National College of Business Administration & Economics Multan

Android operating system started its journey with the public release of android beta in November, 2007. But its first commercial version android 1. 0 is introduced in September, 2008. Android is a mobile operating system developed by Google, based on the Linuxkernel and designed primarily for touch screen mobile devices such assmart phonesand tablets. It is continually developed by google and open handset alliance.

Since 2008 there are many versions of android operating systems have been introduced

The most common are ginger bread, honey comb,ice cream sandwich, jelly beans, kitkat, lollipop and marshmallow. at the time of writing, only 32. 3% of Android devices on the market have Marshmallow, which was introduced early 2 years ago.

Evolution of Malware

Initially, when computing systems were primarily understood by a few experts, malware development was a test of one’s technical skill and knowledge. For example, the PC Internet worm known as Creeper displayed taunting messages, but the threat risk (e. g. ,stolen data, damaged systems) was considerably low. However, as time progressed fromthe 1980’s, the drive to create malware became less recreational and more profit-drivenas hackers actively sought sensitive, personal, and enterprise information. In 2015 a report showed that attackers can earn up to 12,000 USD per month viamobile malware 173 Moreover, an increase in black markets (i. e. , markets to sellstolen data, system vulnerabilities, malware source code, malware developer tools) hasprovided more incentive for profit-driven malware [106].

Android malware

The malware are termed as malicious software this is designed especially to target a cell device gadget,such as a tablet or smartphone to harm or disrupt the tool. The maximum cellular malware is designed to disable a cellular device, allow a malicious consumer to remotely control the device or to souse borrow non-public facts saved on the device.As android operating system has become most attractive operating system for the cellular companies so it is in more danger of malware attacks as compare to other operating systems. The number of malicious Android apps has risen steadily in the last four years. In 2013, just over a half million were malicious. By 2015 it had risen to just under 2. 5 million. For 2017, the number is up to nearly 3. 5 million.

Types of android malware

Following are the main categories of android malware

• Botnet
• Root exploit
• Android market
• Send sms
• Install application

Root Exploit

Root-exploit is a malware which modifies the kernel in Android Operating System (OS) to gain super-user privileges. Once attackers gain root-privileges, they are able to install other types of malware, such as, botnets, worms, or trojan. Once it has acquired the root privilege, an attacker/malware can bypass the Android sandbox, perform many kinds of malicious activities, and even erase evidence of compromise. For this reason, malware with embedded root exploits are on the rise. Indeed, as apparent in recent news, it has become more and more common that malware found in third party Android markets or even in the official Google Play store, contain root exploits. For the last few years, rooting malware has been the biggest threat to Android users. These Trojans are difficult to detect, boast an array of capabilities, and have been very popular among cybercriminals. Their main goal is to show victims as many ads as possible and to silently install and launch the apps that are advertised. In some cases, the aggressive display of pop-up ads and delays in executing user commands can render a device unusable. Rooting malware usually tries to gain super-user rights by exploiting system vulnerabilities that allow it to do almost anything. It installs modules in system folders, thus protecting them from removal. In some cases – Ztorg, for example – even resetting the device to factory settings won’t get rid of the malware. It’s worth noting that this Trojan was also distributed via the Google Play Store – we found almost 100 apps there infected by various Ztorg modifications. One of them had even been installed more than a million times.

Existing Approaches

In dynamic malware analysis the behavior of themalwareis checked that isexecuted on the system. Most of the times, virtual machine/device or is used for this method. It simply checks the behavior and network logsof the malware after executing the malware application on the machine. Droidbox, android SDK and android audit are the tools that can be used for dynamic analysis

During static analysis reverse engineeringtooland techniquesare used to decompile themalware application. Non-Run time environment is used for static analysis. At the same time, application is analyzed for all possible run time behaviorsand seek out coding flaws, Back doors and malicious code. In static analysis Androguard, dex2jar, apk inspector are the tools that can be used.

In the both approaches, machine learning algorithms have been used to build classification models by training classifiers with datasets of malware and features that collected from static or dynamic analysis. The learned classification models are then used to detect malicious android apps and classify them into their families. Problem statement

• Currently, the majority of malware detection systems are focusing mobile malware in general. Similarly, no detection solution is available in the literature targeting mobile applications involved in root exploit activities.
• What are the most important structural features that an intruder can use to design root exploits in Android based mobile apps?· How to classify root exploit from malicious corpus using machine learning techniques?

