1. Android Malware Detection
Mechanisms
Talha KABAKUŞ
talhakabakus@gmail.com

2. Agenda
● Android Market Share
● Malware Types
● Android Security Mechanism
● User Profiles
● Static Analysis
● Signature Based Analysis & Protection
● Encrypted Data Communication

3. Android Users
more than
1 billion
users
Surdar Pichai
Q4 2013

4. Applications
more than
1 million
applications
Hugo Barra
Temmuz 2013

5. Android Market Share
Source: Strategy Analytics
81.3%
Q3 2013

6. Why Android is so popular?
● Open source
● Google support
● Free
● Linux based
● Java
● Rich SDK
● Strong third party
community ve support
○ Sony, Motorola, HTC, Samsung

7. Malware Market
99%Source: CISCO 2014 Security Report

8. Malware Stats
Source: Sophos Labs
1 million

9. Malware Types
● Backdoor
○ Access to a computer system that
bypasses security mechanisms
● Exploit
○ Modifications on operating system
○ User interface modifications
● Spyware
○ Unauthorized advertising
○ Private data collection, transmission
○ Unauthorized operations (SMS, calls)

10. Android Security Mechanism
● Permission based
○ Accept / Reject
● Public, indefensible market
○ Everyone can upload any
application
● Passive protection - feedback based
○ Applications are removed through
negative feedbacks

11. User Profiles
42%
Unaware about
permissions
83%
do not interest in
permissions
Source: Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: User
Attention, Comprehension, and Behavior. Proceedings of the Eighth Symposium on Usable Privacy and
Security - SOUPS ’12. p. 1 (2012).

12. Static Analysis Approach
● Inspection of APK files using reverse
engineering
● Manifest file
○ Permissions
○ Activities
○ Services
○ Receives
● API calls
● Source code inspection

13. Static Analysis Tools
● apktool
○ Extracts .apk archives
● aapt
○ Lists .apk archive contents
● dex2jar
○ Converts .dex files into .jar
● jd-gui
○ Converts .class files into Java sources

14. ● Equality checks
● Type conversion controls
● Static updates
● Dead code detection
● Inconsistent hashCode
and equals definitions
● null pointer controls
● Termination controls
Source Code Inspection

15. Type Conversion Sample
<EditText android:layout_width="fill_parent"
android:layout_height="wrap_content" android:
id="@+id/username"/>
EditText editText = (EditText) findViewById(R.
id.username);
XML
Java

16. null pointer control sample
Java Activity Class
Layout definition

17. Dead Code Detection Sample
Never be executed
Unreachable
code

18. Signature Based Analysis & Control
● Signature database
● Smartphone client
● Central server
● Learning based
● Classification
Bening Malware

19. Encrypted Data Communication
● All valuable data is encrypted and stored in
SQLite database; decrypted when it is
required.
● SMS
● Email
● Sensitive files
● Password
● Personal
information Pocatilu, 2011

20. System Comparisons
Ability MADAM DroidMat Julia
Manifest inspection Var Var Var
API call trace Var Var Var
Signature database Var Var Yok
Encrypted communication Yok Yok Yok
Machine learning Var Var Yok

21. References I
● Bicheno, S.: Android Captures Record 81 Percent Share of Global Smartphone Shipments in
Q3 2013, http://blogs.strategyanalytics.com/WSS/post/2013/10/31/Android-Captures-
Record-81-Percent-Share-of-Global-Smartphone-Shipments-in-Q3-2013.aspx.
● Rowinski, D.: Google Play Hits One Million Android Apps, http://readwrite.
com/2013/07/24/google-play-hits-one-million-android-apps.
● Cisco 2014 Annual Security Report, https://www.cisco.
com/web/offer/gist_ty2_asset/Cisco_2014_ASR.pdf.
● Felt, A.P., Finifter, M., Chin, E., Hanna, S., Wagner, D.: A survey of mobile malware in the wild.
SPSM ’11 Proceedings
● Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, You, Get Off of My Market: Detecting Malicious
Apps in Official and Alternative Android Markets. Proceedings of the 19th Annual Network
and Distributed System Security Symposium (NDSS) (2012).
● Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: User
Attention, Comprehension, and Behavior. Proceedings of the Eighth Symposium on Usable
Privacy and Security - SOUPS ’12. p. 1 (2012).
● Felt, A.P., Greenwood, K., Wagner, D.: The effectiveness of application permissions.
Proceeding of the WebApps’11 Proceedings of the 2nd USENIX conference on Web
application development. p. 7. USENIX Association, Berkeley, CA, USA (2011).
● Enck, W., Ongtang, M., Mcdaniel, P.: On Lightweight Mobile Phone Application Certification.
ACM conference on Computer and communications security. pp. 235–245 (2009).

22. References II
● Android Architecture, http://www.tutorialspoint.
com/android/android_architecture.htm.
● Wu, D.-J., Mao, C.-H., Wei, T.-E., Lee, H.-M., Wu, K.-P.: DroidMat: Android
Malware Detection through Manifest and API Calls Tracing. 2012 Seventh
Asia Joint Conference on Information Security. pp. 62–69 (2012).
● Payet, É., Spoto, F.: Static analysis of Android programs, (2012).
● Guido, M., Ondricek, J., Grover, J., Wilburn, D., Nguyen, T., Hunt, A.:
Automated identification of installed malicious Android applications. Digital
Investigation (2013).
● Dini, G., Martinelli, F., Saracino, A., Sgandurra, D.: MADAM: A Multi-level
Anomaly Detector for Android Malware. In: Kotenko, I. and Skormin, V. (eds.)
Computer Network Security. pp. 240–253. Springer Berlin Heidelberg, Berlin,
Heidelberg (2012).
● Pocatilu, P.: Android applications security. Inform. Econ. 15, 163–171.
Retrieved from http://revistaie.ase.ro (2011).

23. Thanks...
/talhakabakus
talhakabakus@gmail.com
talhakabakus.weebly.com