Download - Malware in the Mobile Device Android Environment · PDF fileAnnual ADFSL Conference on Digital Forensics, Security and Law 2016 May 25th, 10:30 AM Malware in the Mobile Device Android

Transcript
Page 1: Malware in the Mobile Device Android Environment · PDF fileAnnual ADFSL Conference on Digital Forensics, Security and Law 2016 May 25th, 10:30 AM Malware in the Mobile Device Android

Malware in the Mobile Device Android Environment Hintea, D, Bird, B & Walker, A Published PDF deposited in Coventry University’s Repository Original citation: Hintea, D, Bird, B & Walker, A 2016, 'Malware in the Mobile Device Android Environment' Paper presented at 11th Annual ADFSL Conference on Digital Forensics, Security and Law, Florida, United States, 24/05/16 - 26/05/16 http://commons.erau.edu/adfsl/2016/wednesday/6/ Publisher: Scholarly Commons This article is under a CC BY-NC-ND 4.0 license Copyright © and Moral Rights are retained by the author(s) and/ or other copyright owners. A copy can be downloaded for personal non-commercial research or study, without prior permission or charge. This item cannot be reproduced or quoted extensively from without first obtaining permission in writing from the copyright holder(s). The content must not be changed in any way or sold commercially in any format or medium without the formal permission of the copyright holders.

Page 2: Malware in the Mobile Device Android Environment · PDF fileAnnual ADFSL Conference on Digital Forensics, Security and Law 2016 May 25th, 10:30 AM Malware in the Mobile Device Android

Annual ADFSL Conference on Digital Forensics, Security and Law 2016

May 25th, 10:30 AM

Malware in the Mobile Device AndroidEnvironmentDiana HinteaCoventry University, School of Computing, Electronics and Maths, [email protected]

Robert BirdCoventry University, School of Computing, Electronics and Maths, [email protected]

Andrew WalkerBAE Systems Applied Intelligence Guildford, [email protected]

Follow this and additional works at: http://commons.erau.edu/adfsl

Part of the Aviation Safety and Security Commons, Computer Law Commons, Defense andSecurity Studies Commons, Forensic Science and Technology Commons, Information SecurityCommons, National Security Law Commons, OS and Networks Commons, Other ComputerSciences Commons, and the Social Control, Law, Crime, and Deviance Commons

This Peer Reviewed Paper is brought to you for free and open access by theConferences at Scholarly Commons. It has been accepted for inclusion inAnnual ADFSL Conference on Digital Forensics, Security and Law by anauthorized administrator of Scholarly Commons. For more information,please contact [email protected]. (c)ADFSL

Scholarly Commons CitationHintea, Diana; Bird, Robert; and Walker, Andrew, "Malware in the Mobile Device Android Environment" (2016). Annual ADFSLConference on Digital Forensics, Security and Law. 6.http://commons.erau.edu/adfsl/2016/wednesday/6

Page 3: Malware in the Mobile Device Android Environment · PDF fileAnnual ADFSL Conference on Digital Forensics, Security and Law 2016 May 25th, 10:30 AM Malware in the Mobile Device Android

Malware in the Mobile Device Android … CDFSL Proceedings 2016

© 2016 ADFSL Page 155

MALWARE IN THE MOBILE DEVICEANDROID ENVIRONMENT

Diana HinteaCoventry University

School of Computing, Electronics and MathsCoventry, CV1 2JH

[email protected]

Robert BirdCoventry University

School of Computing, Electronics and MathsCoventry, CV1 2JH

[email protected]

Andrew WalkerBAE Systems Applied Intelligence

Guildford, GU2 [email protected]

ABSTRACTConsequent to the world wide increase of smartphone use, the incidence of malware developed toexploit smartphone operating systems has exponentially expanded. Android has become the maintarget to exploit due to having the largest install base amongst the smartphone operating systemsand owing to the open access nature in which application installations are permitted. ManyAndroid users are unaware of the risks associated with a malware infection and to what levelcurrent malware scanners protect them. This paper tests how efficient the currently availablemalware scanners are. To achieve this, ten representative Android security products were selectedand tested against a set of 5,560 known and categorized Android malware samples. The tests werecarried out using a digital-forensically rigorous testing framework and methodology, which ensuresthe scientific validity of the results. The detection rates of the tested malware scanners variedwidely with half unable to detect any samples at all during initial testing. The malware scannersthat were able to detect the samples scored highly with the top four between 97-99% and a fifthscanner scoring 87%. The results emphasise the need for more complex detection mechanisms andprotections in future versions of Android and the next generation of malware scanners.Keywords: malware, mobile forensics, Android

