Android Malware Detection Techniques in Traditional and Cloud Computing Platforms: A State-of-the-Art Survey

Aayush Vishnoi, Preeti Mishra, Charu Negi, Sateesh Kumar Peddoju
Copyright: © 2021 |Pages: 23
DOI: 10.4018/IJCAC.2021100107

Abstract

In the mobile world, Android is the most popular choice of manufacturers and users alike. Meanwhile, the number of malicious applications, abbreviated as malapps or malware, has increased explosively. Malware writers make use of existing apps to send malware to users' devices. To check for the presence of malware, the authors perform malware analysis of apps. In this paper, they provide a comprehensive review of state-of-the-art Android malware detection approaches using traditional and cloud computing platforms. The paper also presents an attack taxonomy to better understand security threats against Android. Furthermore, it describes various possible attacking features (static and dynamic) and their analysis mechanisms. Various security tools have also been discussed. It presents two case studies: one for malware feature extraction and the other demonstrating the use of machine learning for malware analysis, in order to provide practical insight into malware analysis. The results of malware analysis seem to be promising.
Article Preview

Introduction

Android is a Linux-based operating system and software package for mobile phones and tablets. Android is developed under the Android Open Source Project (AOSP), maintained by Google, and promoted by the Open Handset Alliance (OHA). An Android app written in the Java language is translated to Dalvik bytecode that runs under its own purpose-built runtime, the Dalvik Virtual Machine (DVM) (Bhat, 2019; Faruki, 2012; Krajci, 2013). Owing to its immense popularity (Park, 2014) and its open-source nature, Android is susceptible to different malware attacks. An attack can come from an app that was downloaded by the user, or it may be the result of an existing vulnerability that attackers exploited successfully (Jang-Jaccard, 2014). As per the mobile threat report (Kaspersky, 2013), Kaspersky blocked 116.5 million attacks from mobile malware and was also able to detect more than 5 million mobile malware installation packages across various platforms.

Malware is software created for malicious use. Malware can be classified based on the purpose it is created for. For example, a rootkit is malware that tries to obtain privileged (root) access to the system in order to reach its restricted areas; malware exhibiting such behaviour is classified into the rootkit family. A number of malware families are known, and the number continues to increase: Zhou et al. (2012) identified 49 families of malware. Malware is a threat to the system because it tries to gain access, e.g. by privilege escalation. It then tries to steal the user's private and secure information and send it to its control centre or some other website where it can be misused. The users of a device need not only to protect their own devices from attacks but also to prevent the spread of these attacks to other devices.

Anti-malware apps help users find not only malware and viruses but also apps that lack security implementations, allow dangerous permissions, and include advertising trackers that indirectly permit attacks on devices. Thus, one can easily understand the necessity of securing the Android platform. There are ways to detect apps that are malicious or intend to exploit a vulnerability of the system. Two approaches that have been discussed widely are static analysis and dynamic analysis (Bhat, 2019; Shim, 2018); a third approach, which combines static and dynamic methods, is termed the hybrid approach. The static analysis approach to malware detection identifies malware by analysing the features obtained from the different files and folders of the application. The application package can be decompressed into its folder structure using the available decompressing tools; this process reveals the application's files and folders, including its source code. Dynamic analysis involves analysing the application by executing it: the application is monitored during its execution and its behaviour is recorded. The features obtained in this way are called dynamic features.

The two approaches to malware analysis discussed above each have advantages and disadvantages. Static analysis is time-efficient, but because the application is analysed without being run, it may not be able to cover all execution paths. Dynamic analysis observes the behaviour of the application at runtime and can therefore extract features that are not revealed until the program runs, but it is not time-efficient. Hybrid analysis makes use of both techniques and provides a better approach to malware analysis. The features obtained are input to machine learning algorithms to create models that help identify malware. Machine learning approaches are classified as supervised, unsupervised, and reinforcement learning. This article discusses the extraction of features from the files obtained after decompressing the application. These features provide a great amount of information for setting a malicious app apart from legitimate ones, and they are then used by machine learning algorithms to create models.
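The two steps described above, extracting static features from a decompressed app and feeding them to a supervised learner, as an added worked example in Python; this is not code from the survey or from its case studies. It assumes a manifest that has already been decoded to plain XML (as a decompiling tool would produce; inside a raw APK the manifest is binary XML), a six-permission feature vocabulary, and a small constructed, labelled training set. The toy APK is assembled in memory and is not a real app. It goes slightly beyond the text by also deriving layout features (dex count, native libraries, assets) from the archive listing, since those are visible as soon as the package is unzipped.

```python
"""Static feature extraction from an APK's file layout and a decoded
AndroidManifest.xml, followed by a hand-written Bernoulli naive Bayes
classifier over the resulting permission feature vectors.

Added example, not the survey's code: the APK, manifests, permission
vocabulary and training set below are constructed for illustration."""
import io
import math
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed feature vocabulary; a real model would use a much larger one.
PERMISSION_VOCAB = [
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
]


def layout_features(apk_bytes: bytes) -> Dict[str, int]:
    """An APK is a zip archive: its entry list alone yields static features."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
    return {
        "dex_count": sum(n.endswith(".dex") for n in names),
        "native_lib_count": sum(n.startswith("lib/") and n.endswith(".so") for n in names),
        "asset_count": sum(n.startswith("assets/") for n in names),
    }


def manifest_features(manifest_xml: str) -> Dict[str, object]:
    """Parse a decoded (plain-text) manifest: requested permissions plus
    component counts, including how many components are exported."""
    root = ET.fromstring(manifest_xml)
    perms = sorted({el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")})
    components, exported = 0, 0
    app = root.find("application")
    if app is not None:
        for tag in ("activity", "service", "receiver", "provider"):
            for comp in app.iter(tag):
                components += 1
                if comp.get(ANDROID_NS + "exported") == "true":
                    exported += 1
    return {"permissions": perms, "component_count": components,
            "exported_components": exported}


def permission_vector(perms: List[str]) -> List[int]:
    """Binary bag-of-permissions vector in PERMISSION_VOCAB order."""
    present = set(perms)
    return [1 if p in present else 0 for p in PERMISSION_VOCAB]


class BernoulliNB:
    """Minimal supervised Bernoulli naive Bayes with Laplace smoothing."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha
        self.log_prior: Dict[str, float] = {}
        self.log_p: Dict[str, List[float]] = {}  # log P(feature = 1 | class)
        self.log_q: Dict[str, List[float]] = {}  # log P(feature = 0 | class)

    def fit(self, X: List[List[int]], y: List[str]) -> "BernoulliNB":
        n, d = len(X), len(X[0])
        for c in sorted(set(y)):
            rows = [x for x, label in zip(X, y) if label == c]
            self.log_prior[c] = math.log(len(rows) / n)
            probs = [(sum(r[j] for r in rows) + self.alpha) / (len(rows) + 2 * self.alpha)
                     for j in range(d)]
            self.log_p[c] = [math.log(p) for p in probs]
            self.log_q[c] = [math.log(1 - p) for p in probs]
        return self

    def predict(self, x: List[int]) -> str:
        scores = {c: self.log_prior[c] + sum(lp if xi else lq for xi, lp, lq in
                  zip(x, self.log_p[c], self.log_q[c])) for c in self.log_prior}
        return max(scores, key=scores.get)


# Constructed, labelled training set (permission lists), not real app data.
TRAINING = [
    (["android.permission.INTERNET"], "benign"),
    (["android.permission.INTERNET", "android.permission.ACCESS_FINE_LOCATION"], "benign"),
    (["android.permission.INTERNET", "android.permission.READ_CONTACTS"], "benign"),
    ([], "benign"),
    (["android.permission.INTERNET", "android.permission.SEND_SMS",
      "android.permission.READ_SMS", "android.permission.RECEIVE_BOOT_COMPLETED"], "malicious"),
    (["android.permission.SEND_SMS", "android.permission.RECEIVE_BOOT_COMPLETED"], "malicious"),
    (["android.permission.INTERNET", "android.permission.SEND_SMS",
      "android.permission.READ_CONTACTS"], "malicious"),
    (["android.permission.READ_SMS", "android.permission.RECEIVE_BOOT_COMPLETED",
      "android.permission.ACCESS_FINE_LOCATION"], "malicious"),
]
MODEL = BernoulliNB().fit([permission_vector(p) for p, _ in TRAINING],
                          [label for _, label in TRAINING])

# Constructed manifests (hypothetical package names), already decoded to XML.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.smsapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="constructed">
    <activity android:name=".MainActivity" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.mapviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="constructed">
    <activity android:name=".MapActivity" android:exported="true"/>
  </application>
</manifest>"""


def build_constructed_apk() -> bytes:
    """Assemble a toy APK-shaped zip in memory (constructed, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", SUSPICIOUS_MANIFEST)
        zf.writestr("classes.dex", b"dex\n035\0")
        zf.writestr("classes2.dex", b"dex\n035\0")
        zf.writestr("lib/arm64-v8a/libhelper.so", b"\x7fELF")
        zf.writestr("assets/config.json", b"{}")
    return buf.getvalue()


def classify_manifest(manifest_xml: str) -> str:
    """Static features -> vector -> trained model; returns the class label."""
    return MODEL.predict(permission_vector(manifest_features(manifest_xml)["permissions"]))


if __name__ == "__main__":
    print(layout_features(build_constructed_apk()))
    print(manifest_features(SUSPICIOUS_MANIFEST))
    print(classify_manifest(SUSPICIOUS_MANIFEST), classify_manifest(BENIGN_MANIFEST))
```

The classifier is the supervised case from the paragraph above: labels are known at training time, and the model only ever sees the static feature vector, never the running app, which is exactly the blind spot that motivates dynamic and hybrid analysis. With the constructed data the SMS-and-boot manifest scores as malicious and the map viewer as benign; a real pipeline would replace the vocabulary and eight training rows with features and labels from a large corpus.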

Past research has studied these analysis techniques and used different features for machine learning models. Most of the body of research focuses on on-device malware detection. These techniques mostly leverage machine learning-based classifiers for identification, but owing to limited resources, the detection rate of on-device systems is lower. Cloud-based services provide a better and faster response, given the huge datasets related to malware and the computation services available (Yadav, 2019). Cloud computing has many advantages, such as resource pooling, scalability, on-demand service, and better network access. However, there are some issues in the cloud setting as well, such as network unavailability and security issues (Gou, 2017).
