ANDROID MALWARE
Cristina Ștefania POPESCU1
The Google Play Android market is growing faster every day. Along with its popularity, the
number of Android malware samples in the wild has been growing explosively since late 2011. Because
Android is an open source project, available to any developer, it has become easy to create
Android malware. Given the growth in the number of Android malware samples, it is essential to come
up with complex security mechanisms. Without an insightful understanding of how Android
malware attacks a target's system, it is hard to come up with efficient defensive solutions. This
project describes a new idea of malware to prove that the Android system still has vulnerabilities
that might be exploited and to exemplify how a malware operates.
Keywords: security, Android, Malware, Reverse Engineering
1. Introduction
Android was developed under the Android Open Source Project (AOSP) and most of
the available Android applications are published on the Google Play Market. The increasing
number of Android OS users has encouraged more developers to start producing
applications. At the current time, there are over 1 million applications on the market. Along
with them, the number of malicious applications has also increased. In order to keep
malicious apps off the official Android app store, Google introduced a security service
named Bouncer. Bouncer does stop many malicious Android apps from getting into Google
Play; however, it can be evaded. Even though Google has the ability to remotely remove
installed apps from a user's device, it cannot undo all the malicious actions performed on that
device. Many of the Google Play applications use sensitive data like banking accounts and
passwords, which represent a temptation for the attackers targeting Android.
The malware app developers have exploited all these Android security
vulnerabilities, by stealing information and by analyzing the entire target's system. There
are some malware applications which pretend to be good applications but instead
collect information from the user's system and send it to remote software. This is why
it is important to know how a malware performs an attack and how to protect our devices.
In this project, I first present what Android security implies, in the
background chapter. Then, I exemplify how an Android malware is created and
list the main Android malware families discovered until now. In the last part of the
project, a new idea of malware is described and explained.
1 Faculty of Automatic Control and Computers, University "Politehnica" of Bucharest, România, e-mail:
[anonimizat]
2. Background
In the first place, Android uses sandboxing or trusted execution environments. This is
a security mechanism whose purpose is to isolate running applications based on mandatory
access control policies. This technique can provide protection against malicious applications,
but it is not efficient if the users overlook the permissions granted to installed apps.
Unfortunately, sandboxing does not prevent applications from exploiting system or kernel
vulnerabilities.
Android security is mostly based on permission levels. Each application is
assigned a unique id in order to protect the integrity of the application data. Along with this,
the developer gives the application different permissions, which are defined in the Android
Manifest XML file. There are different levels of permission: normal, dangerous, signature,
and signature or system. [4]
Normal permission allows the users to access data outside the application's sandbox,
but it implies a small risk. Such permissions are useful when the user needs to access the
network state or to turn on the flashlight. The system grants this kind of permission
automatically.
Dangerous permission allows the users to access private user information like the
user’s contact list. For this type of permission, the user has to explicitly grant the access.
Signature permissions can be granted to applications that were signed with the same
key as the package that has defined that permission.
Signature or system permission level is almost the same as the signature protection
level, except that the permission can also be requested by an application that came with the
Android system image.
Until Android 6.0, all permissions were requested at install time. Since Android
6.0, permissions are requested at run time.
Besides protection levels, another important aspect of Android security is
the privacy of the components of the application. An Android application
consists of several components that use Intent messages to communicate with one
another. It is important to keep these components private and sandboxed. These
components are: activities, broadcast receivers, services and content providers.
Activity represents the visual interface that is utilized by the user in order to process
actions.
The Broadcast Receiver component receives and reacts to broadcast
announcements/messages. These messages are Intent objects. Applications can also
initiate broadcasts. For example, a broadcast can announce to other applications that a file has
been downloaded to the device and is available for them to use; a broadcast receiver that
intercepts this communication will perform the appropriate action. It has no user interface.
The Service component has no user interface, but performs background operations.
For example, if we have an activity that needs to perform some action that should not stop
after the user interface disappears (such as downloading a file or playing music), the best option is
to use a service specifically designed for that action.
Content Provider components store and share data using a relational database
interface. [2]
Each component is declared in the Android Manifest XML file and it can be exported
or not. If it is exported, it can be opened or accessed from other applications.
If we have a content provider that keeps some private information like passwords or banking
accounts, the component shouldn't be exported, in order to keep it private. By making a
component private, the component is secure and it doesn't matter anymore what level of
permission the user should assign.
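The exported/private distinction described above can be checked mechanically on a decoded manifest. The following audit is an added example, not code from the paper; the manifest, package name and component names are constructed, and it assumes the manifest is already in text XML form.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest for a hypothetical app (decoded text XML, not from a real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <application>
    <provider android:name=".AccountsProvider"
              android:authorities="com.example.notes.accounts"
              android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".DownloadReceiver">
      <intent-filter>
        <action android:name="android.intent.action.DOWNLOAD_COMPLETE"/>
      </intent-filter>
    </receiver>
    <service android:name=".UploadService" android:exported="true"
             android:permission="com.example.notes.permission.UPLOAD"/>
  </application>
</manifest>"""


def audit_exported_components(manifest_xml):
    """Return (tag, name, reason) for each component that other applications
    can reach and that is not guarded by an android:permission attribute."""
    findings = []
    for app in ET.fromstring(manifest_xml).iter("application"):
        for comp in app:
            if comp.tag not in COMPONENT_TAGS:
                continue
            exported = comp.get(A + "exported")
            if exported == "true":
                reason = "explicitly exported"
            elif exported is None and comp.find("intent-filter") is not None:
                # Before Android 12, a component with an intent-filter and no
                # android:exported attribute was exported by default.
                reason = "exported by default (intent-filter, no android:exported)"
            else:
                continue
            if comp.get(A + "permission") is None:
                findings.append((comp.tag, comp.get(A + "name"), reason))
    return findings


if __name__ == "__main__":
    for tag, name, reason in audit_exported_components(SAMPLE_MANIFEST):
        print(f"{tag:9} {name:20} {reason}")
```

On the constructed manifest the provider holding account data and the receiver without an explicit `android:exported` value are reported; the service guarded by a permission and the private service are not.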
The attackers that target Android devices have taken advantage of these security
vulnerabilities and have developed malware by using reverse engineering. They usually
create a malicious version of an existing application. They keep the same application
structure and inject the malicious code inside it.
Android applications are written in the Java language and then compiled to a special
Android format, Dalvik bytecode. Along with the Java part, an application may also contain
native libraries or native code, which are used through JNI (Java Native Interface). After the
application is installed, it will run as an instance of the Dalvik Virtual Machine (DVM) or of
the Android Runtime (ART).
The Android application is packaged inside an "apk" file, which is a zip archive that
contains all the data needed by the app. The most important file is AndroidManifest.xml. It
describes all the components and all the permissions defined by an application. The "res"
folder contains all the compiled resources: icons, strings, xml layouts. The "assets" folder
stores all the resources that don't need to be compiled. "classes.dex" files are executable files
that store the Dalvik bytecode that will be executed by the Dalvik virtual machine. A full description
of the Android application structure can be seen in Fig 1.
Fig 1. Android Application Structure2
2 Figure taken from https://justamomentgoose.wordpress.com/2013/06/04/android-started-note-2-android-file-apk-decompile/
3. Related Work
Malware (malicious software) is an application that tends to look like any ordinary
and non-invasive app but instead performs malicious actions. Usually, the user is not aware
of the malware's presence. When installing an application, a list of all of the permissions required
appears on the screen. Most of the time, users grant access to all the permissions without
analyzing what they are demanding. Let's say we have a pdf reader application or a simple
game. If the application requires access to send messages or to access the user's contact list, it
might be a malware. This is how malicious applications are installed on an Android
device. Table 1 lists some types of malware along with the permissions that they
are demanding. [4]
Table 1. Malware types and permissions required

| Malware type | Example action | Permission |
| --- | --- | --- |
| Changing Desktop | Changing the default wallpaper set by a user | SET_WALLPAPER, BIND_WALLPAPER |
| Stealing user's credentials | Collect contact information from device and send it to a remote server, over the Internet | USE_CREDENTIALS, READ_PROFILE, MANAGE_ACCOUNTS |
| Premium rate calls and SMS | Sending text messages to premium numbers or just make calls to premium numbers | READ_SMS, WRITE_SMS, SEND_SMS |
| Phone setup change | Changing settings like locking phones, alert settings | WRITE_SETTINGS |
| Hacking social network accounts | Accessing and updating user's profile information | READ_SOCIAL_STREAM, WRITE_SOCIAL_STREAM |
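
The PDF reader check described before Table 1 can be automated by comparing a manifest's requested permissions with Table 1 and with what the app's stated purpose needs. This is an added example, not code from the paper; the manifest, the package name and the `expected` baseline are constructed assumptions, and the `android.permission.` prefix is the standard one for platform permissions.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# Table 1 of the paper: permission -> malware type it is associated with.
TABLE1 = {
    "SET_WALLPAPER": "Changing Desktop",
    "BIND_WALLPAPER": "Changing Desktop",
    "USE_CREDENTIALS": "Stealing user's credentials",
    "READ_PROFILE": "Stealing user's credentials",
    "MANAGE_ACCOUNTS": "Stealing user's credentials",
    "READ_SMS": "Premium rate calls and SMS",
    "WRITE_SMS": "Premium rate calls and SMS",
    "SEND_SMS": "Premium rate calls and SMS",
    "WRITE_SETTINGS": "Phone setup change",
    "READ_SOCIAL_STREAM": "Hacking social network accounts",
    "WRITE_SOCIAL_STREAM": "Hacking social network accounts",
}

# Constructed manifest for a hypothetical PDF reader (not from a real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pdfreader">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Short names (prefix stripped) of every <uses-permission> entry."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME, "").rsplit(".", 1)[-1] for el in root.iter("uses-permission")]


def triage(manifest_xml, expected):
    """Group requested permissions that appear in Table 1 and are not in the
    `expected` baseline for the app's purpose, keyed by Table 1 malware type."""
    hits = {}
    for perm in requested_permissions(manifest_xml):
        if perm in TABLE1 and perm not in expected:
            hits.setdefault(TABLE1[perm], []).append(perm)
    return hits


if __name__ == "__main__":
    # Assumed baseline: a PDF reader only needs to read files from storage.
    for kind, perms in triage(SAMPLE_MANIFEST, {"READ_EXTERNAL_STORAGE"}).items():
        print(f"{kind}: {', '.join(perms)}")
```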
Several families of Android malware have been discovered. Among the most
important are SMS-Trojan and root-based attacks like race-against-the-cage, gingerbreak and
z4root. Beginning from a reliable application, the package is first decompiled. Then,
the source code or the Android Manifest file is altered and repacked in another "APK"
archive.
Trojan malware performs harmful actions against the user like stealing sensitive
information (passwords, messages) or sending SMS to premium numbers without the user's
approval. Some well-known apps like this are FakeNetflix, Fakeplayer, Android.Foney. Fake
Netflix looked almost like the original Netflix application and instead stole Netflix
users' accounts.
Backdoor malware families can gain superuser access and they are not easily
detected by anti-malware applications. By entering the system, the attacker can have total
control over the device. The most popular backdoor malware are Obad, Basebridge, Kmin.
Worm malware can replicate itself through the network or removable media. The most
common are Bluetooth worms that replicate and send copies to a paired device
(Android.Obad.OS).
Botnet malicious apps exploit a device by gaining access and sending commands
through a remote server. The commands can vary, from simple ones like sending the user
information to the remote server, to more complex commands like Denial of Service
attacks. Some of the most known apps are AnServerBoot, Geinimi.
Spyware malware pretends to be a useful application, but it collects private
information like the user's messages, location and contact list and sends it to a remote server. The
most notable malware in this area are the following: Nickspy, GPSSpy. [5]
Usually, the malware keeps the application's structure and uses the reverse engineering
technique. Figure 2 presents the main steps of this technique. An attacker starts
from a known or common app. He decompiles the apk archive and takes the code by
running "apktool" from the Linux command line. Then he writes the malicious code in Java and
compiles it. After the code is converted into ".class" files, the attacker converts it into
Dalvik bytecode using the "dx" executable. After this, the code is ready and is
injected into the original code. Then the files are assembled again into an "apk" archive and
signed with "jarsigner" [1].
Fig. 2 Reverse engineering Android
In order to keep our devices safe from malware attacks, there are a few precautions
that the user should consider:
- He should not download applications from just any Android market. He should
  use a well-known application market like Google Play and he should
  read the application's reviews and comments.
- He should always have a PIN or a password for an Android device in order to
  keep it safe.
- He should keep his phone updated to the latest Android version. An
  older one might have unsolved and exploitable bugs.
- He should notice when the phone behaves strangely: if the battery is
  draining very fast, or odd text messages appear.
- He should use specialized security tools that can discover spyware or
  malware and that can also protect his devices against them.
4. Malware proposal
Every year new families of malware are created. In this research project a new idea
of malware is proposed: a malware that will collect all of the user's messages, then parse
them and look for keywords like accounts or passwords. After the parsing part, the
sensitive information will be sent to a remote server. Many services send passwords or
account details in SMS messages to users. The malware will look like an ordinary photo
editor. When the application is installed and opened, a list with all the keywords that were
found in the user's messages will be sent to a remote server. In order to be able to do
that, the malware will require the "READ_SMS" permission. This is how an Android malware can
get sensitive information from the messages.
Another important part of the malware is how it is distributed to
people. The malware will be sent through messages on social networks. For example, it will
access the user's Facebook contact list and it will send the "apk" file as a message to all
users.
5. Conclusions
Android is a Linux-based operating system that also includes key applications and
middleware. In order to fully benefit from and explore the functionalities of Android, Google
allows third party developers to create applications and release them to the Google Play
Market. This is the main reason why Android is such a popular operating system. This
popularity also brought many attackers that created malware. This malware has been
categorized into families that perform harmful actions or collect information about the
user's system. Attackers are constantly discovering newer methods to crack into the
devices. Every year new malware families appear on Android. Because of them, defending
the security of the system has become essential.
In this research, I have presented the main Android security issues like sandboxing,
permissions and components. As we have seen in the previous chapters, the Android system
provides a permission-based system whose purpose is to restrict the actions that an
application can execute on the device and also the access to stored data and available
services. For example, if the user has a pdf reader application and this app requests the
"SEND_SMS" or "READ_SMS" permission, the user should be aware of the risk that he is
taking by granting those permissions. He could be installing a malware application that pretends
to be a simple pdf reader.
I have described in chapter 3 how an Android malware is created from a benign
application and which are the most popular Android malware families. It is important to
understand how malware attacks are executed in order to learn to defend users'
systems. Furthermore, the project presents a new malware proposal, a malware which
accesses the user's messages, parses them and finds special keywords or sensitive information.
Smartphones are more than portable telephones these days. With an Android
device, the user can make bank transactions, access the internet and use all the social
networks. But all these functionalities represent a temptation for an attacker that targets
the Android system.
BIBLIOGRAPHY
[1]. "Reverse Engineering Of Malware On Android", SANS Institute InfoSec Reading Room;
[2]. "Understanding Android Security", Gary McGraw, ieeexplore.ieee.org, Security & Privacy,
IEEE, Jan 1, 2009;
[3]. "Dissecting Android Malware: Characterization and Evolution", Yajin Zhou, Xuxian Jiang,
IEEE Symposium on Security and Privacy, 2012;
[4]. "A Survey of Android Malware Characteristics and Mitigation Techniques", Vanessa N.
Cooper, Hossain Shahriar and Hisham M. Haddad, International Conference on
Information Technology: New Generations, 2014 11th;
[5]. "Android Security: A Survey of Issues, Malware Penetration and Defenses", Parvez Faruki,
Ammar Bharmal, Vijay Laxmi, Vijay Ganmoor, Manoj Singh Gaur, Mauro Conti and, IEEE
Communications Surveys and Tutorials, vol. 00, no. 0, January 2015.
