This is the first part of a two-part blog based on my paper for AVAR 2012 that discusses the complications in automating the analysis of Android malware.

With increasing popularity comes the danger of threats. Android malware is growing at a massive rate in parallel with the rise in Android smartphone usage. Malware writers have been very successful in spreading Android malware by availing of the relatively weak registration and signing policy for third-party markets, and the official Android market as well.
The exponential rise of malware for the PC necessitated the incorporation of automated detection infrastructure, and one predicts the same requirements for Android malware. Via automation it is possible to make intelligent decisions on an Android application’s functionality to determine its status as good or bad, as performed by Google’s Bouncer, a behavioural decision-maker.
Unfortunately, recent studies show that, in similarity to the PC, Android adware applications can be found in the wild. These Android Potentially Unwanted Applications (aka PUAs), apart from being a nuisance to the smartphone user, would also complicate decision-making in the automated analysis of Android malware. There is little doubt that the number of Android PUAs will rise dramatically over time, and, like their PC counterparts, they will muddy the waters, introducing a lot of grey between the black and white. To decide if an application is a PUA or malware has never been so easy in the PC world since opinions can always differ.
This paper charts the rise of Android malware and Android PUAs. It describes the automated analysis of an Android application, focussing on the malware decision-making criteria, and discusses the difficulties in decision-making posed by Android PUAs.
Android Malware Growth 
There was an explosive increase in the number of Android malware till November 2011, and the numbers continue to grow. Malware authors have made good use of the third-party Android markets to spread far and wide, and have at times infiltrated even Google Play (formerly known as The Android Marketplace).
Fig. 1 below charts the rise in Android malware since November 2011 till the time of writing.

Fig. 1, Android Malware Growth [1]
Even though the chart above depicts a slight dip in-between, the mal-packages released in that period had no compromise on the severity of the data or monetary loss for the victim. There were major outbreaks as well that had a huge impact on Android mobile users. For example Android.MMarketPay places orders for items in China Mobile’s online market without the user’s knowledge, and is coded to manage the response from the online market, whether it be either SMS or Captcha. Another major outbreak, AndroidOS.Counterclank, that dropped a search icon to direct the user to a fake Google search page, had a big number of infection hits.
Focussing on improving the propagation methods, malware authors also started investing time in discovering new ways to spread their applications and to trick the user into installing their packages.
Studies show that most of the Android malware aim at monetary benefits and stealing the victim’s personal information. Interestingly, in recent times, there have been malware that avail of the route of targeted attacks [2], either a region or country, to achieve monetary benefits. For instance, the newly found, Android.SMSZombie, attacks Chinese users by exploiting a vulnerability in the mobile payment process of China Mobile [3]. The case of regional or targeted attacks implies that there could be several instances of malware world-wide which we do not even know about, therefore the real malware count could be somewhat higher than that shown in the Fig. 1 above.
In addition, the technique of polymorphism employed by the malware writers to create multiple variants of the same malware, contributes significantly to the rise in Android malware.
All these factors considered within the Android malware space, it is expected that the raw malware count would increase manifold in future.
Android Malware Growth by Trend 
As per Darwin’s “Survival of the Fittest”, even malware compete with one other in terms of the complexity of behaviour and detection-evasion techniques. Indeed, the behaviour of one malware family could interfere with that of another malware family. The lifecycle of any malware ends at the moment it is identified by security software. Bearing this in mind, malware authors engage new strategies to enter and compromise the user’s device.
Even though old-fashioned SMS Trojans still exist, Android malware can be seen to have evolved from the usual malware behaviour of sending out SMS messages. From several new malware behaviours the example of Android.Nickispy, found to record user conversations and send it to a remote C&C server, stands out.
Let us explore a few of the other notable behaviours of Android malware in the recent times:
Botnets. These malware applications will be controlled by a remote server through the issuance of commands. The latest malware of this kind, Android.Tigerbot, is controlled via SMS messages from a remote server. This mal-package checks if the SMS message is from the remote server even before the concerned service is aware of it. Thus the remote attacker is able to control the device.
Work as a Group. A single application drops two or more components from itself to accomplish the malware activity. A couple of examples are Trojan-Dropper.AndroidOS.Foncy.a and Android.OSSpy.
Fake Applications. As in the case of the Windows OS, Android malware too have been found to display fake scan results [4] with a link to websites that may host other malware applications or phish for the user’s personal information.
AV Killer. In recent times, there have been Android malware that search for the known existence of a running security software service and kill it to escape being detected. An instance of this is Android.UpdtKiller.
Image Modifiers. Some Android applications that are doing the rounds check for images in the SD card and modify them, exhausting the memory card with fewer but larger images.
Polymorphism.Android malware execute the concept of polymorphism by either modifying the data folder, changing the order of files, or adding files to the package that are in no way connected to the malware behaviour of the application. It is only a matter of time before the main binary malware components begin to incorporate junk content, including code within the execution chain.

Zitmo / Spitmo. This kind of malware, though seen earlier, is still highly dangerous, as they intrude on the online banking transactions of the user. By collecting the mTAN (mobile Transaction Authentication Number) that is being sent to the customer’s device from the bank, hackers can conduct money transactions on the victim’s account.
PUPs or PUAs. Also on patrol nowadays are applications with activities of dubious intent, e.g. displaying pop-ups, etc. These applications may be referred to as Potentially Unwanted Applications (PUAs) or Potentially Unwanted Programs (PUPs) given that certain users may not consider them to be undesirable. Decision making on this category of applications can be really complex and error-prone.
The evolution in the severity and malicious nature of Android malware bears a striking similarity with that of PC malware, but over a far shorter timeframe. It seems that one can predict the trends in Android malware by comparison with those of PC malware, including the proliferation of borderline PUAs and other “tools”. Thus it is possible to better prepare the security response to Android malware based on the lessons learned in the PC malware domain.
During the early stages of computer insecurity, most of the threats were intended to deteriorate the computer. Later, however, malware writers shifted their focus from crashing the computer to attaining financial gain. At this point there was an enormous increase in the count of Trojans and spyware in the threat landscape over a period of time, which demanded automated detection systems to protect the users in a timely fashion. Similarly, Android malware at the initial stages were primitively aimed at sending out premium rated SMS, but now they involve behaviours like stealing user’s personal information, redirecting messages from banks, drive by downloads, zombies, and so on.
Within a short span of time, Android malware behaviour have progressed quickly whereas computer malware took a considerable time period to evolve their functionality. Studies on Android mobile security reveal that the number and variety of Android threats is increasing year on year, and the same is expected to continue in future. Despite the user’s awareness about Android malware, the number of infections continues to increase unabated. This alarming situation drives the need to automate the detection of Android threats for quick response. There is also an emphasis on the need for proactive protection for Android malware. It ultimately becomes the responsibility of security software to protect the user by providing the right solutions at the right time.
                                                                                                                                               To be continued…
Images courtesy of:
Malware Analyst, K7TCL
If you wish to subscribe to our blog, please add the URL provided below to your blog reader:

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.