**4. Android malware**

Android malware can be characterized in different ways. In [12], a systematic characterization is proposed that covers installation, activation, and the malicious payloads carried. Malware installation can be generalized into three main social engineering-based techniques: repackaging, update attack, and drive-by download.

Repackaging is one of the most common techniques that malware authors use to piggyback malicious payloads onto applications. In essence, malware authors obtain an application file, disassemble it, enclose malicious payloads, reassemble it, and submit the new application to an official or alternative market. Users become vulnerable when they are enticed to download and install these infected applications. In an update attack, instead of enclosing the payload as a whole, only an update component is included, which fetches or downloads the malicious payloads at runtime. Because the malicious payload is in the "updated" application, not in the original application itself, this technique is stealthier than one that directly includes the entire malicious payload in the first place. The third technique applies the traditional drive-by download attack to the mobile space. Although such attacks do not directly exploit mobile browser vulnerabilities, they essentially entice users to download "interesting" or "feature-rich" applications.

These are only the common techniques. Other threats include combinations of the previous techniques, as well as: "spyware," which is intended to be installed on victims' phones on purpose; fake apps that masquerade as legitimate applications but stealthily perform malicious actions, such as stealing users' credentials; and applications that are not fake, in that they provide the functionality they claim, but that intentionally include malicious functionality unknown to users. Finally, there is a group of applications that rely on root privilege to function well. They leverage known root exploits to escape from the built-in security sandbox [12].
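The repackaging pattern described above leaves a recognizable footprint: a candidate APK reuses most of a trusted build's resources, changes or adds DEX code, and carries a different signing certificate. The following triage sketch is an added example, not code from [12]. It assumes the certificate digests are obtained separately (for example from `apksigner verify --print-certs`); the archives, digests, threshold and function names are constructed for illustration.

```python
import hashlib
import io
import zipfile

def entry_digests(apk_bytes):
    """Map every archive entry name to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {n: hashlib.sha256(apk.read(n)).hexdigest() for n in apk.namelist()}

def repackaging_indicators(ref_apk, ref_signer, cand_apk, cand_signer, reuse_threshold=0.7):
    """Compare a candidate APK against a trusted reference build of the same app."""
    ref, cand = entry_digests(ref_apk), entry_digests(cand_apk)
    is_code = lambda n: n.endswith(".dex")
    is_sig = lambda n: n.startswith("META-INF/")
    # Non-code, non-signature entries of the reference (manifest, resources, assets).
    payload = [n for n in ref if not is_code(n) and not is_sig(n)]
    reused = [n for n in payload if cand.get(n) == ref[n]]
    reuse_ratio = len(reused) / len(payload) if payload else 0.0
    # DEX files that were modified or newly added relative to the reference.
    changed_code = sorted(n for n in cand if is_code(n) and cand[n] != ref.get(n))
    signer_changed = ref_signer.lower() != cand_signer.lower()
    return {
        "reuse_ratio": reuse_ratio,
        "changed_code": changed_code,
        "signer_changed": signer_changed,
        # A same-signer build with new code is an ordinary update, not repackaging.
        "likely_repackaged": signer_changed and bool(changed_code)
                             and reuse_ratio >= reuse_threshold,
    }

def build_sample(entries):
    """Build a constructed in-memory archive standing in for an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample data, not real applications or certificates.
BASE = {"AndroidManifest.xml": b"manifest-v1", "classes.dex": b"app-code",
        "res/icon.png": b"icon", "res/layout.xml": b"layout", "assets/data.bin": b"data"}
REFERENCE = build_sample(BASE)
SUSPECT = build_sample({**BASE, "AndroidManifest.xml": b"manifest-extra-perms",
                        "classes.dex": b"app-code+hook", "classes2.dex": b"payload"})
UPDATE = build_sample({**BASE, "classes.dex": b"app-code-v2"})
DEV_CERT, OTHER_CERT = "aa" * 32, "bb" * 32  # placeholder certificate digests

if __name__ == "__main__":
    print(repackaging_indicators(REFERENCE, DEV_CERT, SUSPECT, OTHER_CERT))
    print(repackaging_indicators(REFERENCE, DEV_CERT, UPDATE, DEV_CERT))
```

The signer comparison carries most of the weight: resource reuse and changed code also occur in legitimate updates, so the sketch flags a candidate only when all three indicators agree.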
