Since 2013, the Android operating system has dominated the mobile operating system market, and its open-source, open-platform nature has made Android a popular target for malicious application attacks. A growing number of malicious applications reach users without passing any reliable security audit, posing a serious threat to users' personal security and even to national security. This paper therefore analyzes the growth and harm of malicious Android applications, reviews typical attacks on the Android platform, and finally summarizes the development trend of detection technology and the current mainstream detection methods.

1. Malicious application attacks and their harm

1.1 Harm caused by malicious applications

According to the 2018 annual report released by the G DATA team, the number of new Android malware samples reached about 4 million, an increase of 40% over the same period in 2017. According to the 2018 full-year mobile terminal report disclosed by the 360 Center for Internet Security, the main malware types are privacy theft, remote control, fee consumption, malicious deductions and rogue behavior, among which identity theft is the most dangerous. Android malicious applications exploit ubiquitous mobile intelligent terminals and network connectivity to steal personal and sensitive information, such as text messages, contacts, bank credentials and web browsing history, in order to obtain illegal benefits and build botnets, causing huge economic losses and even loss of privacy. At the national security level, malicious applications hidden on mobile intelligent terminals can obtain classified economic and even political information, and the leakage of sensitive information confronts national regulators with severe challenges.

1.2 Typical attacks

In recent years, it has become common to use Android malicious applications to steal users' private information, obtain gray-market profits, or remotely control devices for illegal personal attacks. Android malicious application attack techniques have matured; the author lists typical cases for reference.

Event one: New variants of the Fake System Trojan discovered; one million Android devices turned into bots

In September 2018, Tencent's anti-fraud laboratory captured, through its TRP-AI antivirus engine, a number of widely spreading Android backdoor Trojan samples. On an infected device the Trojan secretly collects device information, frequently installs applications in the background, sends text messages in the background, and shows other suspicious behavior. Security experts determined that these samples belong to a new variant of the "Fake System" Trojan family. This Trojan has a very long dormant period, uses a variety of advanced evasion techniques to defeat security software, and integrates three main underground monetization channels to generate illicit income. The figure shows data from Tencent's anti-fraud laboratory big-data engine: from late July to late August 2018 the number of users infected by the new "Fake System" variants grew rapidly, with several new variants each reaching around 200,000 infected users within that month, while the total number of users infected by the "Fake System" family also grew dramatically, affecting nearly one million users.

Event two: Facebook tracks user data via Android applications

In January 2019, the organization Privacy International revealed that some very popular Android smartphone applications, including Skyscanner, TripAdvisor and MyFitnessPal, send user data to the social network Facebook without the user's consent, a practice that may violate EU rules. A study of 34 very popular Android applications found that at least 20 of them send some data to Facebook as soon as they are opened on the phone, without obtaining the user's permission. The information sent includes the name of the application, the user's Google ID, and the number of times the application has been opened and closed since installation. Some sites, such as the travel website Kayak, also send details of users' flight searches to Facebook, including travel dates, whether the user has children, and the flights and destinations searched for.

2. Development of detection technology

Many researchers and security companies at home and abroad have studied the detection of malicious applications on the Android platform. Summarizing roughly one hundred papers from 2010 to 2019, the overall line of thinking in malicious application detection is shown below. Among its stages, feature extraction and classification have received the most work, and the following sections discuss them separately.

2.1 Feature extraction stage

"Feature extraction" is the stage at which application information is acquired. Depending on whether the application must be run, malicious application detection techniques can be divided into static detection and dynamic detection. Static detection on Android does not require running the application, dynamic detection must be performed at run time, and hybrid detection combines the respective advantages of both.

Static detection

Its advantages are low energy consumption, low risk, high speed and low real-time requirements; its disadvantage is low accuracy. Researchers use many static detection methods, which can be divided into signature-based, permission-based, assembly-based and Dalvik-bytecode-based detection. The following chart summarizes the research status of these types of detection methods and analyzes their existing problems.

Dynamic Detection

Dynamic detection monitors an application's behavioral characteristics while it is running; it requires a real-time execution environment and takes longer. Dynamic detection methods are generally divided into two types, pattern-based and behavior-based. The following chart summarizes the research status of the two detection methods and analyzes their existing problems.

Hybrid Detection

Hybrid detection combines static and dynamic methods and inherits the advantages of both. The following figure describes several hybrid detection methods and analyzes their problems.

2.2 Classification stage

"Classification" is the stage at which the acquired application information is processed. Malicious application detection can be divided into detection based on feature values and rules, and detection based on machine learning algorithms. The following diagram depicts trends in the "classification" stage of Android malware detection since 2009. Before 2011, methods based on feature values and rules held an absolute advantage; after 2011 their limitations became increasingly prominent, because they cannot detect unknown malicious applications.

Machine learning algorithms then came into wide use. Researchers initially applied existing machine learning algorithms directly, then selected among and combined several algorithms, and in recent years have begun to propose improvements to the shortcomings of existing algorithms so that they better fit the characteristics of the problem, as shown below.

Deep learning, as a branch of machine learning, emphasizes the depth of the model structure and highlights the importance of feature learning. Since 2015, when deep learning surpassed the human eye in image recognition accuracy, deep learning algorithms have started to be applied to Android malware detection, as shown below.

DroidDetector: extracts more than 200 features from each Android application through static and dynamic analysis, then applies deep learning techniques to classify it. The results show that deep learning is more suitable than other machine learning techniques, including Bayes, SVM, C4.5, logistic regression and MLP.

DeepDroid: on the same test set, the accuracy of the DeepDroid algorithm is 3.96 percentage points higher than SVM, 12.16 percentage points higher than naive Bayes, and 13.62 percentage points higher than the K-nearest-neighbor algorithm.

Under the same experimental conditions, Android malicious application detection methods based on deep learning tend to perform better than traditional machine learning algorithms.
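As an added illustration of the permission-based static features of section 2.1 and the rule-based versus machine-learning classification of section 2.2 (example code written for this page, not from DroidDetector, DeepDroid or any surveyed paper; the manifest, permission vocabulary and training vectors are constructed), the block below extracts a permission vector from a decoded AndroidManifest.xml, applies one hand-written rule, and applies a small naive Bayes classifier that can flag a sample the rule misses:

```python
"""Permission-based static features with rule-based and machine-learning classification.
Added example, not from the surveyed papers; the manifest, permission vocabulary and
training vectors below are constructed for illustration."""
import math
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Fixed vocabulary so every application maps to a vector of the same length.
PERMISSIONS = ["INTERNET", "SEND_SMS", "READ_SMS", "READ_CONTACTS",
               "RECEIVE_BOOT_COMPLETED", "ACCESS_FINE_LOCATION"]

def extract_features(manifest_xml):
    """Static feature extraction: 0/1 per vocabulary permission requested in the manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
                 for el in root.iter("uses-permission")}
    return [1 if p in requested else 0 for p in PERMISSIONS]

def rule_detect(vec):
    """Rule-based classification: SMS sending combined with auto-start at boot."""
    f = dict(zip(PERMISSIONS, vec))
    return bool(f["SEND_SMS"] and f["RECEIVE_BOOT_COMPLETED"])

def train_nb(samples):
    """Bernoulli naive Bayes with Laplace smoothing; samples are (vector, label) pairs."""
    model = {}
    for label in (0, 1):
        vecs = [v for v, lab in samples if lab == label]
        log_prior = math.log(len(vecs) / len(samples))
        log_p = [math.log((sum(v[i] for v in vecs) + 1) / (len(vecs) + 2))
                 for i in range(len(PERMISSIONS))]
        model[label] = (log_prior, log_p)
    return model

def nb_detect(model, vec):
    """Machine-learning classification: True if the malicious class scores higher."""
    def log_posterior(label):
        log_prior, log_p = model[label]
        return log_prior + sum(lp if x else math.log1p(-math.exp(lp))
                               for x, lp in zip(vec, log_p))
    return log_posterior(1) > log_posterior(0)

# Constructed manifest: SMS sending without boot auto-start, so the rule above misses it.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
# Constructed labelled training vectors (label 1 = malicious), same feature order.
TRAINING = [([1,0,0,0,0,1],0), ([1,0,0,1,0,0],0), ([1,0,0,0,0,0],0), ([0,0,0,0,0,1],0),
            ([1,1,1,1,1,0],1), ([1,1,0,1,0,0],1), ([1,0,1,1,1,0],1), ([1,1,1,0,0,0],1)]
```

With these constructed inputs the fixed rule returns False for the sample manifest while the trained classifier returns True, which is the gap between rule-based and learning-based classification that the text describes.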

RECOMMENDATIONS

Here, the author offers some suggestions for Android phone users and Android malware researchers:

(1) Download Android applications from official websites, and verify that the URL is correct. Make sure the application was uploaded by the official developer rather than by an individual; such applications carry high security risks.

(2) Read user reviews before downloading. Even applications on official websites may contain advertising messages or other malicious payloads, and other users' reviews help with a preliminary screening.

(3) Do not download cracked software from forums or blogs; such applications are more likely to contain malicious components or malicious instructions.

(4) Properly configure which application permissions are enabled; this effectively avoids the vast majority of mobile phone security problems. Although many factors affect phone security, for most users controlling permission state is equivalent to minimizing the phone's security risks. Here is a simple way to turn off unwanted permissions:

Use the permission management tool that comes with the system, such as Huawei's "Phone Manager", Xiaomi's "Security Center" or Meizu's "Mobile Manager". Open the application, tap permission management, and find the permission settings for the corresponding application. Taking Huawei's Phone Manager as an example: open Phone Manager and tap "Permission management"; select the application you want to configure; toggle its permissions; you can also tap "Settings for individual permissions" and toggle permissions there.

(5) Android malware researchers can use the following public data sets for related research:

You can also contact the teachers who maintain the data sets by e-mail, and some will share them; a number of universities and institutions already hold data sets, and basically all well-known domestic universities have them.

(6) When manual analysis is time-consuming or difficult, a number of specialized tools can be used to complete it:

Conclusion

From the development trends, harms and attack cases of malicious Android applications presented above, we believe readers are now aware that the problems they bring cannot be underestimated. From the above summary of malicious Android application detection research, it is not hard to see that, for the "feature extraction" stage, hybrid methods combining static and dynamic analysis will be more accurate and comprehensive, while extracting finer-grained features makes it possible to describe application behavior accurately; for the "classification" stage, applying deep learning algorithms to the security field is a development trend for the next few years. Future research should also adopt a hybrid approach, assisted by other applications, to improve accuracy and reduce false positives so that Android malware can be detected efficiently.

References

[1] Gartner. Gartner says Android has been growing market share in the smartphone operating system market, which in 2017 is at 85.9% [EB/OL]. [2018-02-14]. https://www.gartner.com/doc/3855724?ref=SiteSearch&sthkw=android%20market&fnl=search&srcId=1-3478922254.

[2] G DATA. Cyber attacks on Android devices on the rise [EB/OL]. [2018-11-07]. https://www.gdatasoftware.com/blog/2018/11/31255-cyber-attacks-on-android-devices-on-the-rise.

[3] 360 Center for Internet Security. Android malicious software annual special report 2018 [EB/OL]. [2019-02-18]. http://zt.360.cn/1101061855.php?dtid=1101061451&did=610100815...

[4] FREEBUF. Hero RAT: Telegram-based Android malware [EB/OL]. [2018-08-14]. https://www.freebuf.com/articles/terminal/179842.html.

[5] FREEBUF. New variants of the Fake System Trojan discovered; one million Android devices turned into bots [EB/OL]. [2018-09-07]. https://www.freebuf.com/articles/terminal/183221.html.

[6] Securityaffairs. Facebook tracks non-users via Android apps [EB/OL]. [2018-12-30]. https://securityaffairs.co/wordpress/79313/digital-id/facebook-tracking-android-apps.html.

[7] Zhenlong Yuan, Yongqiang Lu, Yibo Xue. DroidDetector: Android malware characterization and detection using deep learning [J]. Tsinghua University Natural Science (English edition), 2016, 21(1): 114-123.

[8] Su Zhida, Zhu Yuefei, Liu Long. Android malicious application detection based on deep learning [J]. Computer Applications, 2017(6).

Authors: Lijia Nan, Liu Chao