INTRODUCTIONThe Android operating system and its usersare a significant target for malware developers;however, many Android users are unaware ofwhat malware is and the threats associated

with it. The first objective of this paper is toestablish whether Android is more susceptibleto malware than other mobile operatingsystems and if so, why. Android users that aremore security-conscious will often downloadand use malware scanners in the expectation

Page 4: Malware in the Mobile Device Android Environment · PDF fileAnnual ADFSL Conference on Digital Forensics, Security and Law 2016 May 25th, 10:30 AM Malware in the Mobile Device Android

ADFSL Conference Proceedings 2016 Malware in the Mobile Device Android …

Page 156 © 2016 ADFSL

that it will protect them from malware, butthe effectiveness of these scanners is yet to beinvestigated. The second part of this paperanswers this concern by testing arepresentative set of malware scanners againstknown malware, making use of both staticanalysis and virtual devices.

The paper is structured as follows: Section2 reviews the associated literature review,while Section 3 describes the researchmethodology. Section 4 presents the setupprocedure, while Section 5 provides details onthe testing methodology. The results obtainedthrough testing are given in Section 6. Finally,Section 7 concludes the paper.

LITERATURE REVIEWThis section describes the related literature inthree different areas: i) Android operatingsystem features and malware, ii) the threat ofAndroid malware, and iii) the effectiveness ofmalware scanners in Android.

Malware and theAndroidoperating system

Android is a mobile operating system based onthe Linux kernel and developed in part byGoogle. The operating system was launched inSeptember 2008 (Morrill, 2008) and has sincegrown rapidly. As of 2012, Android has thelargest installed base of any mobile platform,powers hundreds of millions of mobile devicesand has more than 1 million new deviceactivations each day (Android Open SourceProject, 2012).

Having the largest market share makesAndroid a prime target for malware developersas they seek to spread infection promiscuouslyand to maximise their impact. Moreover,Motive Security Labs identified in their H22014 report what they consider to be keyreasons why malware continues to be asignificant problem in Android, whilst alsoperforming a comparison with other mobile

platforms. The reasons mentioned are thefollowing:

1. Android apps can be downloaded fromthird-party app stores and web sites.

2. There is no control of the digitalcertificates used to sign Android apps.

3. Android apps are usually self-signedand can’t be traced to the developer.

4. It is easy to hijack an Android app,inject code into it and re-sign it.

In terms of other smartphones, such asiPhone, Blackberry or Windows Mobile, theymake up less than 1% of the infectionsobserved. The iPhone and Blackberry have amore controlled app distribution environmentand are thus less of a target (Motive SecurityLabs, 2014). Motive Security noted thatAndroid phones and tablets are responsible foraround 50% of the malware infectionsobserved. These results are based on analysisof all platforms, including both desktop andmobile operating systems.

The threat of Androidmalware

To understand why malware is so prolific inAndroid, it is important to understand what itseeks to do and the unique opportunities,exploiting a mobile operating system present tomalware developers. Zhou and Jiang (2012)discuss the threat of Android malware. In thepaper, they focus on the Android platform andaim to systematize or characterize existingAndroid malware. In order to achieve this,they collected 1,200 malware samples thatcover the majority of existing Android malware“families.” Although this appears to be a smallnumber of samples by statistical standards, atthe time these samples formed the first largecollection of Android malware sample andrepresented the majority of existing Androidmalware.

Page 5: Malware in the Mobile Device Android Environment · PDF fileAnnual ADFSL Conference on Digital Forensics, Security and Law 2016 May 25th, 10:30 AM Malware in the Mobile Device Android

Malware in the Mobile Device Android … CDFSL Proceedings 2016

© 2016 ADFSL Page 157

Their findings determine that 86% of thesamples are repackaged versions of legitimateapplications with malicious payloads and cantherefore be broadly categorised as Trojans.Android users should be aware of this statisticand should avoid downloading applicationsfrom third parties even if they appear to begenuine applications. Another finding of thisreport is that 36.7% of the collected malwaresamples leverage root-level exploits. This resultshows how important it is for Android users tokeep their operating systems “patched” or up todate. Older versions of Android are potentiallyvulnerable to root-level exploits that have sincebeen patched.

