**4. Android malware**

204 Smartphones from an Applied Research Perspective

**Figure 4.** Android's main attack surfaces, based on descriptions in [9].

Android malware can be characterized in different ways: in [12], a systematic characterization is proposed that ranges from the installation and activation of the malware to the malicious payloads it carries. Under this scheme, malware installation can be generalized into three main social engineering-based techniques: repackaging, update attack, and drive-by download. Repackaging is one of the most common techniques that malware authors use to piggyback malicious payloads onto applications. In essence, malware authors obtain an application file, disassemble it, enclose malicious payloads, reassemble it, and submit the new application to an official or alternative market. Users could be vulnerable by being enticed to download and

**5. Trends of android malware detection**

Malware detection as a discipline combines multiple techniques and principles; Zaki Mas'ud et al. [13] have proposed a general classification including four main categories, see **Figure 5**.

Detection techniques can be classified into three types: signature-based (SB), anomaly-based (AB), and specification-based (SPB) detection. Signature-based detection refers to detecting malware by comparing the captured application signature or pattern with a database of known attacks or threats. AB detection monitors regular activities on the device and looks for any behavior that deviates from the normal pattern. Similar to AB detection, SPB detection also monitors for deviations, but rather than detecting the occurrence of specific attack patterns, it monitors for deviation of the application's behavior from a normal specification. The detection analysis category involves reverse engineering techniques aimed at obtaining information about the behavior of a malware sample in its environment. On the one hand, in static analysis, detection is done through the source code, the binary, or the API level without executing the Android malware. On the other hand, dynamic detection identifies malware through its execution behavior; in this case, detection is done by monitoring the activity of the Android malware at runtime. The detection deployment platform category identifies whether malware detection is deployed on the host or on a remote server. In host detection, all the activity of the device is monitored, analyzed, and processed on the device itself. Meanwhile, remote deployment requires a remote server: the activity of the device is collected on the device, but the analysis and detection process is performed on the remote server. Another important category is the audit data source monitored in the detection process. The data source collected for Android malware detection can be traced within the five Android framework layers (i.e. application, application framework, Android runtime, libraries, and Linux kernel layers).
In addition, network traffic data can also be monitored for any malicious communication activity through the network [13]. Multiple researchers have analyzed different approaches; **Figures 6** and **7** provide an overview, based on the descriptions presented in [14], of the different features and algorithms utilized for static and dynamic malware analysis in different research works.

**Figure 5.** Classification of Android malware detection approaches.
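To make the three detection types from the classification above concrete, the following added example (not code from the chapter or from [13]) runs signature-based, anomaly-based and specification-based detection over a system-call trace, which is one of the audit data sources named in the text (Linux kernel layer). The traces, the signature database, the normal profile and the specification are all constructed for this illustration; no real malware trace is used.

```python
"""Three detection paradigms from the text (SB, AB, SPB) run over
constructed system-call traces. Added example; all data is constructed."""
import re
from collections import Counter

# Constructed "normal" trace: five iterations of a file-and-network loop.
NORMAL_TRACE = ["open", "read", "read", "write", "close",
                "socket", "connect", "sendto", "recvfrom", "close"] * 5

# Constructed suspect trace: the same app, with an unexpected segment spliced in.
SUSPECT_TRACE = (NORMAL_TRACE[:20]
                 + ["open", "read", "fork", "execve", "chmod", "sendto"]
                 + NORMAL_TRACE[20:])

# 1. Signature-based (SB): regular expressions over the space-joined call
#    sequence. The signature itself is constructed for this example.
SIGNATURES = {
    "CONSTRUCTED-SIG-FORK-EXEC": re.compile(r"\bfork execve\b"),
}


def signature_based(trace):
    """Return the names of all signatures that match the trace."""
    text = " ".join(trace)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


# 2. Anomaly-based (AB): learn relative call frequencies from a normal run,
#    then measure how far a new trace deviates from that learned profile.
def build_profile(trace):
    """Relative frequency of each system call in a normal run."""
    counts = Counter(trace)
    total = len(trace)
    return {call: n / total for call, n in counts.items()}


def anomaly_based(profile, trace):
    """Return (L1 distance between frequency profiles, calls never seen in training)."""
    observed = build_profile(trace)
    keys = set(profile) | set(observed)
    distance = sum(abs(profile.get(k, 0.0) - observed.get(k, 0.0)) for k in keys)
    unseen = sorted(set(observed) - set(profile))
    return distance, unseen


# 3. Specification-based (SPB): explicit rules describing what the
#    application is permitted to do, independent of any attack pattern.
SPEC_ALLOWED = {"open", "read", "write", "close",
                "socket", "connect", "sendto", "recvfrom"}
SPEC_REQUIRES_PRIOR = {"sendto": "connect"}  # sendto only after a connect


def specification_based(trace):
    """Return (index, call, reason) for every call that violates the specification."""
    violations = []
    seen = set()
    for i, call in enumerate(trace):
        if call not in SPEC_ALLOWED:
            violations.append((i, call, "call not in specification"))
        needed = SPEC_REQUIRES_PRIOR.get(call)
        if needed and needed not in seen:
            violations.append((i, call, f"requires prior {needed}"))
        seen.add(call)
    return violations


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACE)
    for label, trace in (("normal", NORMAL_TRACE), ("suspect", SUSPECT_TRACE)):
        print(label, "SB:", signature_based(trace))
        print(label, "AB:", anomaly_based(profile, trace))
        print(label, "SPB:", specification_based(trace))
```

The SB check only fires on the exact constructed pattern, the AB check reports both a numeric deviation and the calls never seen in training, and the SPB check flags every call outside the declared specification regardless of whether an attack pattern is known; this is the distinction the text draws between detecting known attack patterns and detecting deviation from a specification.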

Nowadays, most detection techniques for Android malware use statically extracted data from the AndroidManifest.xml file or Android API function calls, as well as dynamically obtained information from network traffic and system call tracing [15]. Moreover, most current detection systems, equipped with a database of regular expressions that specify byte or instruction sequences considered malicious, are largely based on syntactic signatures and employ static analysis techniques. Unfortunately, static and signature-based analysis techniques can be evaded by malware applications using techniques such as polymorphism, metamorphism, and dynamic code loading [16].
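The following added example (not code from the chapter or from [15] or [16]) shows the two static sources named above side by side: features extracted from an AndroidManifest.xml, and a syntactic signature matched as a regular expression over strings from the application's code. The manifest, the code strings, the permission vocabulary and the signature are all constructed for this illustration. It also shows the evasion caveat: renaming a class defeats the syntactic signature while the manifest-derived feature vector is unchanged.

```python
"""Static feature extraction from a constructed AndroidManifest.xml plus a
regex signature over constructed code strings. Added example; all data is
constructed, the signature is not a real one."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
EXPORTED = f"{{{ANDROID_NS}}}exported"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Constructed manifest (not from any real application).
MANIFEST_XML = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"/>
  </application>
</manifest>
"""

# Constructed feature vocabulary: the permissions a classifier would be trained on.
PERMISSION_VOCAB = ["INTERNET", "READ_SMS", "SEND_SMS",
                    "RECEIVE_BOOT_COMPLETED", "CAMERA", "READ_CONTACTS"]


def extract_manifest_features(xml_text):
    """Return (requested permission short names, exported components without a guard permission)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME).rsplit(".", 1)[-1] for el in root.iter("uses-permission")}
    unguarded_exports = []
    for comp in root.find("application"):  # activity, service, receiver, provider
        if comp.get(EXPORTED) == "true" and comp.get(PERMISSION) is None:
            unguarded_exports.append(comp.get(NAME))
    return perms, unguarded_exports


def permission_vector(perms):
    """Binary feature vector over the vocabulary, as used as ML input in Figure 6."""
    return [1 if p in perms else 0 for p in PERMISSION_VOCAB]


# Syntactic signature database: regular expressions over code strings
# (method descriptors). The single entry here is constructed.
SIGNATURE_DB = {
    "CONSTRUCTED-SIG-1": re.compile(r"Lcom/constructed/Payload;->run\("),
}


def signature_scan(code_strings):
    """Return the names of all signatures matching the joined code strings."""
    blob = "\n".join(code_strings)
    return sorted(name for name, rx in SIGNATURE_DB.items() if rx.search(blob))


# Constructed code strings: the original and a variant with the class renamed,
# which is the kind of change polymorphic/metamorphic repackaging introduces.
ORIGINAL_STRINGS = ["Lcom/constructed/Payload;->run()V",
                    "Lcom/constructed/Helper;->init()V"]
RENAMED_STRINGS = ["Lcom/constructed/a;->b()V",
                   "Lcom/constructed/c;->d()V"]

if __name__ == "__main__":
    perms, exports = extract_manifest_features(MANIFEST_XML)
    print("permissions:", sorted(perms))
    print("unguarded exported components:", exports)
    print("feature vector:", permission_vector(perms))
    print("signature on original:", signature_scan(ORIGINAL_STRINGS))
    print("signature on renamed: ", signature_scan(RENAMED_STRINGS))
```

The manifest features survive the renaming because they are declared, not derived from code text; that robustness is why manifest-based features appear so often in the static approaches summarized in Figure 6, while the regex signature is exactly the kind of syntactic check the text says polymorphism and metamorphism evade.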

Dynamic analysis defines a set of rules for the application's behavior, each corresponding to a possible attack, against which the application is challenged. An event is simulated for each rule and the triggered behaviors are checked to detect malicious applications. In some cases, modern malicious applications are capable of evading dynamic analysis because they become aware of the analysis environment, or because the malware sample is unable to obtain some required external data or service [16].

As security threats evolve, static and dynamic analysis techniques are less capable of identifying malware code on their own. Thus, hybrid approaches combine aspects of both static and dynamic analysis [17]. The implementation of hybrid solutions for malware analysis and detection is not a new approach in the PC anti-malware literature [18]. However, the particular characteristics and constraints of mobile devices have defined a new area of their own. In this sense, for example, even though malware analysis and detection schemes can be deployed either locally or offloaded to external equipment, such as a remote server, the differences between the mobile and PC ecosystems imply a totally different approach to solving this challenge in each case. In the particular case of mobile devices, most current client-side security solutions are anti-virus or anti-malware applications installed on the devices, which protect them against known malicious applications based on signatures of known malicious applications [19]. On the other hand, cloud-based systems are mainly designed to offload a significant part of the operation to the cloud. Both approaches entail performance constraints and disadvantages. As an example, applications installed on mobile devices that aim to provide real-time protection come with an associated decrease in the device's performance and battery life, while cloud-based approaches making use of high-end resources cannot offer real-time protection on their own, as they can leave devices vulnerable when connectivity with the server is poor [20].

**Figure 6.** Some common static analysis features and algorithms that are used to process them for different research approaches, based on [14].

**Figure 7.** Some common dynamic analysis features and algorithms that are used to process them for different research approaches, based on [14].

While hybrid detection and analysis schemes that take advantage of both static and dynamic analysis, as well as of combined local and remote implementation or execution, are generally common for PC equipment, such schemes are not common for mobile devices. Most solutions combine either static and dynamic analysis methods or local and remote deployments, but not both, as doing so would require too many compromises to be achievable with current technologies [18].