Aims and objective

Mobile devices such as smart phones have become one amongst the prominent device of the current century. In the similar way, Android operating system recognize as most popular operating system used by smart phone. As a result, android has become one of the most interesting targets for malware writers. Different types of android malwares are Botnet, root exploit, send sms, GPS Position and banking Trojan. An appropriate detection system of android malware are often useful to avoid such quite malware. This study will focus on the detection of a special malware called root exploit with the help of machine learning.

It has been observed that current android malware detection techniques may not applied to specific root exploit malware. Root exploit malware are considered as the most dangerous android malware which gain the root privileges. Several techniques have been introduced by the researchers. we will used machine learning classifier to separate the root exploit from benign applications on the basis of features that are extracted by static analysis of android APK.Thesis Breakdown: The structure of this thesis is organized as follows.

Chapter 2 presents related work about the static and dynamic malware detection in Android environment. Chapter 3 shows the implementation of this study which covers the framework, used tools, datasets, extracting and selecting features, and training machine learning classifiers. Chapter 4 demonstrates the results, and performance evaluation of the classifiers. Chapter 5 concludes the study work, emphasizes our findings, and suggests further potentials for future work for our proposed approaches in this thesis. CHAPTER NO 22. Literature ReviewGenerally there exist two malware detection methods known as static analysis and dynamic analysis [2]. . In dynamic study the applications are executed in a secure sandbox environment and collect runtime traces from each application for malicious intension. While static analysis focus on the techniques to reverse engineer the application by recreating the code of algorithm and program.

Mobile application analysis system which used both static analysis and dyamic analysis to detect hidden malware [3]. Static analysis introduced two additional features for malware analysis,native permissions and intent-priority including common features of permissions and function calls. Sandbox is used to find the malicious action which can be present in the application uploaded by user. System trace the short message sending initiated via an application instead of user, android emulator is modified. Python programming language employs to set up a technique named UnipDroid,which uses good discriminative feature to discern benign applications from malware applications. [4]. Machine learning classification algorithms are utilized after the static analysis of large data set from android application to find most per formant algorithm in terms of accuracy and speed. Result shows that unipdroid is efficient and effective. Dynamic analysis cannot manage storage space it only detects and prevent mobile malware[5]. Cloud service can detect the malware and predict the behavior of mobile malware but cannot prevent mobile malware. A new model which integrate the features of cloud service and dynamic analysis is a better solution to detect and prevent mobile malware. It is discussed in[6] understanding the current state-of-the-art static analysis research techniques used in the analysis of malware. Static analysis techniques can be used to address many software questions raised during different software lifecycles stages. It is found four high-level archetypal motivations for using malware-specific static analysis techniques across the development and maintenance detection techniques is analyzed by a comprehensive survey[7]. Security models and protection mechanism in most popular platforms for smart devices is discussed in depth. At the same time, observed in review how malware has progressed recently in most accepted platform through suspicious actions,practiced goals and sharing policies. Proposed system provide the detection technique using static analysis with creator information [8]. System achieve the almost cent percent accuracy to detect malware by checking particular parts of applications based on functionality and permissions. At the same time similarity scoring algorithm help to recognize malware families. That’s why system is considered as better solution to detect and classify malware. Generally an ordinary user who have an access of smart phone is not familiar with the possible risk. [9]. Due to this explanation, categorization of malware applications is necessary.

Different features are helpful to recognize a malware and method to analyze it. A set of result are collected which prove an ordinary user can easily recognize the malicious application before installing it on smart phone. It is discussed in[10] Root-exploit is one of the dangerous malware that attacks victim’s mobile device, and aims to gain root privileges. By gaining it, attackers are able to install any possible types of malware on the victim’s mobile device. An evaluation using machine learning is described to detect root exploit. It uses system-command,directory path and code based as features. The features are selected and evaluated in three machine learning classifiers: multilayer perceptron, random forests and naïve bayes. The experimental result exceeds 90 percent accuracy. Machine learning algorithms which are already being developed applied for behavioral analysis of android malware[11]. It explains a structure for automatically Training and Evaluating Android Malware classifiers. To classify and detect unknown malicious applications study discuss various solutions whichuse machine learningas a tool to counter android malwares that examine features of application. Android malware recognition technique which explain how static analysis joined with machine learning to filter large set of applications [12]. After automated static break down of samples Bayesian classification model is exercised. Results shows that 90% detection rate obtainable with this approach. At the same time, it is promising approach to filter android application which are continuously adding in Market.