The report found that 45.3% of thesamples have the built-in support oftransmitting background short messages (topremium-rate numbers) or initiating phonecalls without user awareness. This category ofmalware could cause financial penalty to a userif they are infected as they could incur a largephone bill that they are required to pay totheir provider. This result also enforces theprevious observation that the Androidoperating system should be patched regularly.This is because in Android 4.2 onwards, asecurity mechanism was introduced wherebythe operating system will alert the user beforesending a premium rate SMS message (Eitzen,2012). The final finding of this report is that51.1% of the malware samples are harvestingusers’ information, including user accounts andshort messages stored on the phones (Zhou andJiang, 2012). The information gathered by thistype of malware could be personally orcommercially compromising and could lead tocrimes such as identify theft for the individual,or intellectual property and theft ofcommercial secrets for a business.

This paper identifies the key threats ofAndroid malware - information theft and fraudthrough the misuse of premium rate texts andcalls. Mobile operating systems, such as

Android, store significant amounts of personaland business information that is potentiallyvaluable to malware developers. Secondly, itfinds that mobile operating systems frequentlyrun on devices that contain SIM cards, makingit possible for malware developers to obtainmoney directly through fraudulent phonecharges.

The effectiveness of malwarescanners in Android

A recent paper that discusses the effectivenessof malware scanners in Android is: “DREBIN:Effective and Explainable Detection of AndroidMalware in Your Pocket” (Arp et al. 2014);hence-forth referred to as the DREBIN paper.In the DREBIN paper ten “anti-virus” scannerswere tested “(AntiVir, AVG, Bit-Defender,ClamAV, ESET, F-Secure, Kaspersky, McAfee,Panda, Sophos)” against a set of 5,560 malwaresamples; the same malware set used in thisresearch. The paper discusses the creation ofan Android application called DREBIN whichis a lightweight method for detection ofAndroid malware that enables identifyingmalicious applications directly on thesmartphone.

The application was tested on Android anddetects 94% of the malware; however, theother “anti-virus” products’ detections rateswere checked by uploading the samples to theVirusTotal website (VirusTotal, 2015) andrecording the result returned by the service.This disparity of methods renders comparingresults accurately impossible. This is becauseVirusTotal does not differentiate betweendifferent products from the same vendor. Forexample, the AVG product for Windowsdesktop and Android may work differently andreport a different detection rate, butVirusTotal only outputs a detection result forAVG as a single result. Further, VirusTotaldoes not recommend that its service is used forthis purpose. Under the heading “BAD IDEA:

Page 6: Malware in the Mobile Device Android Environment · PDF fileAnnual ADFSL Conference on Digital Forensics, Security and Law 2016 May 25th, 10:30 AM Malware in the Mobile Device Android

ADFSL Conference Proceedings 2016 Malware in the Mobile Device Android …

Page 158 © 2016 ADFSL

VirusTotal for antivirus/URL scanner testing”on their website’s about page they state:

“At VirusTotal we are tired of repeatingthat the service was not designed as a tool toperform antivirus comparative analyses…”Those who use VirusTotal to perform antiviruscomparative analyses should be aware thatthey are introducing many implicit errors intheir methodology, the most obvious being:

1. VirusTotal's antivirus engines arecommand line versions, so dependingon the product, they will not behaveexactly the same as the desktopversions: for instance, desktop solutionsmay use techniques based onbehavioural analysis and count withpersonal firewalls that may decreaseentry points and mitigate propagation,etc.”

2. Some of the solutions included inVirusTotal are parametrized (incoherence with the developercompany's desire) with a differentheuristic/aggressiveness level than theofficial end-user default configuration(VirusTotal, 2015).

For the above stated reasons, the authorsdecided to test the detection rates of malwarescanners available on the Android operatingsystem using the same malware samples. Usingthis method will give an accuraterepresentation of the detection rates userswould experience if they were to come intocontact with that malware on their Androiddevice.

RESEARCHMETHODOLOGY

The key questions this research addresses arethe following:

1. If Android is a particular target ofmalware, are there any protections

against malware within the operatingsystem itself?

