Please use this identifier to cite or link to this item: http://localhost:8081/jspui/handle/123456789/18026
Full metadata record
DC Field | Value | Language
dc.contributor.author | Arora, Anshul | -
dc.date.accessioned | 2025-08-01T12:07:51Z | -
dc.date.available | 2025-08-01T12:07:51Z | -
dc.date.issued | 2021-04 | -
dc.identifier.uri | http://localhost:8081/jspui/handle/123456789/18026 | -
dc.guide | Peddoju, Sateesh Kumar | en_US
dc.description.abstract | Smartphones, in today’s era, have become ubiquitous because of the fascinating capabilities provided by them, for instance, sending and receiving emails, online shopping, mobile Internet browsing, location-based services, etc., apart from regular calling and messaging features. Additionally, a user-friendly app interface is present in most smartphones that allows users to download a variety of apps according to their needs. The popularity of smartphones can be seen from the fact that their sales have surpassed the sales of desktops and laptops in the past few years. However, with such an increase in their popularity, there has been an analogous increase in malware attacks targeting smartphones. On average, nearly 4 lakh mobile malware samples have been detected per month from March 2016 to March 2020, and more than 97% of them target the Android platform. Factors such as the availability of third-party app markets to download apps, confidential information stored in the devices, and the presence of sensors in the devices with the capability to leak sensitive data are the primary reasons behind the increase in malware attacks against smartphones. If a smartphone gets compromised by any malware, it may cause many serious threats such as financial loss, system damage, data loss, and privacy leakage. This thesis aims to design and develop models to detect smartphone malware. Since the majority of smartphone malware targets Android, this thesis aims to design novel techniques to detect Android malware. We first present an in-depth analysis of how smartphone malware has evolved over the past few years, their ways of infection, threats posed by them, and a comprehensive review of the related works in the field of malware detection, both desktop-based and smartphone-based. We also observe why desktop-based malware detection mechanisms cannot be applied to detect smartphone malware.

In this thesis, we propose different methods to detect Android malware with better accuracy. More precisely, first, we introduce PermPair, an effective static mechanism to detect malicious Android apps by analyzing permission pairs. To the best of our knowledge, none of the existing works analyze permissions in pairs in malware and normal datasets. The proposed model generates malware and normal graphs, representing permission pairs, and further uses these graphs for malware detection. The results highlight that the proposed model is effective in detecting malware samples and is better than 11 of the 13 mobile anti-virus apps available on VirusTotal. To analyze the run-time behavior of malicious Android apps, we next propose a dynamic network traffic-based approach for Android malware detection. We extract 22 features from the captured network traffic of normal and malware samples, rank them with statistical tests, and propose a novel algorithm to identify the best set of features that could give better detection accuracy. To the best of our knowledge, none of the related works in the literature aim to rank the traffic features to detect Android malware. The results of the proposed approach highlight that the model can effectively detect Android malware with the best set of 9 traffic features amongst 22 features. We next present another dynamic model, named NetFlowDroid, to study the network traffic of encrypted Android malware. Some malware samples employ encryption techniques while communicating with their remote servers. We observe that none of the existing works in the literature analyze traffic patterns of encrypted Android malware. Hence, we study how the traffic patterns in encrypted Android malware differ from unencrypted malware and normal Android traffic. We apply clustering algorithms to cluster the traffic patterns in three categories: encrypted Android malware, unencrypted Android malware, and normal traffic. We further propose a novel algorithm to detect encrypted and unencrypted Android malware based upon the clusters generated. The results prove that the proposed model is effective in detecting encrypted Android malware samples. | en_US
dc.language.iso | en | en_US
dc.publisher | IIT Roorkee | en_US
dc.subject | Android Malware, Android Security, Mobile Security, Static Detection, Permissions, Dynamic Detection, Network Traffic, Encrypted Malware, Clustering, Hybrid Detection, Machine Learning | en_US
dc.title | DESIGN AND DEVELOPMENT OF MODELS FOR MOBILE MALWARE DETECTION | en_US
dc.type | Thesis | en_US
Appears in Collections: DOCTORAL THESES (CSE)

Files in This Item:
File | Description | Size | Format
ANSHUL ARORA 14911009.pdf | | 14.43 MB | Adobe PDF

Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.