The popularity and adoption of smartphones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions.
However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples.
In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011.
In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software.
Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset.
More specifically, in our 1260 malware samples, we find that 1083 of them (or 86.0%) are repackaged versions of legitimate applications with malicious payloads, which indicates the policing need of detecting repackaged applications in the current Android Markets.
Also, we observe that more recent Android malware families are adopting update attacks and drive-by downloads to infect users, which are more stealthy and difficult to detect. Further, when analyzing the carried payloads, we noticed a number of alarming statistics:
(1) Around one third (36.7%) of the collected malware samples leverage root-level exploits to fully compromise the Android security, posing the highest level of threats to users’ security and privacy;
(2) More than 90% turn the compromised phones into a botnet controlled through network or short messages.
(3) Among the 49 malware families, 28 of them (45.3% have the built-in support of sending out background short messages (to premium-rate numbers) or making phone calls without user awareness.
(4) Last but not least, 27 malware families (51.1% of the samples) are harvesting user’s information, including user accounts and short messages stored on the phones.
These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.
To read this external content in full download the paper from the author archives on line.