2. What are the threats it poses? Thissection of the question seeks tounderstand the goals of malwarecreated for Android and the threat itposes to users, their devices and data.

3. How effective are malware scanners indetecting and addressing those threats?This section of the question focuses onmalware defense and the malwareproducts created by vendors to protectagainst malware.

The first section is best addressed by usingthe literature review. Sources that discuss theevolution of the Android operating system andmalware created were used. The authors alsobelieve that a literature review is mostappropriate for the second section of thequestion. Sources that analyse the goal ofAndroid malware and the threat it poses willbe used. For the third section the authorschose to use a testing methodology. We test aknown set of malware samples against tenrepresentative Android malware scanningproducts using static analysis. The results willbe used to determine a detection rate for eachproduct. The testing methodology was chosenfor the following reasons:

1. The Android operating system isconstantly updated. It is difficult tofind sources that test malware in thelatest versions of Android.

2. Malware scanners and their definitionsare continuously updated. Newmalware scanners that may not havepreviously been tested against a datasetmay have become available since thesource published, or a product mayhave improved its detection rate.

3. Any source that carried out testingpreviously is quickly out of date asdefinitions in malware scanners areupdated; in most cases daily. By

Page 7: Malware in the Mobile Device Android Environment · PDF fileAnnual ADFSL Conference on Digital Forensics, Security and Law 2016 May 25th, 10:30 AM Malware in the Mobile Device Android

Malware in the Mobile Device Android … CDFSL Proceedings 2016

© 2016 ADFSL Page 159

carrying out our own testing we willhave an accurate, up-to-date snapshotof the latest products and theirdefinitions.

4. Using data from third party sourcessuch as VirusTotal may not giveaccurate results.

SETUP PROCEDURESelection of malware samples

The authors used the DREBIN malwaredataset (Arp et al., 2014) for testing. This is awell-defined and ample database of malwaresamples. The DREBIN dataset contains 5,550malware samples collected in the period fromAugust 2010 to October 2012. Each samplewas uploaded to the VirusTotal (VirusTotal2015) service and checked against the tenmost common malware scanners, namelyAntiVir, AVG, BitDefender, ClamAV, ESET,F-Secure, Kaspersky, McAfee, Panda, andSophos. Applications were categorised asmalicious only if they were detected as so by atleast two of the products. The dataset alsoincludes all 1260 samples from the AndroidMalware Genome Project (Zhou and Jiang,2012). Additionally, any samples that wereidentified as adware were excluded from thedataset. The dataset contains malware from178 different identified malware families with81.15% of the malware belonging to the toptwenty families in the dataset.

The authors selected the DREBIN datasetas it contains a large number of samples acrossa substantial number of malware families,facilitating a comprehensive comparative test.The dataset was collected over a long period oftime and is therefore likely to contain samplestargeting devices running both newer and olderversions of Android. The DREBIN paper itselfstates that “To the best of our knowledge, thisis one of the largest malware datasets that hasbeen used to evaluate a malware detectionmethod on Android” (Arp et al., 2014). Whencreating the malware set, a number of stepshave been taken to make the samples morereliable by requiring the samples to becategorised as malicious by more than one ofthe tested antivirus products and by excludingadware as it exists in a “twilight zone betweenmalware and benign functionality” (Arp et al.,2104).

Table 1The Android Application Package install files.

Reference APK Name Version APK MD51CM com.cleanmaster.security.apk 2.4.9 114a64167a7e59edc94d708ac2795c012Q360 com.qihoo.security-67.apk 3.2.1 fa8a0eab6bd5979a8cc13db83d7ffcfe3AVG com.antivirus.apk 4.3 75d2ee1597a6ed056e9fdee297774fa5

4McAfee com.wsandroid.suite.apk 4.4.0.392 c44c8dc58fb85fa4d935abb0f17370b75AVAST com.avast.android.mobilesecurity.apk 4.0.7880 b9a8e4a1ca3fa4414f4b192bb7f09e356Norton com.symantec.mobilesecurity 3.10.0.2360 ca366bd072ef1e71598b32a81f8ca8d27Lookout com.lookout 9.15-26a3b5f 900cc7207cd4bc44aadf1184cfa2b60e

