A Survey on the Detection of Android Malicious Apps

Android-based smart devices are exponentially growing, and due to the ubiquity of the Internet, these devices are globally connected to the different devices/networks. Its popularity, attractive features, and mobility make malware creator to put a number of malicious apps in the market to disrupt and annoy the victims. Although to identify the malicious apps, time-to-time various techniques are proposed. However, it appears that malware developers are always ahead of the anti-malware group, and the proposed techniques by the anti-malware groups are not sufficient to counter the advanced malicious apps. Therefore, to understand the various techniques proposed/used for the identification of Android malicious apps, in this paper, we present a survey conducted by us on the work done by the researchers in this field.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

02/23/2018

An investigation of the classifiers to detect android malicious apps

Android devices are growing exponentially and are connected through the ...
06/23/2018

Automatic Investigation Framework for Android Malware Cyber-Infrastructures

The popularity of Android system, not only in the handset devices but al...
04/03/2019

Group-wise classification approach to improve Android malicious apps detection accuracy

In the fast-growing smart devices, Android is the most popular OS, and d...
11/07/2017

Contaminant Removal for Android Malware Detection Systems

A recent report indicates that there is a new malicious app introduced e...
07/16/2020

Less is More: A privacy-respecting Android malware classifier using Federated Learning

Android remains an attractive target for malware authors and as such, th...
03/31/2020

When the Guard failed the Droid: A case study of Android malware

Android malware is a persistent threat to billions of users around the w...
12/05/2021

On Impact of Semantically Similar Apps in Android Malware Datasets

Malware authors reuse the same program segments found in other applicati...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

In 1992 International Business Machines Corporation came up with a prototype mobile computing device incorporating with the Personal Digital Assistant features (demonstrated it in the Computers Dealer’s Exhibition). Later on, Simon Personal Communicator first designed a device that was referred as smart device/phone which receives calls, sends faxes, emails and more. The smart devices/phone technology continued to advance throughout early 2000, and in 2007 Android-based smart device was unveiled by Google. Since then the popularity/demand for Android-based smart devices is continuously growing. An estimate shows that more than 15 billion smart devices are connected globe-wise and are expected to be reaching 200 billion by the end of the year 2020

[8]. Also, due to the mobility and the attractive features of these devices have drastically changed our day-to-day life. Many of these functionalities are very much similar to our other information technology systems and are capable to remotely access the enterprise’s data for the work. In addition, because of the ubiquity of Internet ubiquity, the user uses these devices for the shopping, financial transactions, share private information/data, etc. [21]. Hence, the security risks of the smart devices are now at never seen before levels, hence an attractive target for online attackers. Also, nowadays online criminal are investing more and more for the sophisticated attacks, e.g., ransomware or to steal the valuable personal data/information from it.

Today in the growing smart devices, Android is the most popular operating system (OS) ( 70% of the market share) [13], and are connected to different devices/networks through the Internet (five out of six mobile phones are Android based [37]). The popularity of Android OS is because of its open source, java supported free rich software developer’s kit, exponential increase in the Android-based apps, and third-party distribution. According to Statista, in addition to the third-party Android apps, at Google Play store, there are 2 apps are available for the users [41], and some of these apps may be malicious [1]

. Therefore, the probability of the malware in the Android smart devices is now at never seen before levels. Thus attacks on the Android-based smart devices are increasing exponentially, basically due to the ease of creating the variants of malware

[42] [6]. In 2013, there was a 200% increase in the malicious apps, and 3.7 million of variants added in McAfee’s database [7]. In 2015, Kaspersky reported that the growth rate of new malware variant is 300% with 0.88 million new variants [20]. The number of malicious installations found in 2015 was around three million, and around seven thousand mobile banking Trojans were also found in the same year [19]. In the 3rd quarter of 2015 Quick Heal Threat Research reported that per day they had received samples of the Windows and Android platforms [21]. Trend Micro estimated that the number of malicious mobile apps would reach 20 million by the end of 2017 [9]. In this, stepping up its fight against bad apps and malicious developers, Google has removed over 700,000 Android apps (i.e., 70% more apps that violated the Google Play policies in 2017 than the apps they removed in 2016) from Play Store and also took down as many as 100,000 bad developers in 2017 [2].

