Android Botnets: A Proof-of-Concept Using Hybrid Analysis Approach

Android Botnets: A Proof-of-Concept Using Hybrid Analysis Approach

Ahmad Karim (Bahauddin Zakariya University, Pakistan), Victor Chang (Aston University, UK), and Ahmad Firdaus (Faculty of Computer Systems and Software Engineering, Malaysia)
Copyright: © 2020 |Pages: 18
DOI: 10.4018/JOEUC.2020070105
Article PDF Download
Open access articles are freely available for download


Mobile botnets are gaining popularity with the expressive demand of smartphone technologies. Similarly, the majority of mobile botnets are built on a popular open source OS, e.g., Android. A mobile botnet is a network of interconnected smartphone devices intended to expand malicious activities, for example; spam generation, remote access, information theft, etc., on a wide scale. To avoid this growing hazard, various approaches are proposed to detect, highlight and mark mobile malware applications using either static or dynamic analysis. However, few approaches in the literature are discussing mobile botnet in particular. In this article, the authors have proposed a hybrid analysis framework combining static and dynamic analysis as a proof of concept, to highlight and confirm botnet phenomena in Android-based mobile applications. The validation results affirm that machine learning approaches can classify the hybrid analysis model with high accuracy rate (98%) than classifying static or dynamic individually.
Article Preview


Although Android OS being an open source has promoted mobile applications developers, yet malware programmers have also contributed to exploit its open source nature to carry out malicious acts. MacAfee, an antimalware platform, has diagnosed more than 700K mobile malware in the second quarter of 2014 (Weafer, 2014). Another report (Chebyshev, 2016) published in 2016 discovered that Internet access on smartphone devices had exceeded 61% in the first quarter of 2015. This study also revealed that 60.85% of Android users had started Internet access on their smartphone devices. Consequently, the similar growth is observed in malware program construction, i.e., 40,267 new mobile malware variants were analyzed and diagnosed by the security agencies at the end of 2015(Millman, 2015). In Q2 2016, it was observed that Android was used by 86.2% of smartphone users (Paul, 2017). Similarly, its widespread adaptation to other platforms such as televisions, tablets, wearable, and vehicles opened the new dimensions for multi-platform attacks. In the similar pace, IoT (Internet of Things) would be the next target for malware programmers. A more recent report (BILIĆ, 2017) states that the growth of mobile malware is constantly increasing since 2013. On average 200 new malicious code variants have been discovered per month during 2015, this number rose to 300 per month by the end of 2016. As a result, on average 400 new malicious code variants are expected to evolve by the end of 2017 (Weafer, 2016).

Mobile botnet or SMARTbot (Karim, Salleh, & Khan, 2016) is a malevolent action which is inspired from traditional botnets (PC based). The basic motive behind botnet is to gain illegitimate access to someone’s personal device (smartphone, tablets, etc.) and makes this device compromised by a bot binary (app). After becoming the part of a bot network, another pivotal role (botmaster) is responsible for controlling this device remotely and to initiate various attacks using some command and control (C&C) channel. Consequently, these devices are then participating in numerous malicious activities including DDoS, ransom, making premium calls, sending text messages and emails without user’s consent.

There are two most common analysis strategies exist, static and dynamic analysis. In static analysis, structural properties of program code are observed including permission usage, CFGs, function call graphs and API calls, etc. For static analysis, reverse engineering tools (Lukan, 2012) are deployed to disassemble program code (Schmidt et al., 2009) or directly fetching parameters from executable binaries (Petsas, Voyatzis, Athanasopoulos, Polychronakis, & Ioannidis, 2014; Yousafzai et al., 2016). In contrast, dynamic analysis requires execution of malware binaries in a secure environment (called sandbox) to extract runtime behavior of these applications. Following are some of the parameters which are of interest during dynamic analysis: (a) file operations (b) network traces (c) initiated services (d) HTTP and DNS traffic etc. Currently, some mobile malware detection approaches (Arp, Spreitzenbarth, Hubner, Gascon, & Rieck, 2013; Chen, Rong-Cai, ZHENG, Jia, & Li-Jing, 2016; Fereidooni, Conti, Yao, & Sperduti, 2016; Yang, Wang, Ling, Liu, & Ni, 2017) are introduced targeting either program code or runtime execution traces. However, at a higher level of abstraction, these approaches are targeting mobile malware detection rather than mobile botnet. This is the extension of our previously proposed approaches (Ahmad Karim & Shah, 2015; Karim, Salleh, Khan, Siddiqa, & Choo, 2016) in a way that it can highlight the need for a hybrid analysis framework for the detection of botnet mobile binaries.

Complete Article List

Search this Journal:
Volume 35: 2 Issues (2023)
Volume 34: 10 Issues (2022)
Volume 33: 6 Issues (2021)
Volume 32: 4 Issues (2020)
Volume 31: 4 Issues (2019)
Volume 30: 4 Issues (2018)
Volume 29: 4 Issues (2017)
Volume 28: 4 Issues (2016)
Volume 27: 4 Issues (2015)
Volume 26: 4 Issues (2014)
Volume 25: 4 Issues (2013)
Volume 24: 4 Issues (2012)
Volume 23: 4 Issues (2011)
Volume 22: 4 Issues (2010)
Volume 21: 4 Issues (2009)
Volume 20: 4 Issues (2008)
Volume 19: 4 Issues (2007)
Volume 18: 4 Issues (2006)
Volume 17: 4 Issues (2005)
Volume 16: 4 Issues (2004)
Volume 15: 4 Issues (2003)
Volume 14: 4 Issues (2002)
Volume 13: 4 Issues (2001)
Volume 12: 4 Issues (2000)
Volume 11: 4 Issues (1999)
Volume 10: 4 Issues (1998)
Volume 9: 4 Issues (1997)
Volume 8: 4 Issues (1996)
Volume 7: 4 Issues (1995)
Volume 6: 4 Issues (1994)
Volume 5: 4 Issues (1993)
Volume 4: 4 Issues (1992)
Volume 3: 4 Issues (1991)
Volume 2: 4 Issues (1990)
Volume 1: 3 Issues (1989)
View Complete Journal Contents Listing