8NQ com.zrgiu.antivirus 7.3.12.02 7820cbc011ad8a99b76166557b8e2ed39Malwarebytes org.malwarebytes.antimalware 1.05.1.1000 8740049b991021df6c42f10ea1102aa610Kaspersky com.kms.free-84.apk 11.8.4.474 7c7eef4f24aed445d97f6d21c5319559

Figure 1. DREBIN Dataset, top malware families(Arp et al. 2014)

Page 8: Malware in the Mobile Device Android Environment · PDF fileAnnual ADFSL Conference on Digital Forensics, Security and Law 2016 May 25th, 10:30 AM Malware in the Mobile Device Android

ADFSL Conference Proceedings 2016 Malware in the Mobile Device Android …

Page 160 © 2016 ADFSL

Selection of malware scannersThe authors selected applications to test fromthe Google Play Store based on the followingcriteria:

Any application that identifies itselfas an antimalware or antivirusproduct and appears in Google’sPlay store as one of their “TopApps.” Google lists 540 suchapplications.

Any application that identifies itselfas an antimalware or antivirusproduct and appears in Google’sPlay Store as one of the top

applications for a category, forexample “Top Tools Apps.”

This selection process was limited to thetop 100 applications in each category. TheGoogle Play store contains the followingcategories: Books & Reference, Business,Comics, Communication, Education,Entertainment, Finance, Health & Fitness,Libraries & Demo, Lifestyle, Live Wallpaper,Media & Video, Medical, Music & Audio,News & Magazines, Personalisation,Photography, Productivity, Shopping, Social,Sports, Tools, Transport, Travel & Local,Weather, and Widgets.

Figure 2 -Creating Android Virtual Devices

Page 9: Malware in the Mobile Device Android Environment · PDF fileAnnual ADFSL Conference on Digital Forensics, Security and Law 2016 May 25th, 10:30 AM Malware in the Mobile Device Android

Malware in the Mobile Device Android … CDFSL Proceedings 2016

© 2016 ADFSL Page 161

Table 2MD5 and SHA1 hashes

MD5 SHA18GB SD – No malware 2bd9ab33caeb1a4a395fbeeb5c3ef66b 12418e0c1428dcff432b4dbbb0a46923a6a74d

7f8GB SD - With

DREBIN malwareSamples

ed3c60da24fa4f57def5e27a339316ad 872f15461eacb225d56f1ae665960f84f540f373

Table 3Malware applications selected

Reference Application Title Developer Version1CM CM Security Antivirus

AppLockCheetah Mobile

(AntiVirus & AppLock)2.4.9

2Q360 360 Security - Antivirus FREE Qihoo 360 (NYSE:QIHU) 3.2.13AVG AntiVirus Security - FREE AVG Mobile 4.3

4McAfee Security & Antivirus -FREE McAfee (Intel Security) 4.4.0.3925AVAST Antivirus & Security AVAST Software 4.0.78806Norton Norton Security and Antivirus NortonMobile 3.10.0.23607Lookout Security & Antivirus | Lookout Lookout Mobile Security 9.15-26a3b5f

8NQ Antivirus Free-Mobile Security NQ Security Lab 7.3.12.029Malwarebytes Malwarebytes Anti-Malware Malwarebytes 1.05.1.100010Kaspersky Kaspersky Internet Security Kaspersky Lab 11.8.4.474

The rationale behind this selection processis that users will browse the “Top Apps” whenselecting a malware scanning product. Anothermethod would be to use search terms withinthe Play Store, such as “antivirus” and“malware”. This is problematic due to thenaming conventions of applications, key wordsand the search algorithm used by the PlayStore. This would also introduce bias, as keywords and terms we associate with malwarescanners are likely to differ from that of theaverage user. The applications listed in Table 3were selected.

The APK (Android Application Package)install files were then downloaded for theselected applications from the Google PlayStore.

Using AVD (Android VirtualDevice)

For testing, the authors decided to usevirtualised Android phones by using AVD(Android Virtual Device) which is included inthe Android SDK. A virtual Android phonewas used for testing each malware scanner.Each phone was configured in AVD asillustrated in Figure 2.

