked, etc. The folder res stores icons, images, string/numeric/color constants, UI layouts, menus and animations compiled into the binary. The folder assets contains non-compiled resources. The executable file classes.dex stores the Dalvik bytecode to be executed on the Dalvik Virtual Machine. META-INF stores the signature of the app developer certificate to verify the third-party developer identity.

As mentioned previously, Android apps are developed in Java. The development process is illustrated in Fig. 3. Compiled Java code generates a number of .class files, the intermediate Java bytecode of the classes defined in the source. Using the dx tool, the .class files are merged into a single Dalvik Executable (.dex). The .dex file stores the Dalvik bytecode to be executed on the DVM, speeding up the execution.

B. App Components

An Android app is composed of one or more of the components discussed below:

• Activity: It is the user interface component of an app. Any number of activities can be declared within the manifest depending on the developer requirements. Apart from some pre-defined task, an activity can also return a result to its caller. Activities are launched using Intents, as explained in Section II-C.
• Service: The Service component performs background tasks without any UI, for example playing audio or downloading data from the network. Services are launched using Intents, further discussed in Section II-C.
• Broadcast Receiver: This component listens to Android system-generated events. For example, BOOT_COMPLETED, SMS_RECEIVED, etc. are system events. Other apps can broadcast their own application-defined events,
which can be handled by the other apps using the Service component.
• Content Provider: The content provider, also known as the data-store, provides a consistent interface for data access within and between different apps. Externally, the data within the content provider appears relational. However, it may have a completely different storage implementation. The data-store is accessible through application-defined Uniform Resource Identifiers (URIs).

Fig. 2. Android PacKage (APK) Structure.

Fig. 3. App Building Process.

A component is made accessible to the other apps by explicitly exporting it. Listing 1 discusses the declaration of components as a usage example of the definitions in the AndroidManifest.xml binary. The declared component(s) can be invoked or executed independently, since app component development and communication is asynchronous. An Android app has multiple entry-points, depending on the number of components an application defines.

C. Inter-Component Communication

Android security protects apps and data with a combination of system-level and Inter Component Communication (ICC) controls [35]. ICC defines the core security utilizing the guarantees of the Linux framework. An app runs with a unique user-id to thwart programming issues. Android middleware mediates the ICC between applications and components. Access to a component is restricted by assigning an access permission label. When a component initiates ICC, the reference monitor looks at the permission labels assigned to its container app. If the target component's access permission label is in the said collection, it allows the ICC to be initiated. If the label does not belong to the collection, ICC establishment is refused even if the components are a part of the same app. The developer assigns permission labels through the Manifest within an app. The developer defines the app security policy, whereas assigning permissions to the components in an application specifies an access policy to protect its resources.

App components interact with each other at a high-level abstraction of inter-process communication (IPC) using Intents, handled by the Binder IPC driver. Apps invoke activities and services and send broadcast events with Intents. System events are also broadcast through Intents. Intent(s) can contain the explicit address of the receiver components using the class/package name field. Depending upon the presence of action, category and data fields, the system sends implicit Intents to one or more matching receiver components. Each component registers itself to receive the Intent(s) using one or more intent-filters. The filter also specifies which kind of action, category and/or data the component accepts in an Intent. As shown in Listing 1, the service component is only invoked when it receives the system Intent with action equal to BOOT_COMPLETED, at line number 29 of the Listing.

D. App Sandboxing

Android has been designed as a secure mobile OS with the motive to protect the user data, developer apps, the device, and the network [34]. However, the security depends on the developer's willingness and capability to adhere to the best development practices. Also, the user must be aware of the effect an app may have on data and device security. Anti-malware solutions do not have sufficient rights to perform aggressive malware checks due to the enforced OS security model. For example, anti-malware apps have restricted scanning and/or monitoring capabilities and/or file-system access on the device. This section covers the Android security features.

The Android kernel implements Linux Discretionary Access Control (DAC). Each app process is protected with an assigned unique id (UID) within an isolated sandbox. The sandboxing restrains the other apps or their system services from interfering with the other app. Android protects network access by implementing a feature called Paranoid Network Security, a feature to control Wi-Fi, Bluetooth and Internet access within groups [36]. If an app is granted permission for a network resource (e.g., Bluetooth), the app process is assigned to the corresponding network access id. Thus, apart from the UID, a process may be assigned one or more group ids (GIDs). Android app sandboxing is illustrated in Fig. 4.

An app must contain a PKI certificate signed with the developer key (see Fig. 3). The app signature is the point of trust between Google and the third-party developers to ensure the app integrity and the developer reputation. The app signing procedure places an
app into an isolated sandbox, assigning it a unique UID. If the certificate of an app A matches that of an already installed app B on the device, Android assigns the same UID (i.e., sandbox) to apps A and B, permitting them to share their private files and the manifest-defined permissions. This unintended sharing can be exploited by malware writers, as naive developers may generate two certificates. It is advisable for developers to keep their certificates private to avoid their misuse.

Fig. 4. Android Apps within Sandbox at Kernel-level [34].

E. Permissions at Framework-Level

To restrict an app from accessing sensitive functionality such as telephony, network, contacts/SMS/sdcard and GPS location, Android provides a permission-based security model in the application framework. The developer must declare the permissions required using the uses-permission tag in AndroidManifest.xml, as discussed before in Listing 1 at line numbers two, four and six respectively. Android controls the individual apps to mitigate undesirable effects on the system apps or third-party developer apps within the sandbox. These restrictions are enforced on the process at install time. Android permissions are divided into the following four protection-levels [37]:

1) Normal: These permissions have a minimal risk on the user, system app or the device. Normal permissions are granted by default at install time.
2) Dangerous: These permissions fall within the high-risk group due to their capability of accessing the private data and important sensors of the device. A user must accept the installation of dangerous permissions at install time.
3) Signature: These permissions are granted only if the requesting app is signed with the same developer certificate as the app that declared the permissions. They are granted automatically at install time. Signature permissions are available to the system apps.
4) SignatureOrSystem: These permissions are granted if the requesting app is signed with the same certificate as the Android system image or as an app that declared these permissions. They are granted automatically at installation time.

Android permissions are coarse-grained. For example, the INTERNET permission does not have the capability to restrict access to a particular Uniform Resource Locator (URL). READ_PHONE_STATE allows an app to identify whether the device rings or is on hold. At the same time it also allows the app to read sensitive information such as device identifiers. Permissions such as WRITE_SETTINGS and CAMERA are broadly defined, thus violating the least privilege access principle. Access to WRITE_CONTACTS or WRITE_SMS does not imply access to the READ_CONTACTS or READ_SMS permissions. Thus permissions are not hierarchical and they must be separately requested by the developer. At install time, the user is forced to grant either all permissions or deny the app installation. Hence the dangerous permissions cannot be avoided at install time. Moreover, users cannot differentiate between a necessary permission and its imperative misuse, which may expose them to exploitation [38].

F. Secure System Partition

The Android system partition is built from the kernel, system libraries, the Android runtime, the app framework and the apps [34]. The Android system partition is read-only to protect against unauthorized access and/or modifications. Also, some parts of the file-system such as the application cache and sdcard are protected with the appropriate privileges to prevent tampering by the adversary when the device is connected to the desktop through USB.

G. Secure Google Play Store

Google discourages users from installing apps from any third-party market place due to the security concern. However, it still permits the installation from other third-party markets. Third-party developer apps are made available from the official Play store. Google vets the third-party developer app with Bouncer [6], a dynamic analysis sandboxed environment, to thwart any malware from entering Google Play. Bouncer, if not invincible, is a reasonably effective security mechanism [39]. Android has the facility of running a verification service while installing apps from other market places. Google Play is capable of remote un-install if it finds malicious behavior [40]. However, this facility is available only for devices connected to the Internet.
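As an added illustration of the manifest-level properties Section II describes (exported components and their intent-filters, permission protection levels, the BOOT_COMPLETED entry point and same-UID sharing), the following Python script, written for this review and not part of the survey or of any tool it cites, audits a decoded AndroidManifest.xml from a defender's viewpoint. It assumes the manifest has already been decoded from its binary APK form to text, treats the real android:sharedUserId attribute as the marker of deliberate UID sharing, and uses a constructed sample manifest together with a constructed subset of permission protection levels as they stood on Android 4.4.

```python
"""Audit a decoded AndroidManifest.xml for the manifest-level risks the survey
describes: components reachable from other apps without a guarding permission,
requested permissions grouped by protection level, receivers that auto-start on
BOOT_COMPLETED, and a sharedUserId that lets same-certificate apps share a UID."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree Clark notation for android:* attributes

# Constructed subset of platform permissions with their protection level on
# Android 4.4 (the latest version the survey covers); not a complete table.
PROTECTION_LEVEL = {
    "android.permission.INTERNET": "dangerous",
    "android.permission.READ_PHONE_STATE": "dangerous",
    "android.permission.READ_SMS": "dangerous",
    "android.permission.WRITE_SMS": "dangerous",
    "android.permission.READ_CONTACTS": "dangerous",
    "android.permission.WRITE_CONTACTS": "dangerous",
    "android.permission.CAMERA": "dangerous",
    "android.permission.WRITE_SETTINGS": "dangerous",
    "android.permission.VIBRATE": "normal",
    "android.permission.RECEIVE_BOOT_COMPLETED": "normal",
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
BOOT = "android.intent.action.BOOT_COMPLETED"
LAUNCHER = "android.intent.category.LAUNCHER"


def filter_names(comp, child):
    """Names of <action>/<category> children across the component's intent-filters."""
    return {c.get(A + "name")
            for f in comp.findall("intent-filter") for c in f.findall(child)}


def is_exported(comp):
    """android:exported wins; otherwise a component that declares an
    intent-filter is implicitly exported (the default in the survey's era)."""
    flag = comp.get(A + "exported")
    if flag is not None:
        return flag.lower() == "true"
    return comp.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return the findings for one decoded manifest as plain lists/values."""
    root = ET.fromstring(xml_text)
    findings = {
        "package": root.get("package"),
        "shared_uid": root.get(A + "sharedUserId"),  # None when not declared
        "dangerous_permissions": [],
        "unknown_permissions": [],   # app-defined or outside the table above
        "unprotected_exports": [],   # (tag, name) reachable without a permission
        "boot_listeners": [],        # (tag, name) started at boot
    }
    for up in root.findall("uses-permission"):
        name = up.get(A + "name")
        level = PROTECTION_LEVEL.get(name)
        if level == "dangerous":
            findings["dangerous_permissions"].append(name)
        elif level is None:
            findings["unknown_permissions"].append(name)
    app = root.find("application")
    for comp in (list(app) if app is not None else []):
        if comp.tag not in COMPONENT_TAGS:
            continue
        entry = (comp.tag, comp.get(A + "name"))
        guarded = comp.get(A + "permission") is not None
        # The launcher activity is exported by design; every other exported
        # component without android:permission is an open entry point.
        if (is_exported(comp) and not guarded
                and LAUNCHER not in filter_names(comp, "category")):
            findings["unprotected_exports"].append(entry)
        if BOOT in filter_names(comp, "action"):
            findings["boot_listeners"].append(entry)
    return findings


# Constructed sample manifest exercising each check; not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed" android:sharedUserId="com.example.shared">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="com.example.constructed.CUSTOM"/>
  <application android:label="Constructed">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.constructed.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.constructed.data"
        android:exported="true" android:permission="com.example.constructed.CUSTOM"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

On the sample, the provider is not reported because android:permission guards it, while the service and both receivers are reachable by any app on the device; the sharedUserId finding is what makes the colluding-app case of Section III-A possible.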
III. ANDROID SECURITY ISSUES AND ENHANCEMENTS

This section gives a detailed description of the user and device security issues. Moreover, it covers various enhancements employed by the AOSP in subsequent Android versions.

A. Android Threats

AOSP is committed to a secure Android smartphone OS, but it is also susceptible to social-engineering attacks. Once the app is installed, it may create undesirable consequences for the device security. Following is the list of malicious activities that have been reported or can be employed across subsequent Android versions.

• Privilege escalation attacks were leveraged by exploiting publicly available Android kernel vulnerabilities to gain root access on the device [41]. Android exported components can be exploited to gain access to dangerous permissions.
• Privacy leakage or personal-information theft occurs when users grant dangerous permissions to malicious apps and unknowingly allow access to sensitive data, which the apps ex-filtrate without user knowledge and/or consent.
• Malicious apps can also spy on the users by monitoring the voice calls, SMS/MMS and bank mTANs, or recording audio/video without user knowledge or consent.
• Malicious apps can earn money by making calls or subscribing to premium-rate number SMSes without the user's knowledge or consent.
• Compromising the device to act as a bot and remotely controlling it through a server by sending various commands to perform malicious activities.
• Aggressive ad campaigns may entice users to download potentially unwanted apps (PUAs) or malware apps [42].
• A colluding attack happens when a set of apps, signed with the same certificate, gets installed on a device. These apps share a UID with each other, and any dangerous permission(s) requested by one app will be shared by the colluding malware. Collectively, these apps perform malicious activities, whereas their individual functionality is benign. For example, an app with the READ_SMS permission can read SMSes and ask the colluding partner with the INTERNET permission to ex-filtrate the sensitive information to a remote server.
• A Denial of Service (DoS) attack can happen when app(s) overuse the already limited CPU, memory, battery and bandwidth resources and restrain the users from executing normal functions.

B. Version Update Issues

The Android Open Source Project (AOSP), led by Google, upgrades and maintains the Android source-code. However, the distribution release of a patch, an update or a major upgrade remains the responsibility of the Original Equipment Manufacturers (OEMs)

their own requirements. Such an update chain takes months before the patch reaches the end-users. This phenomenon is called Fragmentation, where different versions of Android remain scattered due to the unavailability of updates. Specifically, handsets with older and un-patched versions remain vulnerable to known exploits.

Android OS updates and upgrades are more frequent compared to desktop OSes. Android has released 29 stable OS version updates and upgrades since its launch in September 2008 [43]. An Over The Air (OTA) update significantly changes the existing version, modifying a large number of files across the platform while maintaining the integrity of existing user data and apps [44]. A new version update is facilitated through a service called the Package Management System (PMS). Xing et al. [44] performed a comprehensive study of pileup vulnerabilities, which in turn can be exploited by malware authors during version upgrades. An app developed for the older version can be exploited to use the dangerous permission(s) introduced in the higher version release. During the update, Android does not verify the appended permissions in the updated app [44]. Thus, it compromises the device security. During a major update or upgrade, a large number of files are modified while ensuring the sensitive user information remains intact, leading to complexity in update procedures.

C. Native Code Execution

Android allows native code execution through libraries implemented in C/C++ using the Native Development Kit (NDK). Even though native code executes outside the Dalvik VM, it is sandboxed through the user-id/group-id(s) combination. However, native code has the potential to perform privilege escalation by exploiting platform vulnerabilities [23], [45]–[49], as demonstrated by quite a few malware attacks in the recent past [50].

D. Security Enhancements in the Recent Versions

In view of the security issues, vulnerabilities and/or reported malware attacks, AOSP releases patches, updates, enhancements and upgrades. Here, we discuss notable security fixes and features incorporated in the subsequent Android OS versions up to Android KitKat 4.4:

1) Android prevented stack buffer and integer overflows in OS version 1.5. In version 2.3, Android fixed string format vulnerabilities and added hardware-based No eXecute (NX) support to stop execution of code in the stack and heap [34].
2) In Android 4.0, Address Space Layout Randomization (ASLR) was added to prevent return-to-libc and memory-related attacks [34].
3) Information can be ex-filtrated by connecting the device to a PC using the Android Debug Bridge (ADB) driver. Though ADB is developed as a debugging tool, it permits app installation/un-installation, reading system partitions, etc. even if the device is locked, but
or the wireless carriers. Individual OEM branches out updated connected to a Personal Computer (PC). To prevent such
versions of the OS and customize them accordingly. In some unauthorized access, Android 4.2.2 authenticates an ADB
countries, the wireless carriers customize the OEM OS to suit connection using RSA keypair [51]. User response is
prompted on the device screen if the ADB connection accesses the device. Thus, if the device is locked, an attacker would not be able to gain control.
4) To prevent malware from silently sending premium-rate SMS messages, Android 4.2 introduced an additional notification feature to prompt the user before a user app sends an SMS [52].
5) Android introduced a major capability addition to version 4.2 (API version 17) permitting creation of multiple users (MU) to allow multiple users to access a shared device such as a tablet [53]. Restricted profile (RP) access capability was added in Android 4.3 (API version 18) in July 2013. These modifications were made keeping in mind the usage of sharable mobile devices such as tablets, to provide private space to multiple users on a single mobile device. For each user, a separate account, user-selected apps, custom settings, private files and private user data are assigned. This capability enables multiple users to share a single device. In the MU scenario, the main account is the owner of the device. Using device settings, the owner can create additional MUs. Except for the original user, other created MU users cannot create, modify or delete the device MU users.
6) Android 4.3 removed the setuid()/setgid() programs [51] as they were vulnerable to the root exploits.
7) Android 4.3 experimented with SELinux to provide enhanced security [54]. Android 4.4 introduced SELinux in enforcing mode for multiple root processes. SELinux imposes Mandatory Access Control (MAC) policies in place of the traditional Discretionary Access Control (DAC). In DAC, the owner of the resource decides which other interested subjects can access it, whereas in MAC the system (not the users) authorizes the subject to access a particular resource. Thus, MAC has the potential to prevent the malicious activity(s) even if the root access of the device is compromised, and substantially reduces the effect of kernel-level privilege escalation attacks.

E. Third-Party Security Enhancements

Many independent Android security enhancements have been proposed [55]–[58]. These mechanisms allow an organization to create fine-grained security policies for their employee devices. Contextual information such as device location, app permissions and inter-app communication can be monitored and verified against the already declared policies. The scope of this paper is to investigate Android security, malware issues and defense techniques; it does not examine the above-mentioned prevention techniques in detail.

IV. REPORTED ANDROID MALWARE THREAT PERCEPTION

Fig. 5 illustrates the time-line of some notable malware families of Android during 2010–2013. Among them, SMS Trojans have the major contribution; some of these have even infected the Google Play store [50]. A large number of malware apps have exploited root-based attacks such as rage-against-the-cage [23], gingerbreak [48] and z4root [45] to gain superuser privileges to control the device. The most recent Android exploit is the master-key attack [59], to which the versions from 1.6 to 4.2.2 are vulnerable.

Each quarter, the anti-malware companies report an exponential increase in new families and existing malware variants [3], [60]. These companies differ in their approximation of the malware infection-rate on Android devices. In particular, Lookout Inc. reported a global malware infection-rate likelihood of 2.61% for its users [61]. Two independent researches estimated the real infection-rate. 1) In [62], the authors used the smartphone Domain Name Resolution (DNS) traffic in the United States and reported a 0.0009% infection rate. 2) Truong et al. [63] instrumented the Carat app [64] to estimate the infection-rates for three different malware datasets, reporting 0.26% and 0.28% for the McAfee and Mobile Sandbox datasets respectively. Thus, the present Android threat perception and malware infection rate show a huge reported variation between the commercial anti-malware vendors and independent studies.

In the following paragraphs, we discuss the Android malware classification and its characteristics.

A. Trojan

Trojans masquerade as benign apps, but they perform harmful activities without the consent or knowledge of the users. Trojans leak confidential user information, or they may "phish" the user and steal sensitive information such as passwords. Till the second quarter of 2012, the majority of the Android variants belonged to various SMS trojan families. SMS trojan apps are capable of sending SMS to premium-rate numbers without the knowledge and/or consent of the user, incurring financial loss to the owner. Apart from that, such trojans also divulge contacts, messages and IMEI/IMSI numbers to the command and control domains. FakeNetflix [65] masquerades as the popular Netflix app, phishing the user to enter their login credentials. Fakeplayer [42], Zsone [3] and Android.Foney [66] are a few notable Android trojans incurring financial loss to the user.

On account of the increased mobile banking transactions, malware authors have targeted two-factor mobile banking authentication. After capturing the username and password of target accounts employing social engineering attacks, the Zitmo and Spitmo Trojans monitor and steal the mTANs (Mobile Transaction Authentication Numbers) to silently complete transactions [67].

B. Backdoor

A backdoor allows other malware to silently enter the system, facilitating the bypass of the normal security procedures. A backdoor can employ root exploits to gain superuser privilege and hide from the anti-malware scanners. A number of root exploits such as rage-against-the-cage, rageagainstthecage and gingerbreak [48] gain full control of the device. Basebridge [50], KMin [50] and Obad [22] are notable examples of known backdoors.
Fig. 5. Android Malware Family Chronology [2], [14]–[16], [18], [19].

C. Worm

A worm app can create exact or similar copies of itself and spread them through the network and/or removable media. For example, Bluetooth worms can exploit Bluetooth functionality and send copies to the paired devices. Android.Obad.OS [22] is a well known Bluetooth worm.

D. Botnet

Botnet apps compromise the device to create a Bot, so that the device is controlled by a remote server, called the Bot-master, through a series of commands. A network of such bots is called a Botnet. Commands can be as simple as sending private information to a remote server, or as complex as leading to denial of service attacks. A Bot can also include commands to download malicious payloads automatically. Geinimi [50], Anserverbot [50] and Beanbot [50] are notable Android botnets.

E. Spyware

Spyware may present itself as a good utility, but has a hidden agenda to surreptitiously monitor contacts, messages, location, bank mTANs etc., which leads to undesirable consequences. It can send the collected information to the remote server. Nickyspy [50] and GPSSpy [3] are known examples of spyware apps.
F. Aggressive Adware

Android provides coarse- and fine-grained location services. Some advertisement affiliate networks misuse such location services and send personalized advertisements to the user device to generate revenues. Aggressive adware can create shortcuts on the home-screen, steal bookmarks, change the default search engine settings and push unnecessary notifications to hinder effective device usage. Plankton [3] is a known aggressive adware.

G. Ransomware

Ransomware can lock the user device to make it inaccessible until some ransom amount is paid through an online payment service. For example, FakeDefender.B [68] masquerades as the avast! [69] anti-malware and displays fake malware alerts to coax the user into installing this hoax malware. In addition, it locks the device and demands a ransom to unlock the device.

V. MALWARE PENETRATION AND SURVIVAL TECHNIQUES

In this section, we summarize the malware penetration and state-of-the-art stealth techniques employed by Android malware apps.

A. Repackaging Popular Apps

Repackaging is the process of disassembling/decompiling popular free/paid apps from the popular market places, inserting or appending the malware payload, re-assembling the trojan app and distributing it via the less monitored local app-stores. An app can be repackaged with the existing reverse-engineering tools. The repackaging process is illustrated in Fig. 6. The following list discusses the main steps involved in app repackaging:

• Download the popular free/paid app from the popular app-store(s).
• Disassemble the app with a disassembler such as apktool [70].
• Generate a malicious payload in Dalvik bytecode or Java and convert it to bytecode using the dx [71] tool.
• Add the malware payload into the benign app. Modify the AndroidManifest.xml and/or resources if required.
• Assemble the modified source again using apktool.
• Distribute the repackaged app, self-signed with another certificate, to the less monitored third-party app market.

Repackaging is one of the most common malware app generation techniques. More than 80% of samples from the Malware Genome Dataset are repackaged malware variants [4] of legitimate official market apps. Repacking and repackaging techniques can be used to generate a large number of malware variants. They can also be used to generate a number of unseen variants of already known malware. As the signature of each malware variant varies, the commercial anti-malware detect the unseen malware. Repackaging is a big threat as it can pollute the app distribution market places and also hurts the reputation of the third-party developer. Malware authors can divert advertisement revenues by replacing the advertisements of the original developers.

AndroRAT APK Binder [72] repackages and generates a trojanized version of a popular and legitimate app, equipping it with Remote Access functionality. The adversary can remotely force the infected device to send SMS messages, make voice calls, access the device location, record video and/or audio and access the device files using the remote access service.

B. Drive-by Download

An attacker can employ social engineering and aggressive advertisements to incite the user to click a malicious URL and download malware automatically. Optionally, a drive-by download may disguise itself as a legitimate application and coax the user into installing an app. Android/NotCompatible [25] is a notable drive-by download app.

C. Dynamic Payload

An app can also embed a malicious payload as an executable apk/jar, in encrypted or plain format, within the APK resources. Once installed, the app decrypts the payload. If the payload is a jar file, the malware loads it through the DexClassLoader API and executes the dynamic code. Alternatively, it can coax the user into installing the embedded apk by disguising it as an important update. The app can execute native binaries using the Runtime.exec API, an equivalent of the Linux fork()/exec(). The BaseBridge [50] and Anserverbot [50] malware families employ the above-discussed technique. Some malware families do not embed the malicious payload as a resource, but rather download it from the remote server and successfully evade detection. DroidKungFuUpdate [50] is a notable example of dynamically executing app payload. Such techniques go undetected with static analysis methods.

D. Stealth Malware Techniques

Android OS is developed for a resource-constrained environment, keeping in mind the limited battery availability of the underlying smartphone. On-device anti-malware apps cannot perform real-time deep analysis unlike their desktop counterparts. Malware authors exploit these hardware constraints limiting the anti-malware and obfuscate the malicious payloads to thwart the commercial anti-malware. Stealth techniques such as code encryption, key permutations, dynamic loading, reflection code and native code execution remain a matter of concern for signature-based anti-malware solutions. Following the trends of the desktop platform, code obfuscation is also evolving on Android [73], [74]. Obfuscation techniques are implemented for one or more of the following purposes.
• To protect the proprietary algorithm from rivals by making reverse-engineering difficult.
• To protect Digital Rights Management of multimedia resources to reduce piracy.
• Obfuscating the apps makes them compact and thus faster in execution.
Fig. 6. App Repackaging Process.

• To hide already known malware from anti-malware scanners in order to propagate and infect more devices.
• To prevent, or at least delay, human analysts and/or automatic analysis engines from figuring out the actual motive of the unknown malware.

Dalvik bytecode is amenable to reverse-engineering due to the availability of type-safe information such as class/method types, definitions, variables, registers, literal strings and instructions. Code transformation methods can be easily implemented on Dalvik bytecode, optimizing it with a code protection tool such as Proguard [75]. Proguard is an optimization tool that removes unused classes, methods and fields. Meaningful class/method/field/local-variable names are replaced with unreadable code to harden the reverse engineering. Dexguard [76] is a commercial Android code protection tool. It can be used to implement code obfuscation techniques such as class encryption, method merging, string encryption, control flow mangling etc. to protect an app from being reverse-engineered. Code transformation techniques can also be used to hinder malware detection approaches [73], [74]. Faruki et al. [77] proposed an automated Dalvik bytecode transformation framework to generate unseen variants of already known malware with different bytecode obfuscation techniques. In addition, they also evaluated the unseen malware samples against the top commercial anti-malware and static analysis techniques. The authors reported that even trivial transformation techniques can fail the existing commercial anti-malware.

In the following, we cover various code transformation methods used to obfuscate existing known malware and generate a huge number of unseen malware signatures. In fact, code transformation can also be implemented to thwart the disassembly tools [78].

1) Junk Code Insertion and Opcode Reordering: Junk code or no-operation code (nop) insertion is a well-known technique that changes the executable size and evades the anti-malware signature database. Junk code insertion preserves the semantics of the original app. However, it changes the opcode sequence to alter the malware app signature. Opcodes can be re-ordered with goto instructions in between the functions to alter the control flow while preserving the original execution semantics. These methods can be used to evade signature-based or opcode-based detection solutions [73], [74].
2) Package, Class or Method Renaming: An Android app is uniquely identified by its package name. Dalvik bytecode, being type-safe, preserves the class and method names. Many anti-malware use trivial signatures such as the package, class or method names of a known malware as the detection signature [79]. Such trivial transformations can be used to evade anti-malware signature-based detection [74].
3) Altering Control-Flow: Some anti-malware use semantic signatures such as control flow and/or data flow analysis to detect malware variants employing simple transformation techniques [79]. The control flow of a program can be modified with goto instructions or by inserting and calling junk methods. Though trivial, such techniques evade the commercial anti-malware [74].
4) String Encryption: Literal strings like messages, URLs and shell-commands reveal a lot about the app. To prevent such analysis, the plain text strings can be encrypted and made unreadable. Also, each time the string encryption is executed, various encryption methods (or keys) make it difficult to automate the decryption process. In that case, literal strings are only available during code execution. Hence, it evades the static analysis methods.
5) Class Encryption: Important information such as product license-checks, paid downloads and DRM can be hidden by encrypting the entire classes utilizing the above sensitive information [76].
6) Resource Encryption: The content of the resources folder, assets and native libraries can be altered to be unreadable, hence they must be decrypted at runtime [76].
7) Using Reflection APIs: Static analysis methods search for sensitive Android APIs within the malware apps to map the malicious behavior. User apps are permitted Java reflection, allowing
1008 IEEE COMMUNICATION SURVEYS & TUTORIALS, VOL. 17, NO. 2, SECOND QUARTER 2015

the creation of programmatic class instances and/or method sions. App-security and assessment solutions can analyze the
invocation using the literal strings. To identify the exact class components using their definition and bytecode interaction to
or method names, data-flow analysis can be implemented. identify the vulnerabilities [8], [84], [85].
However, the literal strings can be encrypted, making it hard 3) Permission-Based Analysis: Requesting permission to
to automatically search the reflection API. Such techniques can access a sensitive resource is the central design of Android
easily evade static analysis approaches. security model. No application by default has any permis-
sion that can affects user security. Identifying the dangerous
VI. A PPROACHES FOR A SSESSMENT, permission request is not sufficient to declare the malware
A NALYSIS , AND D ETECTION app, but nevertheless, permissions mapping requested and
Android security solutions such as vulnerability assessment, used permissions is an important risk identification technique
malware analysis and detection techniques are divided into: [86], [87].
1) Static; 2) Dynamic and 3) Hybrid. Static analysis methods Sanz Borja et al. [38] used uses − permission and
analyze code without actually running it, hence they are quick, uses − features tags present in AndroidManifest.xml to
but they have to deal with false-positives. Dynamic analysis detect malware apps. Authors utilized machine learning algo-
techniques monitor the executed code and inspect its interaction rithms Naive Bayes, Random Forest, J48 and Bayes-Net on a
with the system. Though time-consuming they are effective dataset of 249 malware and 357 benign apps. In [88] authors
against malware obfuscation. Hybrid approaches leverage the mapped the requested and used permissions from the mani-
good of both the static and dynamic analysis methods. fest and their corresponding API in the dalvik bytecode. The
Security solutions can be categorized as rule-based [80] or mapped attributes were used with the machine learning algo-
feature extraction based machine-learning models [81]. Inap- rithms on 125,249 malware and benign app dataset. Enck et al.
propriate feature selection can degrade the performance of [89] developed a certification tool, Kirin to define a set of rules
model, to generate false-positives (i.e., false detection of benign to identify the combination of specific dangerous permissions to
apps as malware). Moreover, the number of features under the identify malware attributes before installing the app on device.
problem must be small sized and effective as an on device 4) Dalvik Bytecode Analysis: Dalvik bytecode is semanti-
anti-malware solution. Feature reduction methods combined cally rich containing type information such as classes, methods
with statistical measures such as mean, standard deviation, chi- and instructions. The type information can be utilized to verify
square, haar transforms can be used to identify the prominent the app behavior. Detailed analysis based on control and data
attributes responsible for malicious actions. Learning models flow gives an insight into the dangerous functionality such as
can be created by analyzing the features such as processor, privacy leakage and telephony services misuse [30], [80], [90].
memory usage, battery consumption, system call invocation, Control and data flow analysis are also useful to rebuild a
network activity etc. that can be used with the clustering or de-obfuscated bytecode, for example and nullify the effect of
classification algorithms to predict anomalous behavior. trivial transformation techniques [91].
Bytecode control-flow analysis identifies the possible paths
that an application can take while it is executed. Dalvik byte-
A. Static Approach
code contains jump, branch and method invocation instructions
Static analysis based approaches work by just disassembly, that alter execution order. To facilitate further analysis, an intra-
decompilation without actually running it, hence does not infect procedural (i.e., within a single method) or inter-procedural
the device. This approach is undermined by the use of various (i.e., spanning across methods) control-flow bytecode graph
code transformation techniques discussed in this review in (CFG) is generated. Karlsen et al. [91] formalized the Dalvik
Section V-D. bytecode to perform the control-flow analysis based semantic
1) Signature-Based Malware Detection: The existing com- signatures to detect malware apps.
mercial anti-malware use signature based malware detection Bytecode data-flow analysis predicts the possible set of
approaches. It extracts the interesting syntactic or semantic values during the different point of execution. CFG can be
patterns, features [82] and create a unique signature matching used to traverse the possible execution paths to determine the
that particular malware. Signature-based methods fails against control and data dependency. Data-flow analysis is performed
the unseen variants of already existing and known malware. within methods (intra-procedural) or between different methods
Moreover, the signature extraction process being manual, its (inter-procedural level) to improve the approximation of the
efficacy in the wake of exponential unique signature out- desired output. In particular, special data-flow analysis also
break may leave the device vulnerable to malware attacks. known as “constant propagation” is implemented to identify the
Faruki et al. [83] developed AndroSimilar, an automated robust constant arguments of sensitive API calls invoked during the
statistical feature signature based method to detect zero-day app execution. For example, a malware app sending premium
variants of the already known malware. rate SMS to a pre-defined hard coded number can be detected
2) Component-Based Analysis: In order to perform de- with the constant propagation data-flow analysis [80]. Taint
tailed app-security assessment or analysis, an app can analysis another type of data-flow analysis method to identify
be disassembled to extract the important content such as the colored variables holding the sensitive information. For ex-
AndroidManifest.xml, resources and bytecode. Manifest ample, taint analysis can identify privacy leakage which can be
stores important meta-data about such as list of the components used to steal the sensitive user information apps [90]. Sensitive
(i.e., activities, services, receivers etc.) and required permis- API-call tracking within the bytecode can be useful to identify
FARUKI et al.: ANDROID SECURITY: A SURVEY OF ISSUES, MALWARE PENETRATION, AND DEFENSES 1009

malicious behavior [92]. It is also helpful in identifying the app analysis techniques along with machine learning methods are
clones [93]. Zhou et al. [4] utilized the sequence of opcodes used to distinguish the abnormal behavior [81], [107], [108].
in the Dalvik bytecode instructions to identify the repackaged 2) Malicious Behavior Detection: Specific malicious be-
malware apps. haviors like sensitive data leakage, sending SMS/emails, voice
5) Re-Targeting Dalvik Bytecode to Java Bytecode: Avail- calls without user consent can be accurately detected by moni-
ability of number of Java decompilers [94]–[96] and static toring the particular features of interest [109]–[112].
analysis tools based on [97]–[99], has motivated the re- 3) Virtual Machine Introspection: The downside of app be-
searchers to re-target the Dalvik bytecode to the Java bytecode. havior monitoring from an emulator (VM) is, an emulator
Enck et al. [100] developed the ded tool that is used to convert itself is susceptible against the malicious app which defeats
Dalvik bytecode to Java source. Later, they performed static the analysis purpose. To counter this, Virtual Machine Intro-
analysis control-flow, data-flow, on the Java code using Fortify spection approaches can be employed to detect app behavior by
SCA [99] framework. In [101] authors developed Dare tool observing the activities out of the emulator [113].
to convert the Dalvik bytecode to Java bytecode with 99%
accuracy. Bartel et al. [102] developed the Dexpler plugin
for static analysis framework, Soot [97]. Dexpler converts the VII. D EPLOYMENT FOR A SSESSMENT, A NALYSIS ,
Dalvik bytecode into Soot’s internal Jimple code. However, it AND D ETECTION A PPROACHES
is unable to handle the optimized dex (odex) files. Gibler et al. Security assessment, malware analysis and detection meth-
[103] employed ded and dex2jar [104] to convert the Dalvik ods can be deployed at different places, depending on the re-
bytecode into Java bytecode and source code respectively. quirement, from on-device solution to a completely off-device
Authors implemented static analysis WALA [98] framework to or cloud base techniques.
identify the privacy leakage within Android apps on a fairly big
dataset.
A. On-Device
Signature-based malware is simple and efficient. The de-
B. Dynamic Approach tailed assessment and analysis remains constrained on a mo-
bile as compared to the desktop anti-malware analysis. Thus,
Static analysis and detection approaches are quick, they
lightweight risk assessment solutions can be proposed by ana-
fail against the encrypted, polymorphic and code transformed
lyzing the components and permissions as an on device solution
malware. Dynamic analysis methods execute the app in a
[89]. Following are some on device anti-malware limitations.
protected environment, providing all the emulated resources
it needs, thereby learning its interaction identify malicious • Anti-malware apps run as a normal app without any spe-
activities. Some dynamic analysis methods have been imple- cial privileges. As a result, they are also under the purview
mented, but the resource constraints of a smartphone limits of process isolation. Hence, they cannot directly scan other
such execution methods. Android app execution being event app memory, files read/written and private files during the
based with asynchronous multiple entry points, it is important app scanning.
to trigger those events. User Interface (UI) gestures such as • Android permits execution of background app services.
tap, pinch, swipe, keyboard and back/menu key press must be However, it can stop anti-malware app services if it runs
automatically triggered to initiate the app interaction with the out of hardware resources. Similar privileged apps can
device. Android SDK comes is equipped with the monkey [105] force stop an anti-malware app execution with appropriate
tool, to automate some of the above gestures discussed above. privileges.
In order to perform an in-depth monitoring, one may need to • Without acquiring the root privileges, anti-malware app
modify the framework by inserting the tracking code known as cannot create system hooks to monitor the file-system or
Instrumentation. perform network access.
A serious drawback of dynamic approach is that some mali- • Without acquiring root privileges, anti-malware app can-
cious execution path may get missed, if it is triggered according not uninstall any other app. It has to depend upon the user
to some non-trivial event. For example, at a particular time of for removing the app.
the day the malware functionality is executed, but that event
is never executed. Anti-emulation techniques such as Sandbox
B. Distributed (Some Part On-Device, Some Part Off-Device)
[39], [106] detection, timing out the analysis environment,
delaying the malware execution can evade the dynamic analysis On the fly analysis and/or detection can be performed on
methods. Dynamic approaches are divided into the following the device, detailed and computationally expensive analysis
three categories. can be performed at remote server to make anti-malware app
1) Profile-Based Anomaly Detection: Malicious apps may limited-resource friendly. In the case of profile-based anomaly
create Denial of Service (DoS) attacks by over utilizing the detection, resource usage parameters are be collected at the
constrained hardware resources. Range of parameters such client-side and sent back to the remote server for detailed analy-
as CPU usage, memory utilization statistics, network traffic sis. The results can be finally sent back to the device [81], [110].
pattern, battery usage and system-calls for benign and malware However, continuous availability of the Internet bandwidth and
apps are collected from the Android subsystem. Automatic associated cost is a concern. In case of unavailability of network
1010 IEEE COMMUNICATION SURVEYS & TUTORIALS, VOL. 17, NO. 2, SECOND QUARTER 2015

resources, a host-based detection approach can protect the device from malware attack [108].

C. Off-Device
It is important to automate the deep static analysis of a new malware sample to enable human analysts to take quick decisions to identify and mitigate the malware. Such automated deep analysis solutions need computational power and memory. Due to this, they are usually deployed off-device [30], [80], [90], [113].

VIII. STATE-OF-THE-ART TOOLS & TECHNIQUES FOR ANDROID APP ASSESSMENT, ANALYSIS, AND DETECTION
Industry and academia have proposed several solutions for Android malware analysis and detection. In this section, we survey and examine promising reverse-engineering tools and detection approaches. Detection approaches have been classified according to the following: 1) Goal, which can be app-security assessment, analysis and/or malware detection; 2) Methodology, as discussed in Section VI; and 3) Deployment, as discussed in Section VII.

A. Reverse-Engineering Tools
The content of an Android package (APK) is stored in binary format. Before an assessment, analysis or detection task starts, the package has to be disassembled for further processing. There are a number of tools to disassemble and/or decompile an Android app. In the following, we discuss some known reverse-engineering tools considering their strengths.
1) apktool [70] can decode the binary content of an APK into nearly original form in a project-like directory structure. It disassembles the binary resources and converts the bytecode within classes.dex into smali [114] bytecode for easier reading and manipulation. After making changes, it can also repackage the result back into an APK. This tool is one of the best open-source reverse-engineering tools.
2) dex2jar [104] is a disassembler that parses both .dex and optimized dex files, providing a lightweight API to access them. dex2jar can also convert dex to a jar file by retargeting the Dalvik bytecode into Java bytecode for further manipulation. Moreover, it can re-assemble the jar into a .dex after modification.
3) The Dare [115] project aims at retargeting the Dalvik bytecode within classes.dex to traditional .class files using a strong type-inference algorithm. These .class files can be further analyzed using a range of traditional techniques developed for Java applications, including decompilers. Octeau et al. [101] demonstrated that Dare is 40% more accurate than dex2jar.
4) Dedexer [116] disassembles classes.dex into a Jasmin-like syntax and creates a separate file for each class, maintaining the package directory structure for easy reading and manipulation. However, unlike apktool, it cannot re-assemble the disassembled intermediate class files.
5) JEB [117] is a leading professional Android reverse-engineering tool available on Windows, Linux and Macintosh platforms. It is a GUI-based interactive decompiler to analyze the reversed malware app content. App information such as manifest, resources, certificates and literal strings can be examined alongside the Java source, with easy navigation through cross-references. JEB converts Dalvik bytecode directly into Java source by utilizing Dalvik bytecode semantics. Exceptionally, JEB can also de-obfuscate Dalvik bytecode to make the disassembled code more readable than its counterparts [70], [104] do. JEB supports Python scripts or plugins by giving access to the Abstract Syntax Tree (AST) of the decompiled Java code through an API. This feature is helpful in automating custom analysis. In our opinion, it is the best reverse-engineering tool so far.

Fig. 7. Features of Androguard.

B. Androguard
Goal: Risk Assessment, Analysis and Detection
Methodology: Static
Deployment: Off-Device
Illustrated in Fig. 7, Androguard [79] is an open-source static analysis tool that can reverse engineer, disassemble and decompile Android apps. It generates control-flow graphs for each method and provides access through a Python API, on the command line and through a graphical interface. Androguard's Normalized Compression Distance (NCD) approach reliably finds similarities and differences between two suspected clones, which is also helpful to detect repackaged apps. It provides Python APIs to access the disassembled resources and static analysis structures such as basic blocks, control flow and instructions of an APK. An analyst can develop his own static analysis framework using the Python APIs. Some of the features are explained below.
1) App Code Similarity: Androguard finds similarities between two apps by calculating the Normalized Compression Distance between each pair of methods and derives a similarity score between 0 and 100, where 100 means identical apps. It displays IDENTICAL, SIMILAR, NEW, DELETED and SKIPPED methods of the two suspected clones. In the same way, it displays differences between two methods by comparing each pair of basic blocks. More specifically, to calculate the differences between two similar methods, it first converts each unique instruction in a basic block into a string. Then, it applies the Longest
FARUKI et al.: ANDROID SECURITY: A SURVEY OF ISSUES, MALWARE PENETRATION, AND DEFENSES 1011

Common Subsequence algorithm to these strings of the two basic blocks to find the differences between them [118].
2) Risk Indicator: The Risk Indicator calculates a fuzzy risk score for an APK from 0 (low risk) to 100 (high risk). It considers the following parameters:
• Presence of native, reflection, cryptographic and dynamic code in the app.
• Number of executables/shared libraries present in the app.
• Permission requests related to privacy and monetary risks.
• Other Dangerous/SystemOrSignature/Signature permission requests.
3) Signature of Malicious Apps: Androguard manages a database of signatures and provides an interface to add/remove signatures to/from the database. A signature is described in JSON format. It contains a name (or family name), a set of sub-signatures and a Boolean formula to combine the different sub-signatures. The two types of sub-signatures are:
• METHSIM: It contains three parameters, CN (class name), MN (method name) and D (descriptor).
• CLASSSIM: It contains a single parameter, CN (class name).
Thus a sub-signature can be applied to a specific method or to an entire class. Different sub-signatures can be combined with a Boolean formula (BF).

Fig. 8. Architecture of Andromaly.

C. Andromaly
Goal: Anomaly Detection
Methodology: Dynamic
Deployment: Half On-Device, Half Off-Device
In [81], Shabtai et al. proposed a lightweight Android malware detection system based on a machine-learning approach. It performs real-time monitoring to collect various system metrics, such as CPU usage, amount of data transferred through the network, number of active processes and battery usage.
As shown in Fig. 8, Andromaly has four major components:
• Feature Extractors: They collect feature metrics by communicating with the Android kernel and application framework. The Feature Extractors are triggered at regular intervals by the Feature Manager to collect new feature measurements. The Feature Manager may also perform some pre-processing on the raw feature data.
• Processor: It is the analysis and detection unit. It receives the feature vectors from the Main Service, analyzes them, performs a threat assessment and passes the result on to the Threat Weighting Unit (TWU). Processors can be rule-based or knowledge-based classifiers, or anomaly detectors employing machine-learning methods. The TWU applies an ensemble algorithm to the analysis results received from all the processors to derive a final decision on the device infection. The Alert Manager smooths the results to reduce false alarms.
• Main Service: It coordinates feature collection, malware detection and the alert process. It is responsible for requesting new feature measurements, sending the new feature metrics to the processors and receiving the final recommendations from the Alert Manager. Loggers can log information for debugging, calibration and experimentation. The Configuration Manager manages the configuration of the application, for example the active processors, alert threshold and sampling interval. Activating or deactivating processors is taken care of by the Processor Manager. The Operation Mode Manager switches the application from one mode to another, which results in the activation/deactivation of processors and feature extractors; such a change of operation mode is caused by a change in resource levels.

• Graphical User Interface: It interacts with the user to configure application parameters, activate/deactivate the application, alert the user regarding threats and allow exploration of the collected data.
Experiments were carried out using a few categories of artificial malware, thus the working model still needs testing with real malware.

Fig. 9. AndroSimilar Methodology.

D. AndroSimilar
Goal: Malware Detection
Methodology: Static
Deployment: Off-Device (Portable to On-Device too)
In [83], the authors proposed AndroSimilar, an automatic signature generation approach that extracts statistically rare syntactic features for malware detection. Apart from known malware, AndroSimilar is able to detect, with reasonable accuracy, malware obfuscated with techniques such as string encryption, method renaming, junk method insertion and control-flow changes, which are widely used to evade fixed anti-malware signatures; thus it can detect unknown variants of existing malware. The AndroSimilar approach is based on the Similarity Digest Hash (SDHash) [119] used in digital forensics to identify similar documents.
Intuitively, completely unrelated apps should have a low probability of sharing features. When two unrelated apps do share some features, such features should be considered weak, as using them would lead to false positives [120]. Fixed-size byte-sequence features are extracted based on the empirical probability of occurrence of their entropy values; then popular features are searched among them according to their rarity in the neighborhood [119]. Fig. 9 shows the working of AndroSimilar. The steps involved are:
• Submit a Google Play, third-party or obfuscated malicious app as input to AndroSimilar.
• Generate entropy values for every byte sequence of fixed size in the file and normalize these to the range [0, 1000].
• Select statistically robust features according to the similarity digest scheme as representative of the app.
• Store the extracted features in Bloom filters. The sequence of Bloom filters is the signature of the app.
• Compare the signature with the database to detect a match with a known malware family. If the similarity score is beyond a given threshold, mark it as a malicious (or repackaged) sample.
Thus, they generate signatures of known malware families as a representative database. If the similarity score of an unknown app against any existing family signature exceeds a threshold, the app is labeled as malicious. We believe AndroSimilar is a promising approach to detect unseen malware variants.

E. Andrubis
Goal: Malware Analysis and Detection
Methodology: Static and Dynamic
Deployment: Off-Device
Andrubis [121] is a web-based malware analysis platform built upon well-known existing tools: Droidbox [122], TaintDroid [109], apktool [70] and Androguard [79]. Users can submit suspicious apps through the web-based interface. After analyzing the app at the remote server, Andrubis returns detailed static and dynamic analysis reports as a web page. Andrubis also provides an app behavior rating between 0 and 10, where 0 indicates benign and 10 malicious.
To study the Andrubis functionality, a custom SMS-based botnet was uploaded to the Andrubis web service. This research prototype rated the custom SMS bot with a score of 9.9/10. However, none of the commercial anti-malware engines on the VirusTotal portal were able to detect this unseen malware. This demonstrates the effectiveness of the Andrubis behavior rating against zero-day malware. However, Vidas et al. [106] demonstrated that the Andrubis virtual environment can be identified with anti-analysis techniques, exposing the analysis sandbox.

F. APKInspector
Goal: Malware Analysis
Methodology: Static
Deployment: Off-Device
APKInspector [123] is a full-fledged Android static analysis tool consisting of Ded [124], smali/baksmali [114], apktool [70] and Androguard [79]. It provides a rich GUI and has the following features:
• App meta-data
• Analysis of sensitive permissions

• Displays Dalvik bytecode and Java source code
• Displays the control-flow graph
• Displays the call graph, showing call-in and call-out structures
• Static instrumentation support by allowing modification of the smali code

G. Aurasium
Goal: Analysis and Detection
Methodology: Dynamic
Deployment: On-Device
Aurasium [125] is a powerful technique that takes control of the execution of apps by enforcing arbitrary runtime security policies. To do so, Aurasium repackages Android apps with a policy-enforcement module. The Aurasium Security Manager component can apply policies to individual or multiple apps. Any security and privacy violations are reported to the user. Thus, it eliminates the need to modify the Android OS to monitor app behavior. It intervenes when an application accesses sensitive information such as contacts, messages and phone identifiers, or executes shell commands, by asking the user for confirmation.
Aurasium is limited by the fact that it succumbs to stealthy malware: apps can detect its presence through the modified signature and the presence of a predefined native library. A malware app may not reveal its malicious behavior if it identifies the presence of Aurasium, hence avoiding detection. As Aurasium depends on repackaging, it may fail to disassemble (or reassemble) a code-transformed app.

Fig. 10. Crowdroid Architecture.
Fig. 11. Features of Droidbox.
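The AndroSimilar pipeline of Section VIII-D (entropy of every fixed-size byte sequence normalized to [0, 1000], selection of the features that are rare in their neighborhood, a signature made of Bloom filters, and a 0 to 100 comparison score) is easier to reason about in code. The Python below is an added example written for this page; it is neither AndroSimilar's nor sdhash's implementation. It simplifies the sdhash scheme in ways that are assumptions of this example: the rarity table is derived from a single reference sample rather than a precomputed corpus, each 256-bit filter holds 16 features, and two filters are scored by the fraction of set bits they share. The three inputs are constructed byte strings standing in for classes.dex files, not real apps.

```python
"""Simplified sdhash-style similarity digest in the spirit of AndroSimilar.
Added example for this survey; not AndroSimilar's or sdhash's code."""
import hashlib
import math
import random
from collections import Counter

FEATURE_LEN = 64    # fixed-size byte sequence that forms one feature
NEIGHBORHOOD = 16   # a feature is kept only if it is the rarest among +/- 16 neighbors
MIN_ENTROPY = 100   # near-constant features (zero padding, tables) carry no information
FILTER_BITS = 256   # Bloom filter size in bits
FILTER_CAP = 16     # features stored per Bloom filter before a new one is started
HASHES = 5          # hash functions (16-bit slices of SHA-256) per feature


def norm_entropy(chunk: bytes) -> int:
    """Shannon entropy of the chunk normalized to [0, 1000]; 8 bits/byte maps to 1000."""
    n = len(chunk)
    h = -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())
    return round(h / 8 * 1000)


def feature_entropies(data: bytes) -> list:
    """Entropy of every FEATURE_LEN-byte window at stride 1."""
    return [norm_entropy(data[i:i + FEATURE_LEN]) for i in range(len(data) - FEATURE_LEN + 1)]


def build_rank_table(reference: bytes) -> dict:
    """Empirical probability of each entropy value (low = rare). sdhash ships a table
    precomputed from a corpus; here (assumption) one reference file provides it."""
    ent = feature_entropies(reference)
    return {e: c / len(ent) for e, c in Counter(ent).items()}


def select_features(data: bytes, rank_table: dict) -> list:
    """Keep features whose entropy value is the rarest within their neighborhood;
    these are the features least likely to be shared by unrelated apps."""
    ent = feature_entropies(data)
    prob = [rank_table.get(e, 0.0) for e in ent]   # a never-seen value counts as rarest
    selected = []
    for i, e in enumerate(ent):
        if e < MIN_ENTROPY:
            continue
        lo, hi = max(0, i - NEIGHBORHOOD), min(len(ent), i + NEIGHBORHOOD + 1)
        if prob[i] == min(prob[lo:hi]):
            selected.append(data[i:i + FEATURE_LEN])
    return selected


def bloom_add(bits: int, feature: bytes) -> int:
    """Set HASHES bits of the filter for one feature."""
    h = hashlib.sha256(feature).digest()
    for k in range(HASHES):
        bits |= 1 << (int.from_bytes(h[2 * k:2 * k + 2], "big") % FILTER_BITS)
    return bits


def digest(data: bytes, rank_table: dict) -> list:
    """Signature = sequence of Bloom filters holding FILTER_CAP features each."""
    filters, cur, n = [], 0, 0
    for feat in select_features(data, rank_table):
        cur, n = bloom_add(cur, feat), n + 1
        if n == FILTER_CAP:
            filters.append(cur)
            cur, n = 0, 0
    if n:
        filters.append(cur)
    return filters


def filter_similarity(a: int, b: int) -> float:
    """Fraction of set bits the two filters have in common."""
    return bin(a & b).count("1") / max(bin(a).count("1"), bin(b).count("1"), 1)


def similarity(sig_a: list, sig_b: list) -> int:
    """Score 0..100: each filter of A is matched with its most similar filter of B."""
    if not sig_a or not sig_b:
        return 0
    best = [max(filter_similarity(a, b) for b in sig_b) for a in sig_a]
    return round(100 * sum(best) / len(best))


def make_sample(seed: int, strings: list, junk: bytes = b"") -> bytes:
    """Constructed stand-in for a classes.dex: string table, zero padding, high-entropy
    code, then `junk` (what a repackager appends) and the rest of the string table."""
    rnd = random.Random(seed)
    table = b"\x00".join(rnd.choice(strings) for _ in range(140))
    code = bytes(rnd.getrandbits(8) for _ in range(2400))
    return table[:1600] + b"\x00" * 200 + code + junk + table[1600:]


NOTES_STRINGS = [b"Lcom/example/notes/MainActivity;", b"Lcom/example/notes/NoteStore;",
                 b"saveNote", b"loadNotes", b"Landroid/widget/EditText;", b"onResume"]
GAME_STRINGS = [b"Lcom/other/game/Board;", b"Lcom/other/game/Tile;", b"computeScore",
                b"swapTiles", b"Landroid/graphics/Canvas;", b"onDraw"]

ORIGINAL = make_sample(1, NOTES_STRINGS)
VARIANT = make_sample(1, NOTES_STRINGS, junk=b"Lcom/junk/Pad;->noop()V\x00" * 6)
UNRELATED = make_sample(2, GAME_STRINGS)
RANK = build_rank_table(ORIGINAL)
SIG_ORIGINAL, SIG_VARIANT, SIG_UNRELATED = (digest(x, RANK) for x in (ORIGINAL, VARIANT, UNRELATED))

if __name__ == "__main__":
    print("original vs itself   :", similarity(SIG_ORIGINAL, SIG_ORIGINAL))
    print("original vs variant  :", similarity(SIG_ORIGINAL, SIG_VARIANT))
    print("original vs unrelated:", similarity(SIG_ORIGINAL, SIG_UNRELATED))
```

The repackaged variant scores far above the unrelated app because every window outside the spliced junk keeps its content and its neighborhood, so the same rare features are selected and the Bloom filters built before the junk are bit-for-bit identical; only the filters after the insertion point are shifted. The unrelated app still scores a few dozen points from chance bit overlap, which is why a threshold, rather than any non-zero score, decides a match.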

H. Bouncer
Goal: Malware Detection
Methodology: Dynamic
Deployment: Off-Device
Google protects its own app store, Google Play, with a system called Bouncer. It is a virtual-machine-based dynamic analysis platform that tests apps uploaded by third-party developers before making them available to users for download. It executes the app to look for any malicious behavior and also compares it against previously analyzed malicious apps. Though no documentation of its internal functioning is available, Oberheide et al. [39] presented their analysis of the Bouncer environment by implementing a custom command-and-control app. Dynamic code loading techniques can evade Bouncer's scrutiny [126].

I. CopperDroid
Goal: Malware Analysis and Detection
Methodology: Dynamic
Deployment: Off-Device
Reina et al. proposed CopperDroid [107], a system that performs system-call-centric dynamic analysis of Android apps using Virtual Machine Introspection. To address the path-coverage problem, it supports the stimulation of events according to the specification present in the app manifest file. The authors have shown through experimentation that system-call-centric analysis can effectively detect malicious behavior. They have also provided a web interface for other users to analyze apps [127]. However, Vidas et al. [106] demonstrate the identification of CopperDroid's virtual environment by employing advanced anti-analysis techniques.

J. Crowdroid
Goal: Malware Detection
Methodology: Dynamic
Deployment: Half On-Device, Half Off-Device
Crowdroid [110] is a behavior-based malware detection system (see Fig. 10). It has two components: a crowd-sourcing app that needs to be installed on user devices, and a remote server for malware detection. The crowd-sourcing app sends the behavioral data (i.e., system-call details) in the form of an application log file to the remote server. strace, a system utility present on the device, is used to collect the system-call details of the apps. The application log file consists of basic device information, the list of installed applications and the behavioral data. At the remote server, this data is processed to create feature vectors, which are then analyzed by 2-means partition clustering to predict the app as either benign or malicious. An app report is generated and stored in the database of the remote server.
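As an added example (not Crowdroid's code), the Python below reproduces the server-side step on constructed strace output: it counts system calls per app, aligns the counts into feature vectors over every call name seen in the crowd, partitions the vectors with 2-means and reports the minority cluster as suspicious. Two details are assumptions made for this example rather than facts from the Crowdroid paper: k-means is seeded with the two most distant traces so the run is deterministic, and the smaller cluster is taken to be the malicious one. The trace text is constructed in the format strace prints; it was not captured from a device.

```python
"""Crowdroid-style server-side step: strace logs -> system-call count vectors ->
2-means partitioning. Added example, not Crowdroid's own code; the traces are
constructed for illustration, not captured from devices."""
import math
import re
from collections import Counter

# strace emits one call per line, `name(args) = result`, optionally prefixed with `[pid N]`.
# Signal and exit notices (`--- SIGCHLD ... ---`, `+++ exited with 0 +++`) do not match.
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z_][a-z0-9_]*)\(")

BENIGN_TRACE = (
    'ioctl(13, 0xc0186201, 0xbe9f1a40)  = 0\n'
    'clock_gettime(CLOCK_MONOTONIC, {1234, 567000})  = 0\n'
    'read(7, "\\x01\\x00\\x00\\x00", 4)  = 4\n'
    'write(7, "\\x01\\x00\\x00\\x00", 4)  = 4\n'
    'mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)  = 0xb6f1e000\n'
    'munmap(0xb6f1e000, 4096)  = 0\n'
)
EXFIL_TRACE = (  # the kind of burst a contacts/IMEI-stealing bot produces
    'socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)  = 21\n'
    'connect(21, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("203.0.113.7")}, 16)  = 0\n'
    'sendto(21, "imei=...&contacts=...", 512, 0, NULL, 0)  = 512\n'
    'recvfrom(21, "OK", 2, 0, NULL, NULL)  = 2\n'
)
TRACES = {
    "com.example.notes": BENIGN_TRACE * 5 + "+++ exited with 0 +++\n",
    "com.example.clock": BENIGN_TRACE * 4 + "getuid32()  = 10052\n",
    "com.example.reader": BENIGN_TRACE * 6,
    "com.example.tiles": BENIGN_TRACE * 5 + '[pid  4242] write(7, "save", 4)  = 4\n',
    "com.evil.wallpaper": BENIGN_TRACE * 2 + EXFIL_TRACE * 6,
    "com.evil.flashlight": BENIGN_TRACE + EXFIL_TRACE * 7,
}


def syscall_counts(strace_text: str) -> Counter:
    """Count system calls by name in one app's strace log."""
    counts = Counter()
    for line in strace_text.splitlines():
        m = SYSCALL_RE.match(line.strip())
        if m:
            counts[m.group(1)] += 1
    return counts


def feature_vectors(counts_by_app: dict):
    """Align every app's counts over the union of call names seen in the crowd."""
    names = sorted(set().union(*(c.keys() for c in counts_by_app.values())))
    return names, {app: [c.get(n, 0) for n in names] for app, c in counts_by_app.items()}


def distance(a: list, b: list) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def two_means(vectors: dict, max_rounds: int = 50) -> dict:
    """Lloyd's k-means with k=2. Seeding with the two most distant traces is an
    assumption made here to keep the run deterministic."""
    apps = list(vectors)
    pts = [vectors[a] for a in apps]
    i0, j0 = max(((i, j) for i in range(len(pts)) for j in range(i + 1, len(pts))),
                 key=lambda ij: distance(pts[ij[0]], pts[ij[1]]))
    centroids = [pts[i0][:], pts[j0][:]]
    labels = [-1] * len(pts)
    for _ in range(max_rounds):
        new = [0 if distance(p, centroids[0]) <= distance(p, centroids[1]) else 1 for p in pts]
        if new == labels:
            break
        labels = new
        for c in (0, 1):
            members = [p for p, l in zip(pts, labels) if l == c]
            if members:
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return dict(zip(apps, labels))


def flag_suspicious(traces: dict) -> list:
    """Apps in the minority cluster are reported (assumption: most crowd traces are benign)."""
    _, vectors = feature_vectors({app: syscall_counts(t) for app, t in traces.items()})
    labels = two_means(vectors)
    minority = min((0, 1), key=lambda c: sum(1 for l in labels.values() if l == c))
    return sorted(app for app, l in labels.items() if l == minority)


if __name__ == "__main__":
    print("suspicious:", flag_suspicious(TRACES))
```

Raw counts are used as features, so a long benign session can drift away from shorter ones; this is the mechanism behind the false positives the text reports for active apps, and normalizing each vector by its total call count is the obvious first mitigation.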

Results of Crowdroid are accurate for self-written malware and promising for some of the real malware. If the malware is very active, there can be a large difference in system calls, which helps detection. But it also suffers from false positives, as demonstrated by the authors using Monkey Jump 2, an app carrying the HongTouTou malware.
A limitation of Crowdroid is that the crowd-sourcing app must always be running for monitoring, which can drain the available device resources. Also, this technique is yet to be tested on the known malware families to ascertain its effectiveness.

K. Droidbox
Goal: Taint Analysis and Monitoring
Methodology: Dynamic
Deployment: Off-Device
Droidbox [122], as illustrated in Fig. 11, is a dynamic analysis tool developed on top of TaintDroid [109]. It modifies the Android framework for API-call analysis. Fig. 11 displays the static and dynamic analysis operations of Droidbox. App analysis begins with static pre-checking, which includes parsing permissions, activities and receivers. The app under analysis is then executed in an emulated environment to perform taint analysis and API monitoring. Taint analysis involves labeling (tainting) private and sensitive data and following it as it propagates through program variables, files and inter-process communication. Taint analysis keeps track of tainted data that leaves the system through the network, file(s) or SMS, and of the transmitting app responsible for the exfiltration. API monitoring involves logging API calls with their parameters and return values. The results consist of the following:
• App hash values
• Network data transferred or received
• File read and write operations
• Data leaks
• Circumvented permissions
• Broadcast receivers
• Services started and classes loaded through DexClassLoader
• SMS sent and calls dialed
• Cryptographic operations implemented with the Android API
• Temporal order of operations
• Tree-map for similarity analysis
Limitation: Droidbox can only monitor the tasks performed within the Android framework. If native code leaks the sensitive data, the existing system cannot detect it and hence the data is exfiltrated without the user's knowledge.

Fig. 12. DroidMOSS Methodology.
Fig. 13. Working of Drozer.

L. DroidMOSS
Goal: Repackaged App Detection
Methodology: Static
Deployment: Off-Device
DroidMOSS [4] is an app repackaging detection prototype employing semantic file similarity measures. More specifically, it extracts the DEX opcode sequence of an app and generates a fuzzy hashing [128] signature from the opcode sequence.

It also adds developer certificate information, mapped into a unique 32-bit identifier, to the signature. The features of a suspected app are verified against the original apps using the edit-distance algorithm to compute the similarity score. The proposed approach is illustrated in Fig. 12.
The intuition behind DroidMOSS using the opcode feature is that it may be easy for adversaries to modify operands, but very hard to change the actual opcodes [4]. This approach has several disadvantages. First, it only considers DEX bytecode, ignoring native code and app resources. Second, the opcode sequence does not carry high-level semantic information and hence generates false negatives. A smart adversary can easily evade the DroidMOSS prototype using code transformation techniques such as inserting junk bytecode, restructuring methods and altering the control flow.
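DroidMOSS (fuzzy hash over the DEX opcode sequence, compared by edit distance) and Androguard's App Code Similarity from Section VIII-B.1 (normalized compression distance between methods) both measure how close two opcode streams are, and both are tested by the junk-bytecode insertion the paragraph above names as an evasion. The Python below is an added illustration of the two measures; it is not the code of either tool. The context-triggered piecewise hash with a 4-opcode rolling window, the 16-bit piece symbols and the use of zlib as the compressor for NCD are choices made for this example, and the opcode sequences are constructed rather than extracted from real apps.

```python
"""Two opcode-sequence similarity measures: a context-triggered piecewise (fuzzy)
hash compared by edit distance, as DroidMOSS does, and the normalized compression
distance Androguard uses. Added example; not the code of either tool."""
import hashlib
import random
import zlib

WINDOW = 4          # opcodes that feed the rolling hash deciding piece boundaries
BLOCK_SIZE = 6      # average piece length in opcodes (the trigger fires with probability 1/6)


def piece_hash(tokens: list) -> int:
    """16-bit symbol for one piece (assumption; ssdeep-style hashes use base64 symbols)."""
    return int.from_bytes(hashlib.sha1(" ".join(tokens).encode()).digest()[:2], "big")


def fuzzy_hash(opcodes: list) -> list:
    """Cut the opcode stream where a rolling hash over the last WINDOW opcodes hits a
    trigger value. Because the trigger depends only on local context, an insertion
    disturbs the pieces around it and later boundaries re-synchronize."""
    pieces, current = [], []
    for i, op in enumerate(opcodes):
        current.append(op)
        context = " ".join(opcodes[max(0, i - WINDOW + 1):i + 1]).encode()
        if zlib.crc32(context) % BLOCK_SIZE == BLOCK_SIZE - 1:
            pieces.append(piece_hash(current))
            current = []
    if current:
        pieces.append(piece_hash(current))
    return pieces


def edit_distance(a: list, b: list) -> int:
    """Levenshtein distance between two symbol sequences (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]


def fuzzy_similarity(h1: list, h2: list) -> int:
    """DroidMOSS-style 0..100 score: 100 means identical fuzzy hashes."""
    if not h1 and not h2:
        return 100
    return round(100 * (1 - edit_distance(h1, h2) / max(len(h1), len(h2))))


def ncd(seq_a: list, seq_b: list) -> float:
    """Normalized compression distance: near 0 for identical inputs (a real compressor
    never reaches exactly 0), about 1 for unrelated ones. zlib stands in for the compressor."""
    a, b = (" ".join(s).encode() for s in (seq_a, seq_b))
    ca, cb, cab = (len(zlib.compress(x, 9)) for x in (a, b, a + b))
    return (cab - min(ca, cb)) / max(ca, cb)


def ncd_score(seq_a: list, seq_b: list) -> int:
    """Androguard-style 0..100 similarity derived from the NCD."""
    return max(0, round(100 * (1 - ncd(seq_a, seq_b))))


# Constructed opcode streams standing in for a method's Dalvik opcodes (not real apps).
_rnd = random.Random(2015)
_VOCAB_A = ["const/4", "invoke-virtual", "move-result", "if-eqz", "iget-object", "invoke-static",
            "move-result-object", "const-string", "return-void", "new-instance", "invoke-direct"]
_VOCAB_B = ["aget", "aput", "goto", "cmp-long", "sput-object", "mul-int", "packed-switch",
            "return", "shl-int", "div-int/2addr", "xor-int"]
ORIGINAL = [_rnd.choice(_VOCAB_A) for _ in range(150)]
UNRELATED = [_rnd.choice(_VOCAB_B) for _ in range(150)]
JUNK = ["nop", "const/4", "nop", "add-int/lit8", "nop"]          # junk a repackager inserts
VARIANT = ORIGINAL[:60] + JUNK * 3 + ORIGINAL[60:]               # same method plus 15 junk opcodes

if __name__ == "__main__":
    for name, other in (("itself", ORIGINAL), ("junk-inserted variant", VARIANT), ("unrelated", UNRELATED)):
        print(f"{name:22s} fuzzy={fuzzy_similarity(fuzzy_hash(ORIGINAL), fuzzy_hash(other)):3d}"
              f"  ncd={ncd(ORIGINAL, other):.2f}  ncd_score={ncd_score(ORIGINAL, other)}")
```

Fifteen junk opcodes in one place cost the fuzzy hash only the handful of pieces around the insertion, so the variant still scores well above the unrelated method; the same junk spread over every basic block, or a reordering of the blocks, would break far more piece boundaries, which is exactly the weakness the paragraph above describes. NCD degrades more gracefully because the compressor still finds the long shared runs, at the price of being far slower than comparing two short hashes.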

Fig. 14. Taint propagation in TaintDroid.


M. DroidScope
Goal: Analysis
Methodology: Dynamic
Deployment: Off-Device
DroidScope [113] is a Virtual Machine Introspection (VMI) based dynamic analysis framework for Android. Unlike other dynamic analysis platforms, it stays outside the emulator and reconstructs the OS-level and Dalvik-level semantics from there. Hence, even privilege escalation attacks on the Android kernel can be detected. It also makes the attacker's task of disrupting the analysis difficult. DroidScope is built upon the QEMU emulator with a rich set of APIs to customize the malware analysis prototype. The Android malware families DroidKungFu and DroidDream were analyzed and detected with this technique. However, DroidScope's effectiveness against other malware families remains to be tested.

N. Drozer
Goal: Risk Assessment using Exploitation
Methodology: Static and Dynamic
Deployment: Half On-Device, Half Off-Device
Drozer [129] is a comprehensive attack and security assessment framework for Android devices, available as an open-source and a professional version. It allows security teams to remotely exploit Android devices to identify vulnerabilities and threats in the Android OS. Fig. 13 displays the Drozer functionality. The features supported by Drozer are:
• It installs an Agent app on the device, which executes exploitation modules using the Java Reflection API. On the server side, one can create custom modules in Python and send them to the Agent app to perform exploitation activities on the device.
• It can interact with the Dalvik VM to discover installed packages and related app components. It also allows interaction with app components such as services, content providers and broadcast receivers to identify vulnerabilities.
• It can create a shell to remotely interact with the Android OS.
• It is capable of generating known exploits taking advantage of already-known rooting vulnerabilities.

O. Kirin
Goal: Risk Assessment
Methodology: Static
Deployment: On-Device
In [89], the authors proposed a security policy enforcement mechanism, Kirin, an on-device app vetting framework. Kirin defines a set of rules based on combinations of certain dangerous permissions requested by an app. If an app fails to satisfy the Kirin security rules, its installation is prevented. Thus, the proposed approach decides on the user's behalf, based on the set of rules.

P. TaintDroid
Goal: Taint Analysis
Methodology: Dynamic and Android Instrumentation
Deployment: Off-Device
TaintDroid [109] extends the Android platform to track privacy-sensitive information leakage in third-party developer apps. The sensitive data is automatically tainted (or labeled) in order to keep track of whether the labeled data leaves the device. When sensitive data leaves the system, TaintDroid records the label of the data and the app that sent it, along with its destination address.
Taint propagation is tracked at four levels of granularity: 1) variable level, 2) method level, 3) message level and 4) file level. Variable-level tracking uses variable semantics, which provides the necessary context to avoid taint explosion (over-propagation). In message-level tracking, taint is tracked on whole messages to limit the IPC overhead. Method-level tracking is used for Android native libraries that are not directly accessible to apps but only through the modified firmware. Lastly, file-level tracking ensures the integrity of file-access activities by checking whether taint markings are retained.
Let us consider the working of TaintDroid where data of one trusted app is accessed by some untrusted app and sent over the network. This scenario is displayed in Fig. 14. First, the information of the trusted app is labeled according to its context. A native method interfaces with the Dalvik VM interpreter to store the taint markings in a virtual taint map.

TABLE I
SUMMARY OF ASSESSMENT, ANALYSIS AND DETECTION TOOLS FOR THE ANDROID PLATFORM ACCORDING TO THEIR GOAL, METHODOLOGY AND DEPLOYMENT. * INDICATES A WEB-BASED INTERFACE

Every interpreter simultaneously propagates the taint tags according to data-flow rules. The Binder library of TaintDroid is modified to ensure that the tainted data of the trusted application is sent as a parcel carrying a taint tag that reflects the combined taint markings of all the contained data. The kernel transfers this parcel transparently to the Binder library instance of the untrusted app. There the taint tag is retrieved from the parcel and applied to all the contained data by the Binder library instance. The Dalvik bytecode interpreter forwards these taint tags along with the requested data to the untrusted app component. When that app calls a taint sink (for example, the network library), the sink retrieves the taint tag and reports the activity as a potential privacy leak.

Q. Other Promising Techniques
Third-party app developers earn revenue on free apps by using in-app advertisement libraries. A number of advertising agencies provide advertisement libraries to app developers for inclusion in their apps, so that they earn revenue through targeted advertising. AdRisk [130] detected a few aggressive ad libraries performing targeted advertising at the cost of user privacy. There have been instances of ad-affiliate networks being classified as suspicious due to either targeted advertisement inclusions or serving malicious advertisements that compromise user security [3]. Thus, it is equally important to detect such ad libraries within an app to make an informed decision. AdDetect [131] is a promising semantic approach that detects the presence of in-app ad libraries with reasonable accuracy compared to existing approaches.
Damopoulos et al. [108] proposed a combination of host- and cloud-based Intrusion Detection Systems (IDS). In particular, the authors highlight the importance of such a system to protect the smartphone when network resource availability is low, in which case it performs host-based detection. If the device battery is running low, the prototype instead opts for cloud-based detection to leverage the practically unlimited processing power and memory. In [132], the authors propose an indoor navigation system for visually impaired people in various lighting conditions.

TABLE II
SUMMARY OF WEB-BASED ANDROID MALWARE ANALYSIS INTERFACES EMPLOYING A DYNAMIC OR A HYBRID ASSESSMENT APPROACH

The proposed prototype PERCEPT-V, a smartphone-based UI, employs visual tags with a sampling algorithm across different environments, lighting, ambience and usage angles.
Vidas et al. [106] proposed a system to identify the emulated Android environment based on differences in behavior, performance evaluation, presence/absence of smartphone hardware and functionality-based software capabilities. Such a system highlights the importance of employing anti-anti-analysis techniques in the sandbox environment. Faruki et al. [133] proposed a platform-neutral anti-anti-emulation sandbox to detect stealthy Android malware. The authors also propose a machine-learning model to predict resource hoggers. Moreover, in [134], the authors proposed a novel solution based on a behavior-triggering stochastic model to detect targeted and advanced malware.
SMS Trojans capable of sending messages to premium-rate numbers are growing to maximize monetary benefits. Elish et al. [111] devised a static anomaly detection method to identify illegitimate data dependency between the arguments of user-input callbacks and sensitive functions. Using this approach, they demonstrated the detection of some Android malware that sends messages without the user's knowledge or consent. However, their approach does not take into account asynchronous APIs in Android such as inter-component communication, and hence fails to detect sophisticated SMS Trojans such as Dendroid [135]. AsDroid [112] is another interesting static analysis tool that detects stealthy behavior by finding a semantic mismatch between the user-interface text and the corresponding use of sensitive features.
Portokalidis et al. [53] proposed an alternative off-device malware detection approach by cloning the smartphone state at a remote server. The remote server can have high computing power, more memory and an uninterrupted power supply to execute multiple detection techniques in parallel. The proposed prototype is scalable, practical and incurs a low network overhead. In [136], the authors proposed a comparison framework for different dynamic analysis sandboxes to identify the limitations among the known web-based automatic malware analysis frameworks. The authors concluded that the existing sandbox approaches fail against advanced and targeted malware. However,

Fig. 15. A Proposed Hybrid Approach for Android Malware Analysis, malware app detection.

Faruki et al. [133] proposed a transparent, scalable and An- gains have prompted malware authors to employ various attack
droid version invariant sandbox to detect the advanced Android vectors to target Android. Due to large increase in unique mal-
threats. ware app signature(s) and limited capabilities within Android
Rattazi et al. [137] proposed a systematic approach that iden- environment, signature based methods are not sufficient against
tifies the critical places where access controls are not present or unseen, cryptographic and transformed code. Researchers have
do not properly identify the subject and object of a decision. proposed various behavioral approaches to guard the central-
Authors performed specific experiments to test their hypothesis ized app markets as malware authors are targeting easy-to-
and concluded that the newer capabilities still need to mature to reach-user online distribution mechanism. In this survey, we
be used as sharing environments on mobile Internet devices. Petsas et al. [138] demonstrate advanced malware apps that detect virtual/emulated environments in order to hinder dynamic analysis. The authors patched existing malware apps with anti-analysis features to demonstrate the weakness of the majority of existing frameworks, already discussed in [127], [139]–[143]. Faruki et al., however, proposed an Android platform-invariant sandbox to uncover advanced malware that defeats the existing web-based analysis sandboxes discussed above.

R. Comparison of Web Based Analysis Sandbox

Here, we discuss sandbox prototypes implemented and made available as web services to help a human analyst keep pace with the exponential increase in Android malware. Andrubis and CopperDroid are implemented on top of TaintDroid and DroidBox, a privacy-leakage detection approach and a dynamic analysis technique, respectively. Table II compares the various web-based sandbox approaches used by researchers to test and automate malware analysis. Mobile Sandbox is an automated malware analysis and detection approach incorporating native code analysis, a facility not available in the other existing prototypes. DroidAnalyst is an anti-anti-analysis sandbox designed to detect environment-reactive malware; it also classifies apps as resource hoggers based on the data transmitted/received. The approaches built on TaintDroid or DroidBox have to modify the Android version they run on, whereas DroidAnalyst is an Android platform-neutral sandbox.

IX. CONCLUSION AND DISCUSSION

Android is a core delivery platform providing ubiquitous services for the connected smartphone paradigm, thus monetary

[...] discussed the Android security architecture and its issues, malware penetration, and stealth techniques. In Section VI we discussed the static and dynamic approaches to malware analysis and detection. Both approaches can be used separately, but each has its own limitations. Static analysis can be thwarted by the encryption and/or transformation techniques discussed in Section V-D. Dynamic analysis can be evaded by the several anti-emulation techniques covered in Section VI-B. We also covered prominent malware analysis and detection approaches, summarized in Table I according to their goal, methodology, and deployment. The summary shows that no single solution addresses every issue. To tackle the wide variety of new malware, a comprehensive evaluation framework incorporating robust static and dynamic methods can be proposed for the Android platform.

Manual analysis has become infeasible due to the exponential increase in the number of unknown malware samples. Based on the current review, this paper proposes an automated, hybrid approach to Android malware analysis. The architecture of the proposed approach, shown in Fig. 15, is our future research direction. As illustrated, the APK file is first dissected by the static analysis module. If static analysis fails against encrypted code, the dynamic analysis module performs behavioral detection. Static and dynamic analysis will be used to generate app activity reports that enable a malware analyst to identify the suspicious sample. Finally, we conclude by highlighting the fact that hybrid detection approaches are gaining prominence in malware analysis.

APPENDIX

See Listing 1.
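The static-first, dynamic-on-failure pipeline proposed in the conclusion (Fig. 15) and the component declarations of Listing 1, as an added example that is not the paper's or DroidAnalyst's code: a Python static stage that parses a decoded manifest for permissions and exported components, flags runtime class loading and high-entropy files as signs of encrypted code, and routes such samples to the dynamic module. The in-memory APK, its manifest, the marker list and the entropy threshold are constructed for the demo; a real APK carries a binary-XML manifest that would first have to be decoded with a tool such as apktool.

```python
import hashlib
import io
import math
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace prefix of android:* attributes in AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Real Dalvik descriptors hinting at code loaded or decrypted at runtime (our choice of markers).
RUNTIME_LOADING_MARKERS = (b"Ldalvik/system/DexClassLoader;", b"Ljavax/crypto/Cipher;")
# Constructed threshold in bits/byte: plain DEX sits far below it, ciphertext close to 8.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 means uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_manifest(xml_bytes: bytes) -> dict:
    """Package, permissions and declared components of a decoded (plain-text) manifest."""
    root = ET.fromstring(xml_bytes)
    app = root.find("application")
    components, exported = {}, []
    for kind in ("activity", "service", "receiver", "provider"):
        names = []
        for elem in ([] if app is None else app.iter(kind)):
            name = elem.get(ANDROID_NS + "name")
            names.append(name)
            flag = elem.get(ANDROID_NS + "exported")
            # Classic default: a component with an <intent-filter> is reachable by
            # other apps unless android:exported="false" is set explicitly.
            if flag == "true" or (flag is None and elem.find("intent-filter") is not None):
                exported.append(name)
        components[kind] = names
    return {
        "package": root.get("package", ""),
        "permissions": [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")],
        "components": components,
        "exported": exported,
    }


def static_stage(apk_bytes: bytes) -> dict:
    """Static module: dissect the APK, then route the sample to 'static' or 'dynamic'."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        report = parse_manifest(apk.read("AndroidManifest.xml"))
        dex = apk.read("classes.dex")
        hits = [m.decode() for m in RUNTIME_LOADING_MARKERS if m in dex]
        if hits:
            reasons.append("runtime loading/decryption API: " + ", ".join(hits))
        # Encrypted payloads usually hide under assets/ or as an extra dex file.
        for info in apk.infolist():
            if info.filename.startswith("assets/") or info.filename.endswith(".dex"):
                ent = shannon_entropy(apk.read(info.filename))
                if ent > ENTROPY_THRESHOLD:
                    reasons.append(f"high-entropy file {info.filename} ({ent:.2f} bits/byte)")
    report["reasons"] = reasons
    # Escalate to the behavioral module only when something hides code from static view.
    report["route"] = "dynamic" if reasons else "static"
    return report


def build_sample_apk(packed: bool) -> bytes:
    """Constructed in-memory APK (a zip) for the demo; not a real application."""
    manifest = b"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Demo">
        <activity android:name=".MainActivity">
            <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
        </activity>
        <service android:name=".SyncService" android:exported="false"/>
        <receiver android:name=".SmsReceiver">
            <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
        </receiver>
    </application>
</manifest>"""
    # Plain dex stand-in: magic plus repeated readable descriptors (low entropy).
    dex = b"dex\n035\x00" + b"Lcom/example/demo/MainActivity;" * 64
    # Deterministic stand-in for an encrypted blob: 256 SHA-256 digests (~8 bits/byte).
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", manifest)
        if packed:  # stub loader plus the blob it would decrypt at runtime
            apk.writestr("classes.dex", dex + b"Ldalvik/system/DexClassLoader;")
            apk.writestr("assets/payload.bin", blob)
        else:
            apk.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for packed in (False, True):
        rep = static_stage(build_sample_apk(packed))
        print(rep["package"], rep["exported"], "->", rep["route"], rep["reasons"])
```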

Listing 1. AndroidManifest.xml snippet with declared components.

REFERENCES

[1] G. Inc., Android Smartphone Sales Report, 2013, (Online; Last Accessed Mar. 17, 2014). [Online]. Available: http://www.gartner.com/newsroom/id/2665715
[2] Android Malware Genome Project, (Online; Last Accessed Feb. 11, 2014). [Online]. Available: http://www.malgenomeproject.org/
[3] C. A. Castillo, “Android malware past, present, future,” Mobile Working Security Group McAfee, Santa Clara, CA, USA, Tech. Rep., 2012.
[4] W. Zhou, Y. Zhou, X. Jiang, and P. Ning, “Detecting repackaged smartphone applications in third-party android marketplaces,” in Proc. 2nd ACM CODASPY, New York, NY, USA, 2012, pp. 317–326. [Online]. Available: http://doi.acm.org/10.1145/2133601.2133640
[5] AppBrain, Number of applications available on Google Play, (Online; Last Accessed Oct. 10, 2014). [Online]. Available: http://www.appbrain.com/stats/number-of-android-apps
[6] Google Bouncer: Protecting the Google Play market, (Online; Last Accessed Oct. 15, 2013). [Online]. Available: http://blog.trendmicro.com/trendlabs-security-intelligence/a-lookat-google-bouncer/
[7] Android and security: Official mobile google blog, (Online; Last Accessed Oct. 15, 2013). [Online]. Available: http://googlemobile.blogspot.in/2012/02/android-and-security.html
[8] E. Chin, A. P. Felt, K. Greenwood, and D. Wagner, “Analyzing inter-application communication in Android,” in Proc. 9th Int. Conf. MobiSys, New York, NY, USA, 2011, pp. 239–252. [Online]. Available: http://doi.acm.org/10.1145/1999995.2000018
[9] PandaApp, (Online; Last Accessed Mar. 1, 2014). [Online]. Available: http://www.pandaapp.com/
[10] Baidu, (Online; Last Accessed Mar. 1, 2014). [Online]. Available: http://as.baidu.com/
[11] Opera Mobile App Store, (Online; Last Accessed Mar. 1, 2014). [Online]. Available: http://apps.opera.com/en_in/
[12] AppChina, (Online; Last Accessed Mar. 1, 2014). [Online]. Available: http://www.appchina.com/
[13] GetJar, (Online; Last Accessed Mar. 1, 2014). [Online]. Available: http://www.getjar.mobi/
[14] ESET—Trends for 2013, (Online; Last Accessed Feb. 11). [Online]. Available: http://go.eset.com/us/resources/whitepapers/Trends_for_2013_preview.pdf
[15] Kaspersky Security Bulletin 2013, Overall statistics for 2013, (Online; Last Accessed Feb. 11). [Online]. Available: https://www.securelist.com/en/analysis/204792318/Kaspersky_Security_Bulletin_2013_Overall_statistics_for_2013
[16] McAfee Labs Threats Report: Third Quarter 2013, (Online; Last Accessed Feb. 11). [Online]. Available: http://www.mcafee.com/uk/resources/reports/rp-quarterly-threatq3-2013.pdf
[17] F-Secure: Mobile Threat Report Q1 2013, (Online; Last Accessed Feb. 11). [Online]. Available: http://www.fsecure.com/static/doc/labs_global/Research/Mobile_Threat_Report_Q1_2013.pdf
[18] F-Secure: Mobile Threat Report Q3 2013, (Online; Last Accessed Feb. 11). [Online]. Available: http://www.fsecure.com/static/doc/labs_global/Research/Mobile_Threat_Report_Q3_2013.pdf
[19] F-Secure: Mobile Threat Report H1 2013, (Online; Last Accessed Feb. 11). [Online]. Available: http://www.fsecure.com/static/doc/labs_global/Research/Threat_Report_H1_2013.pdf
[20] VirusTotal, (Online; Last Accessed Feb. 11, 2014). [Online]. Available: https://www.virustotal.com/
[21] Android.Bgserv, (Online; Last Accessed Feb. 12, 2011). [Online]. Available: http://www.symantec.com/security_response/writeup.jsp?docid=2011-031005-2918-99
[22] Backdoor.AndroidOS.Obad.a, (Online; Last Accessed Dec. 25, 2013). [Online]. Available: http://contagiominidump.blogspot.in/2013/06/backdoorandroidosobada.html
[23] RageAgainstTheCage, (Online; Last Accessed Feb. 11). [Online]. Available: https://github.com/bibanon/android-development-codex/blob/master/General/Rooting/rageagainstthecage.md
[24] Android Hipposms, (Online; 2011). [Online]. Available: http://www.csc.ncsu.edu/faculty/jiang/HippoSMS/
[25] Android/NotCompatible Looks Like Piece of PC Botnet, (Online; Last Accessed Dec. 25, 2013). [Online]. Available: http://blogs.mcafee.com/mcafee-labs/androidnotcompatible-looks-like-piece-of-pc-botnet
[26] E. Fernandes, B. Crispo, and M. Conti, “FM 99.9, radio virus: Exploiting FM radio broadcasts for malware deployment,” IEEE Trans. Inf. Forensics Security, vol. 8, no. 6, pp. 1027–1037, Jun. 2013. [Online]. Available: http://dblp.uni-trier.de/db/journals/tifs/tifs8.html#FernandesCC13
[27] R. Fedler, J. Schütte, and M. Kulicke, “On the Effectiveness of Malware Protection on Android,” Fraunhofer AISEC, Berlin, Germany, Tech. Rep., 2013.
[28] C. Jarabek, D. Barrera, and J. Aycock, “ThinAV: Truly lightweight Mobile Cloud-based Anti-malware,” in Proc. 28th Annu. Comput. Security Appl. Conf., 2012, pp. 209–218.
[29] Kaspersky Internet Security for Android, (Online; Last Accessed Feb. 11). [Online]. Available: http://www.kaspersky.com/android-security
[30] M. Grace, Y. Zhou, Q. Zhang, S. Zou, and X. Jiang, “RiskRanker: Scalable and accurate zero-day Android malware detection,” in Proc. 10th Int. Conf. MobiSys, New York, NY, USA, 2012, pp. 281–294. [Online]. Available: http://doi.acm.org/10.1145/2307636.2307663
[31] G. Suarez-Tangil, J. Tapiador, P. Peris-Lopez, and A. Ribagorda, “Evolution, detection and analysis of malware for smart devices,” IEEE Commun. Surveys Tuts., vol. 16, no. 2, pp. 961–987, 2014.
[32] M. La Polla, F. Martinelli, and D. Sgandurra, “A survey on security for mobile devices,” IEEE Commun. Surveys Tuts., vol. 15, no. 1, pp. 446–471, 2013.
[33] W. Enck, “Defending users against smartphone apps: Techniques and future directions,” in Proc. 7th ICISS, 2011, pp. 49–70. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-25560-1_3
[34] Android Security Overview, (Online; Last Accessed Dec. 25, 2013). [Online]. Available: http://source.android.com/devices/tech/security
[35] W. Enck, M. Ongtang, and P. McDaniel, “Understanding android security,” IEEE Security Privacy, vol. 7, no. 1, pp. 50–57, Jan./Feb. 2009. [Online]. Available: http://dx.doi.org/10.1109/MSP.2009.26
[36] Android Kernel Features, (Online; Last Accessed Mar. 9, 2014). [Online]. Available: http://elinux.org/Android_Kernel_Features
[37] permission, (Online; Last Accessed Feb. 11). [Online]. Available: http://developer.android.com/guide/topics/manifest/permission-element.html
[38] B. Sanz et al., “PUMA: Permission Usage to detect Malware in Android,” in Proc. Int. Joint Conf. CISIS-ICEUTE-SOCO’Spec. Sessions, 2013, pp. 289–298.

[39] J. Oberhide, Dissecting the Android Bouncer, (Online; Last Accessed Jun. 1, 2012). [Online]. Available: http://jon.oberheide.org/blog/2012/06/21/dissecting-the-android-bouncer/
[40] Exercising Our Remote Application Removal Feature, (Online; Last Accessed Feb. 11). [Online]. Available: http://androiddevelopers.blogspot.in/2010/06/exercising-our-remote-application.html
[41] CVE, (Online; Last Accessed Feb. 11). [Online]. Available: http://cve.mitre.org/
[42] G. Andre and P. Ramos, “Boxer SMS Trojan,” ESET Latin American Lab, Bratislava, Slovakia, Tech. Rep., 2013.
[43] Android Version History, (Online; Last Accessed Mar. 11, 2014). [Online]. Available: http://en.wikipedia.org/wiki/Android_version_history
[44] L. Xing, X. Pan, R. Wang, K. Yuan, and X. Wang, “Upgrading your android, elevating my malware: Privilege escalation through mobile OS updating,” in Proc. IEEE Symp. Security Privacy, 2014, pp. 393–408.
[45] z4Root, (Online; Last Accessed Feb. 11). [Online]. Available: https://github.com/bibanon/android-developmentcodex/blob/master/General/Rooting/z4root.md
[46] Android Trickery, (Online; Last Accessed Feb. 11). [Online]. Available: http://c-skills.blogspot.com/2010/07/androidtrickery.html
[47] Zimperlich Sources, (Online; Last Accessed Feb. 11). [Online]. Available: http://c-skills.blogspot.in/2011/02/zimperlichsources.html
[48] GingerBreak, (Online; Last Accessed Feb. 11). [Online]. Available: http://forum.xda-developers.com/showthread.php?t=1044765
[49] zergrush, (Online; Last Accessed Feb. 11). [Online]. Available: http://forum.xda-developers.com/showthread.php?t=1296916
[50] Z. Yajin and J. Xuxian, “Dissecting android malware: Characterization and evolution,” in Proc. 33rd IEEE Symp. Security Privacy, Oakland, CA, USA, 2012, pp. 95–109.
[51] Security Enhancements in Android 4.3, (Online; Last Accessed Dec. 25, 2013). [Online]. Available: http://source.android.com/devices/tech/security/enhancements43.html
[52] Security Enhancements in Android 4.2, (Online; Last Accessed Dec. 25, 2013). [Online]. Available: http://source.android.com/devices/tech/security/enhancements42.html
[53] G. Portokalidis, P. Homburg, K. Anagnostakis, and H. Bos, “Paranoid android: Versatile protection for smartphones,” in Proc. 26th ACSAC, New York, NY, USA, 2010, pp. 347–356. [Online]. Available: http://doi.acm.org/10.1145/1920261.1920313
[54] Validating Security-Enhanced Linux in Android, (Online; Last Accessed Dec. 25, 2013). [Online]. Available: http://source.android.com/devices/tech/security/se-linux.html
[55] M. Conti, B. Crispo, E. Fernandes, and Y. Zhauniarovich, “CRêPe: A system for enforcing fine-grained context-related policies on android,” IEEE Trans. Inf. Forensics Security, vol. 7, no. 5, pp. 1426–1438, Oct. 2012.
[56] M. Nauman, S. Khan, and X. Zhang, “Apex: Extending android permission model and enforcement with user-defined runtime constraints,” in Proc. ASIACCS, D. Feng, D. A. Basin, and P. Liu, Eds., 2010, pp. 328–332. [Online]. Available: http://dblp.uni-trier.de/db/conf/ccs/asiaccs2010.html#NaumanKZ10
[57] S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, and A.-R. Sadeghi, “Xmandroid: A new android evolution to mitigate privilege escalation attacks,” Technische Universität Darmstadt, Darmstadt, Germany, Tech. Rep. TR-2011-04, 2011.
[58] M. Ongtang, S. E. McLaughlin, W. Enck, and P. D. McDaniel, “Semantically rich application-centric security in android,” in Proc. ACSAC, 2009, pp. 340–349. [Online]. Available: http://dblp.uni-trier.de/db/conf/acsac/acsac2009.html#OngtangMEM09
[59] Android Security Analysis Challenge: Tampering Dalvik Bytecode During Runtime, (Online; Last Accessed Feb. 11, 2013). [Online]. Available: http://bluebox.com/labs/android-security-challenge/
[60] “State of mobile security,” Lookout Mobile Security, Tech. Rep., 2012.
[61] “Current world of mobile threats,” Lookout Mobile Security, San Francisco, CA, USA, Tech. Rep., 2013.
[62] C. Lever, M. Antonakakis, B. Reaves, P. Traynor, and W. Lee, “The core of the matter: Analyzing malicious traffic in cellular carriers,” in Proc. NDSS, 2013, vol. 13, pp. 1–16.
[63] H. T. T. Truong et al., “The company you keep: Mobile malware infection rates and inexpensive risk indicators,” in Proc. 23rd Int. Conf. WWW, 2013, pp. 39–50.
[64] Carat: Collaborative Energy Diagnosis, (Online; Last Accessed Dec. 25, 2013). [Online]. Available: http://carat.cs.berkeley.edu/
[65] Fake Netxflix—Android trojan info stealer, (Online; Last Accessed Feb. 11). [Online]. Available: http://contagiominidump.blogspot.in/2011/10/fake-netxflix-adtroid-trojan-info.html
[66] F. Shahzad, M. A. Akbar, and M. Farooq, “A survey on recent advances in malicious applications analysis and detection techniques for smartphones,” National Univ. Comput. Emerging Sci., Islamabad, Pakistan.
[67] Spitmo vs Zitmo: Banking Trojans Target Android, (Online; Last Accessed Feb. 11). [Online]. Available: https://blogs.mcafee.com/mcafee-labs/spitmo-vs-zitmo-banking-trojans-target-android
[68] Fakedefender.B—Android Fake Antivirus, (Online; Last Accessed Dec. 25, 2013). [Online]. Available: http://contagiominidump.blogspot.in/2013/11/fakedefenderb-android-fake-antivirus.html
[69] avast! Free Mobile Security, (Online; Last Accessed Dec. 25, 2013). [Online]. Available: http://www.avast.com/freemobile-security-c?utmexpid=22755838-21.bXJmQHnQA6pakUW6PaLQQ.2&utmreferrer=https%3A%2F%2Fwww.google.com%2F
[70] APKTool, Reverse Engineering with ApkTool, (Online; Accessed Mar. 20, 2013). [Online]. Available: https://code.google.com/android/apk-tool
[71] A. Inc., Class to Dex Conversion with Dx, (Online; Last Accessed Mar. 5, 2013). [Online]. Available: http://developer.android.com/tools/help/index.html
[72] Remote Access Tool Takes Aim with Android APK Binder, (Online; Last Accessed Dec. 25, 2013). [Online]. Available: http://www.symantec.com/connect/blogs/remote-access-tool-takes-aimandroid-apk-binder
[73] V. Rastogi, Y. Chen, and X. Jiang, “Droidchameleon: Evaluating Android anti-malware against transformation attacks,” in Proc. 8th ACM SIGSAC Symp. Inf., Comput. Commun. Security, 2013, pp. 329–334.
[74] M. Zheng, P. P. C. Lee, and J. C. S. Lui, “ADAM: An automatic and extensible platform to stress test Android anti-virus systems,” in Proc. DIMVA, 2012, pp. 82–101.
[75] ProGuard, (Online; Last Accessed Feb. 11). [Online]. Available: http://proguard.sourceforge.net/
[76] DexGuard, (Online; Last Accessed Feb. 11). [Online]. Available: http://www.saikoa.com/dexguard
[77] P. Faruki et al., “Evaluation of android anti malware techniques against Dalvik bytecode obfuscation,” in Proc. 13th IEEE Int. Conf. TrustCom, Beijing, China, Sep. 26–28, 2014.
[78] Dalvik Bytecode Obfuscation on Android, (Online; Last Accessed Feb. 11). [Online]. Available: https://dexlabs.org/blog/bytecode-obfuscation
[79] BlackHat, Reverse Engineering with Androguard, (Online; Accessed Mar. 29, 2013). [Online]. Available: https://code.google.com/androguard
[80] W. Zhou, Y. Zhou, and X. Jiang, “Hey, you get off my market: Detecting malicious apps in official and third party android markets,” in Proc. Annu. NDSS, New York, NY, USA, 2012, pp. 1–13.
[81] A. Shabtai, U. Kanonov, Y. Elovici, C. Glezer, and Y. Weiss, “‘Andromaly’: A behavioral malware detection framework for android devices,” J. Intell. Inf. Syst., vol. 38, no. 1, pp. 161–190, 2012. [Online]. Available: http://dblp.uni-trier.de/db/journals/jiis/jiis38.html#ShabtaiKEGW12
[82] Y. Feng, S. Anand, I. Dillig, and A. Aiken, “Apposcopy: Semantics-based detection of android malware,” in Proc. SIGSOFT FSE, 2014, pp. 1–12.
[83] P. Faruki, V. Ganmoor, V. Laxmi, M. S. Gaur, and A. Bharmal, “AndroSimilar: Robust statistical feature signature for Android malware detection,” in Proc. SIN, A. Eli, M. S. Gaur, M. A. Orgun, and O. B. Makarevich, Eds., 2013, pp. 152–159. [Online]. Available: http://dblp.uni-trier.de/db/conf/sin/sin2013.html#FarukiGLGB13
[84] A. P. Fuchs, A. Chaudhuri, and J. S. Foster, SCanDroid: Automated security certification of Android applications, Manuscript. [Online]. Available: http://www.cs.umd.edu/~avik/projects/scandroidascaa
[85] L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang, “CHEX: Statically vetting Android apps for component hijacking vulnerabilities,” in Proc. ACM Conf. Comput. Commun. Security, T. Yu, G. Danezis, and V. D. Gligor, Eds., 2012, pp. 229–240. [Online]. Available: http://dblp.uni-trier.de/db/conf/ccs/ccs2012.html#LuLWLJ12
[86] B. P. Sarma et al., “Android permissions: A perspective combining risks and benefits,” in Proc. 17th ACM Symp. Access Control Models Technol., 2012, pp. 13–22.
[87] D. Barrera, H. G. Kayacik, P. C. van Oorschot, and A. Somayaji, “A methodology for empirical analysis of permission-based security models and its application to android,” in Proc. 17th ACM Conf. CCS, 2010, pp. 73–84.
[88] C.-Y. Huang, Y.-T. Tsai, and C.-H. Hsu, “Performance evaluation on permission-based detection for android malware,” in Proc. Adv. Intell. Syst. Appl.-Vol. 2, 2013, vol. 2, pp. 111–120.
[89] W. Enck, M. Ongtang, and P. McDaniel, “On lightweight mobile phone application certification,” in Proc. 16th ACM Conf. Comput. Commun. Security, 2009, pp. 235–245.

[90] J. Kim, Y. Yoon, K. Yi, J. Shin, and S. Center, “ScanDal: Static analyzer for detecting privacy leaks in Android applications,” in Proc. Workshop MoST, 2012, in conjunction with the IEEE Symposium on Security and Privacy.
[91] H. S. Karlsen, E. R. Wognsen, M. C. Olesen, and R. R. Hansen, “Study, formalisation, analysis of Dalvik bytecode,” in Proc. 7th Workshop BYTECODE, 2012, pp. 1–9.
[92] Y. Aafer, W. Du, and H. Yin, “DroidAPIminer: Mining API-level features for robust malware detection in Android,” in Proc. SecureComm, vol. 127, Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, T. Zia, A. Y. Zomaya, V. Varadharajan, and Z. M. Mao, Eds., Springer, 2013, pp. 86–103. [Online]. Available: http://dblp.uni-trier.de/db/conf/securecomm/securecomm2013.html#AaferDY13
[93] M. Zheng, M. Sun, and J. C. S. Lui, “DroidAnalytics: A signature based analytic system to collect, extract, analyze and associate android malware,” in Proc. 12th IEEE Int. Conf. TrustCom, 2013, pp. 163–171.
[94] JD-GUI, Android Decompiling with JD-GUI, (Online; Last Accessed Mar. 1, 2014). [Online]. Available: http://java.decompiler.free.fr/?q=jdgui
[95] JAD, JAD Java Decompiler, (Online; Last Accessed Mar. 1, 2014). [Online]. Available: http://varaneckas.com/jad/
[96] H. van Vliet, Mocha, The Java Decompiler, (Online; Last Accessed Mar. 1, 2014). [Online]. Available: http://www.brouhaha.com/_eric/software/mocha/
[97] SOOT, Soot: A Java optimization framework, (Online; Accessed Mar. 1, 2014). [Online]. Available: http://www.sable.mcgill.ca/soot/
[98] WALA, T. J. Watson Libraries for Analysis (WALA), (Online; Accessed Mar. 1, 2014). [Online]. Available: http://wala.sourceforge.net/wiki/index.php/
[99] H. Inc., Fortify static code analyzer, (Online; Accessed Mar. 1, 2014). [Online]. Available: http://www8.hp.com/us/en/softwaresolutions/software.html?compURI=1338812
[100] E. William, O. Damien, M. Patrick, and C. Swarat, “A study of Android application security,” in Proc. USENIX, San Francisco, CA, USA, 2011, p. 163.
[101] D. Octeau, S. Jha, and P. McDaniel, “Retargeting Android applications to Java bytecode,” in Proc. ACM SIGSOFT 20th Int. Symp. Found. Softw. Eng., 2012, p. 6.
[102] A. Bartel, J. Klein, Y. Le Traon, and M. Monperrus, “Dexpler: Converting Android Dalvik bytecode to Jimple for static analysis with Soot,” in Proc. ACM SIGPLAN Int. Workshop State Art Java Program Anal., 2012, pp. 27–38.
[103] C. Gibler, J. Crussell, J. Erickson, and H. Chen, “Androidleaks: Automatically detecting potential privacy leaks in Android applications on a large scale,” in Proc. Trust Trustworthy Comput., 2012, pp. 291–307.
[104] Dex2Jar, Android Decompiling with Dex2jar, (Online; Last Accessed May 15, 2013). [Online]. Available: http://code.google.com/p/dex2jar/
[105] UI/Application Exercise Monkey, (Online; Last Accessed Feb. 11). [Online]. Available: http://developer.android.com/tools/help/monkey.html
[106] T. Vidas and N. Christin, “Evading android runtime analysis via sandbox detection,” in Proc. 9th ACM ASIA CCS, New York, NY, USA, 2014, pp. 447–458. [Online]. Available: http://doi.acm.org/10.1145/2590296.2590325
[107] A. Reina, A. Fattori, and L. Cavallaro, “A system call-centric analysis and stimulation technique to automatically reconstruct Android malware behaviors,” in Proc. EUROSEC, Prague, Czech Republic.
[108] D. Damopoulos, G. Kambourakis, and G. Portokalidis, “The best of both worlds: A framework for the synergistic operation of host and cloud anomaly-based IDS for smartphones,” in Proc. 7th EuroSec, New York, NY, USA, 2014, pp. 6:1–6:6. [Online]. Available: http://doi.acm.org/10.1145/2592791.2592797
[109] E. William, G. Peter, C. Byunggon, and C. Landon, “TaintDroid: An information flow tracking system for realtime privacy monitoring on smartphones,” in Proc. USENIX, 2011.
[110] I. Burguera, U. Zurutuza, and S. Nadjm-Tehrani, “Crowdroid: Behavior-based malware detection system for Android,” in Proc. 1st ACM Workshop Security Privacy Smartphones Mobile Devices, 2011, pp. 15–26.
[111] K. O. Elish, D. (Daphne) Yao, and B. G. Ryder, “User-centric dependence analysis for identifying malicious mobile apps,” in Proc. Workshop MoST, 2012.
[112] J. Huang, X. Zhang, L. Tan, P. Wang, and B. Liang, “AsDroid: Detecting stealthy behaviors in android applications by user interface and program behavior contradiction,” in Proc. ICSE, 2014, pp. 1036–1046.
[113] L. K. Yan and H. Yin, “DroidScope: Seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis,” in Proc. 21st USENIX Security Symp., 2012, p. 29.
[114] BakSmali, Reverse Engineering with Smali/Baksmali, (Online; Accessed Mar. 20, 2013). [Online]. Available: https://code.google.com/smali
[115] DARE: Dalvik Retargeting, (Online; Last Accessed Feb. 11, 2013). [Online]. Available: http://siis.cse.psu.edu/dare/
[116] Dedexer, (Online; Last Accessed Feb. 11, 2013). [Online]. Available: http://dedexer.sourceforge.net/
[117] JEB Decompiler, (Online; Last Accessed Feb. 11, 2013). [Online]. Available: http://www.android-decompiler.com/
[118] Similarities for Fun & Profit.
[119] V. Roussev, “Data fingerprinting with similarity hashes, advances in digital forensics,” in Proc. Int. Conf. Digit. Forensics, 2010, pp. 207–226.
[120] V. Roussev, “Building a better similarity trap with statistically improbable features,” in Proc. 42nd HICSS, 2009, pp. 1–10.
[121] Andrubis, 2012. [Online]. Available: http://anubis.iseclab.org/
[122] A. Desnos and P. Lantz, “Droidbox: An android application sandbox for dynamic analysis,” 2011. [Online]. Available: https://code.google.com/p/droidbox/
[123] APKInspector, 2013. [Online]. Available: https://github.com/honeynet/apkinspector/
[124] ded: Decompiling Android Applications, (Online; Last Accessed Feb. 11). [Online]. Available: http://siis.cse.psu.edu/ded/
[125] R. Xu, H. Saïdi, and R. Anderson, “Aurasium: Practical policy enforcement for Android applications,” in Proc. 21st USENIX Conf. Security Symp., 2012, pp. 27–27, USENIX Association.
[126] Google Bouncer: Bad guys may have an app for that, Feb. 2012. [Online]. Available: http://www.techrepublic.com/blog/it-security/google-bouncer-badguys-may-have-an-app-for-that/7422/
[127] CopperDroid, Feb. 2012. [Online]. Available: http://copperdroid.isg.rhul.ac.uk/copperdroid/index.php
[128] J. Kornblum, “Identifying almost identical files using context triggered piecewise hashing,” Digit. Investigation, vol. 3, pp. 91–97, Sep. 2006. [Online]. Available: http://dx.doi.org/10.1016/j.diin.2006.06.015
[129] Drozer—A Comprehensive Security and Attack Framework for Android, (Online; Last Accessed Feb. 11, 2013). [Online]. Available: https://www.mwrinfosecurity.com/products/drozer/
[130] M. C. Grace, W. Zhou, X. Jiang, and A.-R. Sadeghi, “Unsafe exposure analysis of mobile in-app advertisements,” in Proc. 5th ACM Conf. WISEC, New York, NY, USA, 2012, pp. 101–112. [Online]. Available: http://doi.acm.org/10.1145/2185448.2185464
[131] A. Narayanan, L. Chen, and C. K. Chan, “Addetect: Automated detection of android ad libraries using semantic analysis,” in Proc. IEEE 9th Int. Conf. ISSNIP, Singapore, Apr. 21–24, 2014, pp. 1–6. [Online]. Available: http://dx.doi.org/10.1109/ISSNIP.2014.6827639
[132] H. Dong, J. Kang, J. Schafer, and A. Ganz, “Android-based visual tag detection for visually impaired users: System design and testing,” Int. J. E-Health Med. Commun., vol. 5, no. 1, pp. 63–80, 2014. [Online]. Available: http://dx.doi.org/10.4018/ijehmc.2014010104
[133] P. Faruki, V. Ganmoor, L. Vijay, M. Gaur, and M. Conti, “Android Platform Invariant Sandbox for Analyzing Malware and Resource Hogger apps,” in Proc. 10th IEEE Int. Conf. SecureComm, Beijing, China, Sep. 26–28, 2014, pp. 1–6.
[134] G. Suarez-Tangil, M. Conti, J. E. Tapiador, and P. Peris-Lopez, “Detecting targeted smartphone malware with behavior-triggering stochastic models,” in Proc. Eur. Symp. Res. Comput. Security, 2014, pp. 183–201.
[135] Dendroid malware can take over your camera, record audio, sneak into Google Play, (Online; 2014). [Online]. Available: https://blog.lookout.com/blog/2014/03/06/dendroid/
[136] S. Neuner et al., “Enter sandbox: Android sandbox comparison,” in Proc. IEEE MoST, 2014.
[137] P. Ratazzi et al., “A systematic security evaluation of android’s multi-user framework,” in Proc. IEEE MoST, 2014, pp. 1–10.
[138] T. Petsas, G. Voyatzis, E. Athanasopoulos, M. Polychronakis, and S. Ioannidis, “Rage against the virtual machine: Hindering dynamic analysis of android malware,” in Proc. 7th Eur. Workshop Syst. Security, 2014, Art. ID. 5.
[139] M. Lindorfer, Andrubis: A tool for analyzing unknown android applications. [Online]. Available: http://www.seclab.tuwien.ac.at/papers/andrubis_badgers14.pdf
[140] M. Lindorfer et al., “Andrubis—1,000,000 apps later: A view on current Android malware behaviors,” in Proc. 3rd Int. Workshop BADGERS, 2014, pp. 1–15.

[141] L. Weichselbaum et al., “Andrubis: Android malware under the magnifying glass,” Vienna University of Technology, Wien, Austria, Tech. Rep. TR-ISECLAB-0414-001, 2014.
[142] T. Bläsing, L. Batyuk, A.-D. Schmidt, S. A. Çamtepe, and S. Albayrak, “An android application sandbox system for suspicious software detection,” in Proc. MALWARE, 2010, pp. 55–62.
[143] C. Zheng et al., “SmartDroid: An automatic system for revealing UI-based trigger conditions in android applications,” in Proc. 2nd ACM Workshop SPSM, New York, NY, USA, 2012, pp. 93–104. [Online]. Available: http://doi.acm.org/10.1145/2381934.2381950

Parvez Faruki received the bachelor’s degree in computer engineering from L.D. Engineering, Ahmedabad, India, in 2000 and the M.Tech degree from the Malaviya National Institute of Technology (MNIT), Jaipur, India, in 2012, where he is pursuing doctoral research on android security with the CSE Department. He has conceptualized DroidAnalyst and proposed AbNORMAL and AndroSimilar analysis techniques. His research interests include malware analysis, mobile platform security, and machine learning techniques.

Ammar Bharmal is an M.Tech Scholar working on Android malware analysis with the CSE Department, Malaviya National Institute of Technology, Jaipur, India. He has been actively involved in mobile platform security research since 2012.

Vijay Laxmi received the BTech degree in ECE from JNV University, Rajasthan, India, in 1991, the MTech degree in CSE from IIT Delhi, New Delhi, India, in 1992, and the Ph.D. degree in ECS in 2003 from the University of Southampton, Southampton, U.K., under Commonwealth Scholarship and Fellowship. She is an Associate Professor in computer science and engineering at the Malaviya National Institute of Technology, Jaipur, India. As a Principal Investigator, she has completed three research

Vijay Ganmoor is an M.Tech Scholar working on Android malware analysis with the CSE Department, Malaviya National Institute of Technology, Jaipur, India. He has been actively involved in mobile platform security research since 2012.

Manoj Singh Gaur received the BE(ECE) degree from JNV University, Rajasthan, India, in 1988, the ME(CSE) degree from IISc Bangalore, Bangalore, India in 1994, and the Ph.D. degree in ECS from the University of Southampton, Southampton, U.K., in 2004. He has been teaching for the past 25 years. He is a Professor in computer science and engineering at the Malaviya National Institute of Technology, Jaipur, India. He has supervised seven Ph.D. candidates, four covering different aspects of information security. He has also successfully completed six research projects. His research interests include information security, particularly malware analysis.

Mauro Conti (SM’10) received the Ph.D. degree from the Sapienza University of Rome, Rome, Italy, in 2009. After his Ph.D., he was a Postdoctoral Researcher at Vrije Universiteit Amsterdam, Amsterdam, The Netherlands. He was a Visiting Researcher at GMU (2008), UCLA (2010), UCI (2012–2014), and TU Darmstadt (2013). He is an Associate Professor at the University of Padua, Padua, Italy. His main research interest is in the area of security and privacy. In this area, he published more than 80 papers in topmost international peer-reviewed journals and conferences. Dr. Conti was a recipient of a Marie Curie Fellowship (2012) from the European Commission and a Fellowship from the German DAAD (2013). He served as a Program Committee Member of several conferences. He served as a Panelist at the ACM CODASPY 2011 and the General Chair for SecureComm 2012 and ACM SACMAT 2013.

Muttukrishnan Rajarajan received the Ph.D. degree from the City University London, London, U.K., in 2001. He is a Professor in security engineering at the City University London. His research expertise is in the areas of mobile security, intrusion detection, and privacy techniques. He has chaired several international conferences in the area of information security and involved in the editorial boards of several security and network journals. He is also a Visiting Research Fellow at the British Telecom-
projects. She is actively involved in malware re- munications UK and is currently actively engaged in
search. She has supervised seven Ph.D. candidates, four covering different the U.K. Government’s Identity Assurance Program. He is a Member of the
aspects of information security. To date, she has more than 60 papers in refereed ACM and an Advisory Board Member of the Institute of Information Security
conferences/journals in the area of information security. Professionals UK.
