Analysis of Malware Families on Android Mobiles: Detection Characteristics Recognizable by Ordinary Phone Users and How to Fix It
1. Introduction
In recent years, sales of Android phones have continued to accelerate. According to Gartner [1], the share of phones running the Android operating system rose from 52.5% in 2011 to 72.4% in 2012, while the share of iOS fell from 15% to 13.9% over the same period. Applications for Android are no longer distributed only through the Android Market: third-party markets now run their own app stores, in addition to the thousands of everyday applications. According to Xyologic (“Android to overtake Apple soon”), Apple’s App Store has now reached 25 billion downloads and Android’s app store has reached 10 billion, but both are tracked at 1 billion downloads a month [2].
This growth brings with it a growing amount of malicious software for the Android operating system. According to Kaspersky Lab, mobile malware increased threefold in the second quarter of 2012, and in 2012 99% of all the mobile malware they detected each month was designed for Android. The most widespread malicious objects detected on Android smartphones fall into three main groups: SMS Trojans, advertising modules and exploits to gain root access to the smartphone [3]. At the same time, 40% of modern smartphone owners do not use antivirus software [4].
While malware is growing rapidly, many ordinary users who have easy access to a smartphone have no basic understanding of the potential danger. We therefore need to classify samples by shared characteristics, and to keep collecting new malware, in order to build malware families. These families can then be analyzed in full to derive signs that ordinary users can recognize, together with protective measures that mitigate the impact and risk of malware before it is installed from the official Android Market or a third-party market.
In this paper, the author first discusses the features used to select samples of malware families and the methods used to analyze them. Section 2 presents the methods and tools used to analyze the malware samples. Section 3 presents selected results: the features that ordinary users can easily recognize. For this analysis the author collected, from projects, blogs and the threat reports of antivirus companies [5,6] (which list the existing malware families and add new ones every day), the list of families and the threats that malicious applications pose. Section 4 shows the detection results with ten representative mobile antivirus products. Section 5 discusses six steps to secure an Android phone. Section 6 is the summary.
2. Methods and Tools to Analyze Malware Samples
In this section, the author first discusses the features used to select samples of malware families, and then the methods used to analyze them.
2.1. Malware Family
The defining feature of a malware family is closeness: certain traits are preserved across its members, for example a similar activation mechanism, much as a biological family shares facial features, hereditary diseases and a host of other commonalities.
One of the most harmful families is the KungFu malware family. Its variants go by different names: KungFuA (KungFu1), KungFuB (KungFu2), KungFuC (KungFu3), KungFuD (KungFu4), KungFuE (KungFu Sapp) and KungFu Lena (Legacy Native). Their properties are analysed as follows:
All KungFu malware is repackaged into applications that are downloaded from third-party markets and forums. It adds a new service and a new receiver to the host application. Using root exploits, it launches the service automatically so that it does not need to interact with the user. KungFu can collect information about the infected phone, including the IMEI number, the phone model and the version of Android OS. The first variant, KungFuA, is written in Dalvik code compiled from Java, uses a single C&C server and encrypts its payload with AES. KungFuB, by contrast, uses native code and three C&C servers. KungFuC inherits from KungFuB and exploits a vulnerability that allows local users to gain privileges by sending a NETLINK message (CVE-2009-1185) [7]. KungFuD inherits from KungFuA and encrypts its native binaries. KungFuE inherits from KungFuD, encrypts a few strings to obfuscate its code, and uses a custom certificate in the official market [8-10]. The structure of the “DroidKungFu” variants is shown in Figure 1.
The purpose of these variations is to evade detection by mobile antivirus software, which makes it difficult for antivirus products to detect every variant at a rate of 100%.
2.2. Methods and Tools to Analyze Android Mobile Malware Sample
The common method for analysing malware on Android OS is reverse engineering: the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation [10]. Android OS was developed by Google and is based on the Linux kernel and GNU software; applications, malware included, are packaged as files with the .apk extension. An APK contains all of the application’s code (.dex files), its resources, assets and manifest file. A .dex (Dalvik Executable) file is the compiled code of an Android application. Tools for examining the inner workings of Android applications fall into three groups:
1) Command line:
• Tools to unpack the .apk file: WinZip, RAR
• Tools to get the bytecode from the .dex file: for example, smali to assemble and baksmali to disassemble (or dex2jar with jd-gui), dexdump, …
The author analysed a sample (RU.apk) as follows:
Step 1: The malware is an .apk package; extract its contents (see Figure 2).
Step 2: Use the smali/baksmali tools to disassemble the classes.dex file and extract its bytecode as .smali files (see Figure 3).
Step 3: Open the code contained in the MoviePlayer.smali file to discover what the malware does (see Figure 4).
2) Software to compile and decompile:
• Convert between Java code, smali code and .dex: for example APKtoJava.
The author analysed the same sample (RU.apk) as follows:
Step 1: Open APKtoJava (see Figure 5).
Step 2: Open the Java class to read the program source (see Figure 6).
3) Using a website: for example http://anubis.iseclab.org. The author analysed the sample (RU.apk) as follows:
Upload the .apk file to the website for analysis (see Figure 7).
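Steps 1 and 2 of the command-line approach (unpack the APK, then pull out classes.dex before disassembling it) can be scripted. The following Python script is an added example for this paper, not a tool from the original text: it treats the APK as the zip archive it is, lists its entries, and parses the 112-byte DEX header of classes.dex, verifying the Adler-32 checksum and SHA-1 signature that the DEX format defines. Because a real malware sample cannot be shipped here, the script builds a constructed, header-only classes.dex and a constructed APK around it; the tamper() helper shows how a file patched after compilation fails the integrity check.

```python
import hashlib
import io
import struct
import zipfile
import zlib

# Layout of the 112-byte DEX header (after the 8-byte magic, 4-byte Adler-32
# checksum and 20-byte SHA-1 signature): twenty little-endian uint32 fields.
DEX_HEADER_SIZE = 0x70
DEX_HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data: bytes) -> dict:
    """Parse a classes.dex header and verify its integrity fields.

    Returns the header fields plus magic_ok, checksum_ok and signature_ok.
    A truncated, corrupted or hand-patched file fails at least one of them.
    """
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("too short to be a dex file")
    magic = data[0:8]
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    fields = dict(zip(DEX_HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))
    fields["magic"] = magic
    fields["magic_ok"] = magic[:4] == b"dex\n" and magic[7:8] == b"\x00"
    # Adler-32 covers everything after the checksum field itself.
    fields["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    # SHA-1 covers everything after the signature field.
    fields["signature_ok"] = hashlib.sha1(data[32:]).digest() == signature
    return fields


def build_sample_dex(string_count: int = 3) -> bytes:
    """Constructed sample: a header-only dex (no classes) with a consistent
    checksum and signature, so the parser can be exercised offline."""
    body = struct.pack("<20I", DEX_HEADER_SIZE, DEX_HEADER_SIZE, 0x12345678,
                       0, 0, 0, string_count, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + body


def build_sample_apk() -> bytes:
    """Constructed sample APK: a zip with the entries an analyst expects to see."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"placeholder, not real binary XML")
        apk.writestr("classes.dex", build_sample_dex())
        apk.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def inspect_apk(apk_bytes: bytes) -> dict:
    """Step 1: open the APK as a zip and list its entries.
    Step 2: pull classes.dex out and check its header before disassembling it."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        entries = apk.namelist()
        dex = apk.read("classes.dex")
    return {"entries": entries, "dex": parse_dex_header(dex)}


def tamper(dex: bytes) -> bytes:
    """Flip one bit in the last header field: checksum and signature no longer match."""
    patched = bytearray(dex)
    patched[-1] ^= 0x01
    return bytes(patched)


if __name__ == "__main__":
    report = inspect_apk(build_sample_apk())
    print("entries:", report["entries"])
    hdr = report["dex"]
    print("magic ok:", hdr["magic_ok"], "checksum ok:", hdr["checksum_ok"],
          "signature ok:", hdr["signature_ok"], "strings:", hdr["string_ids_size"])
    print("tampered checksum ok:", parse_dex_header(tamper(build_sample_dex()))["checksum_ok"])
```

On a real sample, replace build_sample_apk() with the bytes of the .apk under analysis; a header whose checksum or signature does not verify is a sign the file was edited after being built, which is itself worth noting in the analysis report.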
Figure 2. The classes.dex file to analyze.
Figure 3. MoviePlayer.smali is the main code of the malware.
Figure 4. The malware sends a message to phone number 3354.
Figure 5. Screen of the APK tool decompiling to Java sources.
Figure 6. A Java class source after decompilation by the APK tool.
Figure 7. An analysis result for the file RU.apk from the website.
3. Results of the Features That Ordinary Users Easily Recognize
While analysing the samples collected, the author encountered difficulties with the differing names given by the researchers who first found each sample. The statistics therefore record all the different names, for easy sorting into malware families. In addition to describing the visible symptoms, the author used illustrations or icons in Table 1.
The symptoms of malware that exploits the device to gain root privilege, however, are not easily visible. We therefore propose the use of mobile security software in the next section, with assessment test results on our sample set.
The statistical results below draw on the first detections reported by antivirus vendors (Symantec, NQMobile, F-Secure, Lookout, Kaspersky, AVG, …) and on related project links and blogs: http://www.csc.ncsu.edu/faculty/jiang, http://www.fortiguard.com, http://androguard.blogspot.com, http://blog.fortinet.com/... [10-52].
In the first column of Table 4, the author collected the different names of the same malware families [5,52] used by different anti-virus companies, based on installation methods, activation mechanisms or the name of the malicious packaged applications added. This solves the problem of naming schemes of malware families described in [5]: “Last but not least, during the process of collecting malware samples into our current dataset, we felt confusions from disorganized or confusing naming schemes”.
Table 1. Describes characterization and area of the effects of malware families.
(*): Details of Table 1 are described in Table 2. (**): Details of Table 1 are described in Table 3.
Table 2. Gives a detailed explanation of the information-stealing activities of malware.
Table 3. Abbreviated names of areas.
From the visible symptoms of the malware families in Table 5, the author proposes some specific criteria for identifying mobile malware:
Ordinary phone users can recognize several features, such as: premium-rate services and an abnormal increase in the phone bill; display of a black screen; automatic installation of software that the user has not requested; no launcher icon in the application list after installation; warnings that an application is not licensed, together with an offer to crack it; …
However, malicious software is not a software bug, so when installing or running software, users should consider whether any of the features above are occurring.
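The first of these features, premium-rate SMS and an abnormal bill, leaves a trace that can be checked mechanically. The following Python script is an added example, not part of the original paper: it runs over a constructed outgoing-SMS log (timestamp, sending app, destination) and flags two patterns typical of SMS Trojans: messages to short codes sent by an app that is not a messaging app, and a burst of several messages from one app within a short window. The short code 3354 is the number shown in the paper's Figure 4; the app package names, timestamps and thresholds are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log of outgoing SMS: (timestamp, sending app, destination).
# The short code 3354 mirrors Figure 4; apps and times are invented for this example.
SAMPLE_SMS_LOG = [
    ("2012-10-01 09:12:00", "com.android.mms", "+84912345678"),
    ("2012-10-01 18:40:00", "com.android.mms", "+84987654321"),
    ("2012-10-02 03:05:11", "com.movie.player", "3354"),
    ("2012-10-02 03:05:13", "com.movie.player", "3354"),
    ("2012-10-02 03:05:15", "com.movie.player", "3354"),
    ("2012-10-02 03:06:02", "com.movie.player", "3354"),
    ("2012-10-02 11:20:00", "com.android.mms", "+84912345678"),
]

# Apps the user expects to send SMS on their behalf (assumption for this example).
MESSAGING_APPS = {"com.android.mms"}


def is_short_code(number: str) -> bool:
    """Premium-rate services are typically reached through 3- to 6-digit short codes."""
    digits = number.lstrip("+")
    return digits.isdigit() and 3 <= len(digits) <= 6


def find_sms_anomalies(log, burst_window_s: int = 120, burst_threshold: int = 3) -> dict:
    """Return {'short_code': [(app, dest, ts), ...], 'burst': {app: max_count}}.

    short_code: an SMS to a short code sent by an app that is not a messaging app.
    burst:      an app sent at least burst_threshold messages within burst_window_s.
    """
    findings = {"short_code": [], "burst": {}}
    per_app = defaultdict(list)
    for ts, app, dest in log:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        per_app[app].append(when)
        if is_short_code(dest) and app not in MESSAGING_APPS:
            findings["short_code"].append((app, dest, ts))
    for app, times in per_app.items():
        times.sort()
        largest = 0
        for i, start in enumerate(times):
            # Widen the window from message i as far as burst_window_s allows.
            j = i
            while j + 1 < len(times) and (times[j + 1] - start).total_seconds() <= burst_window_s:
                j += 1
            largest = max(largest, j - i + 1)
        if largest >= burst_threshold:
            findings["burst"][app] = largest
    return findings


if __name__ == "__main__":
    result = find_sms_anomalies(SAMPLE_SMS_LOG)
    for app, dest, ts in result["short_code"]:
        print(f"{ts}: {app} sent SMS to short code {dest}")
    for app, count in result["burst"].items():
        print(f"{app}: burst of {count} messages within 120 s")
```

The same two checks explain why the bill rises before the user notices anything: each message to a short code is billed, and a burst of four in one minute is something no user typed.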
4. Detection Results of Malware Families
The author installed four mobile security products from the Lenovo Store on a Lenovo P70 phone (version 2.3.5) to assess their effectiveness on the same configuration, the same phone and the same sample set: Dr. Web Anti-virus v7.00.3 (Dr. Web), Kaspersky Mobile Security 9.10.139 (Kaspersky), NQmobile antivirus v5.2 (NQ or NetQin) and Zoner Mobile Security v1.0.0 (Zoner).
The testing results show that some products, such as Zoner, reach a detection rate of 99.4% (Tables 5 and 6, Figure 8).
5. Discussion
Table 6. Result of detecting malware families (total).
From the analysis of malware families and samples, the author saw that users’ ability to detect malware is usually limited. The rapid development of new applications, and of variants that are immune to mobile security software, requires an overall solution: analysis of new variants and detection of new viruses to alert the community, after which users should also take preventive measures:
1) Users should carefully read and understand an application’s permissions and compare them with the real features of the app. In particular, users should not install or update software that is not necessary, because the effects of such an app are unknown.
2) When an app is installed, users should check for anything extraordinary: no icon appearing for the app (or more than one icon). Check the phone bill or account regularly.
Figure 8. Result of detecting malware families (chart).
3) Users should invest in licensed mobile security software and install all apps from the official Android Market instead of third-party markets.
4) Users should download apps that have thousands of downloads and mostly positive comments.
5) Turn off unused features such as GPS, GPRS, Wi-Fi (Settings > Wireless & networks > Wi-Fi) and extended memory access (Settings -> Applications -> Development -> USB debugging), … In particular, Android OS allows users to install .APK files from unknown sources directly, which lets malware easily penetrate the user’s phone (Settings -> Applications -> Unknown sources).
6) Keep your phone patched and up to date.
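Step 1 above, comparing an app’s requested permissions with its real features, is the check a user can do before installing. The Python script below is an added example for this paper, not a tool from the original text: it reads the uses-permission entries from a decoded AndroidManifest.xml (the text form produced by a decompiler, here a constructed manifest for a fictitious movie player), and flags permissions that are dangerous in the sense of the paper’s findings (sending SMS, reading the IMEI, starting at boot, installing further packages) whenever the app’s stated category does not justify them. The permission names are real Android permissions; the per-category expectations and the verdict thresholds are this example’s own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a decoded manifest for a fictitious movie player that asks for
# far more than playing video requires (the pattern the KungFu family shows).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.movieplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Movie Player"/>
</manifest>"""

# Real Android permission names, each with the symptom it can produce for the user.
DANGEROUS = {
    "android.permission.SEND_SMS": "can send premium-rate SMS (phone bill increase)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.READ_PHONE_STATE": "can read the IMEI and phone identity",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can start itself silently at boot",
    "android.permission.INSTALL_PACKAGES": "can install software the user did not request",
    "android.permission.ACCESS_FINE_LOCATION": "can track the phone's location",
    "android.permission.CALL_PHONE": "can place calls",
}

# What each category of app plausibly needs (assumption for this example).
EXPECTED_BY_CATEGORY = {
    "movie player": {"android.permission.INTERNET", "android.permission.WAKE_LOCK",
                     "android.permission.WRITE_EXTERNAL_STORAGE"},
    "messaging": {"android.permission.INTERNET", "android.permission.SEND_SMS",
                  "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS"},
}


def requested_permissions(manifest_xml: str) -> list:
    """Extract the android:name of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def review_permissions(category: str, requested) -> tuple:
    """Return (risk_score, findings): one finding per dangerous permission that the
    app's stated purpose does not explain. Score is the number of such findings."""
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    findings = [(perm, DANGEROUS[perm]) for perm in requested
                if perm in DANGEROUS and perm not in expected]
    return len(findings), findings


def verdict(score: int) -> str:
    """Simple decision rule for the user (threshold is an assumption of this example)."""
    if score >= 2:
        return "do not install"
    return "review" if score == 1 else "ok"


if __name__ == "__main__":
    perms = requested_permissions(SAMPLE_MANIFEST)
    score, findings = review_permissions("movie player", perms)
    print("requested:", perms)
    for perm, reason in findings:
        print(f"  {perm}: {reason}")
    print("verdict:", verdict(score))
```

The same manifest reviewed as a "messaging" app scores lower, because sending SMS is part of what such an app does; the point of the check is the mismatch between claimed purpose and requested power, not the permission on its own.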
6. Conclusions
From the analysis of the characteristics of the collected malware samples, the author classified them into their existing families or added new families to the collection, giving 58 malware families and 1485 malware samples. The author also introduced three different techniques to analyze the samples, as introduced in Section 1.
The author selected the characteristics recognizable by ordinary users for the families collected (Table 1), and proposed solutions as recommendations to users before installing an app, with the ultimate aim of mitigating the damage to the community of Android phone users, especially ordinary users with limited understanding of the potential hazards. The visible symptoms of malware that exploits the device to gain root privilege are difficult to see and detect, because such malware silently executes malicious code in the platform OS. Mostly, it steals information and sends it to a remote server or URL, or by SMS messages (to a premium-rate number or not).
The author presented evaluation results for four of the top ten mobile security products listed by AV-TEST in 2012 [51] against each family, so that users can make an appropriate choice to fix and prevent infections in the future, especially for malware using root exploits, once an infection is detected.
Besides, ordinary phone users can recognize malware by its visible symptoms in order to fix it (Table 4), and they should be careful when downloading and installing apps from the official Android Market, following the security advice in Section 5. If users are really concerned about the potential risks, they should consider investing in an effective mobile security app, because it is still the best bet to stay protected anywhere, anytime. Also, when software from an unknown source is installed, the phone may already be infected with malicious software before a security app can protect it.