Each virtual device is named with thereference of the scanner to be tested on thatdevice. The Nexus 5 device template waschosen and the device was set to run the latestversion of Android (5.1.1 13/04/2015). For theCPU architecture ARM was chosen so as toreplicate the architecture found on the physicalNexus 5 phone. Cameras for the device wereemulated, 2048MB of RAM (default) and200MB of internal storage (default) wereallocated. The virtual SD card (Section 6.4)containing the malware samples for each deviceis attached.

Virtual SD Card

Page 10: Malware in the Mobile Device Android Environment · PDF fileAnnual ADFSL Conference on Digital Forensics, Security and Law 2016 May 25th, 10:30 AM Malware in the Mobile Device Android

ADFSL Conference Proceedings 2016 Malware in the Mobile Device Android …

Page 162 © 2016 ADFSL

Once the decision to use virtual devices fortesting was made, the authors decided tocreate an SD card image for each device usingthe Android SDK tool “mksdcard” in order toload the malware samples onto each virtualdevice. The authors created a blank 8GB SDcard using the command: “mksdcard.exe 8G8GBSD” and mounted the image in Ubuntuand copied all 5560 malware samples onto theSD card image, followed by un-mounting theimage. The created image served as the masterfile for all the virtual device’s SD cards andwas not used in testing. An SD card image wasmade for each virtual device and named afterits reference number used in the test. A virtualSD card was used, as it was easy to verify allthe samples to be loaded by checking the hashof the SD card image. Furthermore, using avirtual SD card is a lot faster than booting thephone and copying each malware sampleindividually.

TESTINGThe following steps were followed to test eachmalware scanner. It is important that testingoccurs in a forensically-sound environment sothat a third party performing the same testswould achieve the same results. When carryingout the testing, the authors adhered to the UKACPO (Association of Chief Police Officers)principles (ACPO, 2012) which providesguidelines on the handling of digital evidence.

Although these principles are aimed at lawenforcement and admissibility of evidence incourt, they serve as a solid framework for thistype of testing. ACPO Principle 3 will befollowed and states: “An audit trail or otherrecord of all processes applied to digitalevidence should be created and preserved. Anindependent third party should be able toexamine those processes and achieve the sameresult” (ACPO 2012).

Steps to reproduce:

1. Verify the SD card image to be tested.The MD5 and SHA1 hash shouldmatch that of the original SD cardimage.

2. Configure the Android Virtual deviceand attach the applicable virtual SDcard containing the malware samples.

3. Select the device in AVD manager andselect “Start” to power on the device.

4. Locate “adb.exe,” installed as part ofthe Android SDK.

5. At the command line, call “adb.exeshell.” This will provide shell access tothe device.

a. At the shell, navigate to themounted SD card using “cd/storage/sdcard.”

b. Use the ls command to list themounted files “ls –la.” If thesamples are listed, the SD cardhas mounted successfully.

c. Exit the shell “exit.”6. Install the malware scanning product to

be tested.7. Within the emulator window, find and

launch the application.8. Within the application, ensure that the

most aggressive scanning option isenabled and that that the definitionsare up to date. This will vary betweenapplications.

9. Put the device in Airplane mode toprevent further updating.

10. Begin the scan.11. Record the result. The detection rate is

calculated based on how many of the5560 samples are detected.

As it can be seen from Table 4, five of themalware scanners were unable to detect anymalware samples. The authors decided to carryout further testing to investigate the possiblecause by appending the .apk extension to asmall set of the samples on the SD card.Removing the file extension is common

Page 11: Malware in the Mobile Device Android Environment · PDF fileAnnual ADFSL Conference on Digital Forensics, Security and Law 2016 May 25th, 10:30 AM Malware in the Mobile Device Android

Malware in the Mobile Device Android … CDFSL Proceedings 2016

© 2016 ADFSL Page 163

practice when sharing malware samples as it isthought to help prevent accidental installationof the malware. The samples selected were:

000a067df9235aea987cd1e6b7768bcc1053e640b267c5b1f0deefc18be5dbe1.apk

000e0948176bdec2b6e19d0f03e23f37910676a9b7e7709954614bac79269c36.apk

00c8de6b31090c32b65f8c30d7227488d2bce5353b31bedf5461419ff463072d.apk

00ceaa5f8f9be7a9ce5ffe96b5b6fb2e7e73ad87c2f023db9fa399c40ac59b62.apk

00cf11a8b905e891a454e5b3fcae41f3ed405e3c5d0f9c1fce310de4a88c42d0.apk

The five samples were chosenalphabetically when the malware set waslisted. The results on this additional testing areshown in Table 4.

Table 4Main results

Reference DetectedMalware

Detection Rate(%)

1CM 5532 99.496402877697842Q360 0 03AVG 5546 99.74820143884892

4McAfee 5468 98.345323741007195AVAST 4846 87.158273381294966Norton 0 07Lookout 0 0

8NQ 0 09Malwarebytes 0 010Kaspersky 5420 97.48201438848921

Table 5Drebin testing results

AV1 AV2 AV3 AV4 AV5 AV6 AV7 AV8 AV9 AV10Product AntiVir AVG Bit-Defender ClamAV ESET F-Secure Kaspersky McAfee Panda Sophos

Detectionrate

96.41 93.71 84.66 84.54 78.38 64.16 48.50 48.34 9.84 3.99

RESULTS ANDANALYSIS

The results obtained are illustrated in Table 4.Both AVG and CM scored over 99%; onlyfailing to detect 16 and 28 pieces of malwarerespectively out of the 5560 samples. McAfeeand Kaspersky had lower, but still highdetection rates. Of the malware scanners thatdetected the malware, AVAST scored theworst, failing to detect over 1 in 10 (87%) ofthe malware samples. Q360, Norton, Lookout,NQ and Malwarebytes were unable to detectany of the malware samples.

The DREBIN paper tested ten antivirusscanners “(AntiVir, AVG, Bit-Defender,ClamAV, ESET, F-Secure, Kaspersky, McAfee,Panda, Sophos)” (Arp et al., 2014) against thesame set of malware samples; their detectionrate findings for these products aresummarised in the table below. It is importantto note that the VirusTotal (VirusTotal 2015)website was used to calculate detection rates inthis case.

Direct comparisons to the DREBIN resultscannot be made as VirusTotal does notdifferentiate between vendors’ offered

Page 12: Malware in the Mobile Device Android Environment · PDF fileAnnual ADFSL Conference on Digital Forensics, Security and Law 2016 May 25th, 10:30 AM Malware in the Mobile Device Android

ADFSL Conference Proceedings 2016 Malware in the Mobile Device Android …

Page 164 © 2016 ADFSL

products. Malware scanning engines fromAVG, Kaspersky, and McAfee were, however,tested in both experiments. The results arecompared in Table 6 for completeness.Table 6Additional testingProdu

ctAVG/3A

VGKaspersky/10

KasperskyMcAfee/4McAfee

DREBIN

Paper

93.71 48.50 48.34

ExperimentResult

99.74820143884892

97.48201438848921

98.34532374100719

Difference+/-

+6.03820143884892

+48.98201438848921

+50.00532374100719

Further testing, using a set of malwaresamples appended with the .apk extension,gave the results presented in Table 7 whentested against the malware scanners that wereunable to detect any of the malware samples(2Q360, 6Norton, 7Lookout, 8NQ and9Malwarebytes).

Table 7Testing using a set of malware samples appended with the.apk extensionReference Detected

MalwareDetectionRate (%)

2Q360 0 06Norton 4 807Lookout 5 1008NQ 0 09Malwarebytes 5 100

As Table 7 shows, two out of the fivemalware scanners (2Q360, 8NQ) showed noimprovement in their detection rate whentested against the “apk malware samples.”Three out of the five tested malware scanningproducts (6Norton, 7Lookout, 9Malwarebytes)began detecting the samples as malware oncethe apk extension had been added to thesamples’ filename. This demonstrates thatthese products are not scanning the samplesthat do not have an apk file extension. This is

a critical security risk as Android does notrequire a file extension to install anapplication. With some basic testing usingAndroid virtual devices, the authors discoveredthat when a user opens an application filewithout an extension, the Android operatingsystem prompts the user to choose anapplication to launch that file. The top (anddefault option) in this case is the Androidpackage installer. It appears as thoughAndroid uses the file header rather than theextension to ascertain this. As arecommendation, the developers of theseproducts should carry out the following toremedy the situation:

Malware scanning products shouldscan all files by default andexamine the file header to ascertainthe file type. The filename andextension should not be relied upon.

Malware scanning products shouldcheck these files against a set ofknown malware signatures; againthe filename and extension shouldnot be relied upon to do this asthey are easily changed.

Previous major work (DREBIN) had reliedon the use of VirusTotal, a third party analysissite, which the site owners themselves state isnot fit for the purpose used. In regards to thestatic analysis we performed, in which themalware is not executed, the only factoraffecting the detection rate would be the anti-malware application malfunctioning when runon a virtual device as opposed to a physicalone. In all cases the applications did not reporterrors when installed, executed, or whenperforming scanning on the virtual device.

CONCLUSIONS ANDFUTURE WORK

This paper presents the threats of malware inthe Android environment. The results show

Page 13: Malware in the Mobile Device Android Environment · PDF fileAnnual ADFSL Conference on Digital Forensics, Security and Law 2016 May 25th, 10:30 AM Malware in the Mobile Device Android

Malware in the Mobile Device Android … CDFSL Proceedings 2016

© 2016 ADFSL Page 165

that half of the Android malware scannerswere initially unable to detect any of the 5560malware samples. Further testing proved thatthe reason for this in three of those productswas that the file extension was used, in part,to regulate the scanning. This is a substantialsecurity risk for two reasons: i) a file extensionis easily changed and ii) Android does notrequire a file to have an .apk extension toinstall it as an application. This paper providesa snapshot of the current detection rates of thetested products and identifies a number of keyflaws that could be abused by malwarecreators.

In terms of future work, it would be usefulto investigate those products that showed noimprovement in detection rate during thesecond part of the experiment. The authorswould also like to further analyse the results ofthe top five malware scanners tested in thispaper. It would be interesting to see if thereare any commonalities amongst the samplesthat those scanners were unable to detect.

Finally, this paper focused on staticanalysis of the malware samples. Staticanalysis is the first line of defense againstmalware before it is installed or has the chanceto be propagated by users. Many of theproducts tested claim that they will performanalysis of samples at runtime - detecting andblocking malicious behaviour. By testing boththe static and dynamic capabilities of malwarescanners, a more comprehensive detection ratecould be calculated.

Page 14: Malware in the Mobile Device Android Environment · PDF fileAnnual ADFSL Conference on Digital Forensics, Security and Law 2016 May 25th, 10:30 AM Malware in the Mobile Device Android

ADFSL Conference Proceedings 2016 Malware in the Mobile Device Android …

Page 166 © 2016 ADFSL

REFERENCES

[1] ACPO (2012) ACPO Good Practice Guidefor Digital Evidence. [online] available from<http://www.digital-detective.net/digital-forensics-documents/ACPO_Good_Practice_Guide_for_Digital_Evidence_v5.pdf>

[2] Android Open Source Project (2012)Android, the World’s Most Popular MobilePlatform [online] available from<http://developer.android.com/about/index.html>

[3] Arp, D., Spreitzenbarth, M., Malte, H.,Gascon, H., and Rieck, K. (2014) ‘Drebin:Effective and Explainable Detection ofAndroid Malware in Your Pocket.’Symposium on Network and DistributedSystem Security (NDSS) 23–26

[4] Eitzen, C. Von (2012) Android 4.2 Warnsagainst Malicious Apps and Premium RateTexts [online] available from<http://www.h-online.com/security/news/item/Android-4-2-warns-against-malicious-apps-and-premium-rate-texts-1744110.html> [20April 2015]

[5] Morrill, D. (2008) Announcing the Android1.0 SDK, Release 1 [online] available from<http://android-developers.blogspot.in/2008/09/announcing-android-10-sdk-release-1.html> [10 April2014]

[6] Motive Security Labs (2014) MotiveSecurity Labs Malware Report – H2 2014[online] available from<https://resources.alcatel-lucent.com/asset/184652>

[7] University of Göttingen (2014) TheDREBIN Dataset [online] available from<http://user.informatik.uni-goettingen.de/~darp/drebin/> [10 April2015]

[8] VirusTotal (2015) About VirusTotal [online]available from<https://www.virustotal.com/en/about/>[27 April 2015]

[9] VirusTotal (2015) VirusTotal [online]available from<https://www.VirusTotal.com/> [10 April2015]

[10] Zhou, Y. and Jiang, X. (2012) ‘DissectingAndroid Malware: Characterization andEvolution.’ Proceedings - IEEE Symposiumon Security and Privacy (4), 95–109