The recent attacks on Android devices show that the security features in these devices are not good enough to stop the adversary [38]. Therefore, its a need of time to design a robust anti-malware, in particular, to counter zero-day attack [35]. Also, it is an open question, how to detect the variants of malicious Android apps which are concealed in the 3rd party apps markets [1], and how to find the repackaged apps in the ocean of Android apps. In addition, to avoid the deployed detection methods, malware developer uses various obfuscation techniques [36]. Hence, any gap in the security of the Android smart devices will allow the attacker to access the information stored in it. To defend the attack/threat from the Android malicious apps, a number of static and dynamic methods were proposed [4], [22],[26], [11]. But still, it appears that to defend the malicious apps, the proposed techniques are not good enough in the growing smart devices usage in our day-to-day life [35]. Thus, Android based smart devices security is one of the important fields to be addressed, and understanding the market share of the Android-based smart devices, in this paper to know the various techniques proposed/used to identify the Android malicious apps, in section 2, to understand security mechanism of the Android devices we discuss in brief that how user data and its resources are secure by providing the features viz. sandbox, permission, secure inter-component communication, and signing the apps. In section 3, we present the survey conducted by us on the work done by the researchers in this field. Finally, in section 4, we summarize our conclusion.

2 Security Mechanisms

The security of the Android-based devices are mainly focused to protect the user data, its resources, and isolation of the application by providing the features viz. sandbox, permission, secure inter-component communication, and signing the apps. In this, the sandbox in the Android based system isolate the apps from each other by the user ID (UID) and permissions. After installation, the apps runs in its assigned sandbox and can access only its own resources, unless other apps give explicit access permission to this applications. However, if the apps are designed by the same developer, then such apps can share the same UID and can run in the same sandbox to share resources/data between them.

Android apps consist of four components viz., services, broadcasts, activities, and providers. Similar to Inter Processes Communication in the Linux system, it provides a secure Inter-Component Communication by binder mechanism (middleware layer of Android). Inter-Component Communication is achieved by the intents/message, and these intents are explicitly used for the communication, if it identifies the receiver name, or used for implicit communication that allows the receiver to know that can it access this intent or not.

Application signing creates a certification between developers and their applications to ensure the security of the apps, and before putting it in its sandbox, it makes a relationship between the apps and UID. Without application signing, apps will not run. If two or more apps have the same UID, then all the apps which have the same UID can communicate with each other, share the permissions and can run in the same sandbox. By the application singing, apps update process can be simplified. The updated new version will have all the permissions that the old version has, and also the certificate does not change so that the package manager can verify the certificate. It also makes sure that without using Inter-Component Communication, apps cannot communicate with another apps. However, if the apps are developed by the same developer, then the developer without changing the application signing can enable the direct communication between the same developer apps.

In these smart devices, there are four levels of permissions viz. signatureOrSystem (granted to the apps that are installed by the root or pre-installed apps), signature (granted within the same sandbox), dangerous (granted by the users) and normal (granted automatically) permissions. In total there are 235 permissions out of which 163 are hardware accessible and remaining are for user information access [24]. Before installation of the apps, the system asks the users to grant all requested permissions, if users agree and grant the requested permissions to the apps, then in general installation becomes successful else it may get canceled. These permissions mechanisms put some restriction when the apps want to access the application programming interface (API) which are sensitive to the OS. The Android apps run in the sandbox, and if it needs to access resources/data outside its sandbox which could potentially affect the user’s privacy/data viz. short message service, contacts, camera, location, etc. then the user has to approve/reject the permission.

3 Detection of Android Malicious Apps

To identify the Android malicious apps, static and dynamic analysis are the two basic methods that are used [17]

. In both the methods classifiers are first trained with a dataset for the classification of apps. However, in static analysis, apps are analyzed without executing it to extract some patterns viz. APIs used, data flow, permissions, control flow, intents, etc. Whereas, in the dynamic analysis the codes are analyzed during the execution of the apps, and monitoring its dynamic behavior (resources usage, tracing system calls, API call, network traffic, etc.) and the response of the system. In this, in 2009, understanding that the users do not understand what applications will do with their data/resources, and thus not able to decide which permissions shall be allowed to the application to run with, Fuchs, et al.,

[12] proposed a tool called SCANDROID (suppose to be the first program analysis tool for the Android-based devices) which can extracts security specifications from the applications, and can identify that the data flow of such apps are consistent with the specification or not.

In 2012 Sanz. et al. [28]

based on machine-learning techniques proposed a method to detect the Android malicious apps by automatically characterize the applications. For the classification, the feature sets used are the printable strings, apps permissions, and the apps permissions extracted from the Android Market. Their experiment with seven different categories (820 samples) and five classifiers shows that among the selected five classifiers, Bayes Tree Augmented Naive Bayes is the best classifier (0.93 area under the curve (AUC)), while random forest (RF) stands second in the investigated classifier (0.9 AUC), and among the analyzed classifier, the worst was Decision Tree with J48 (0.64 AUC). Wu. et al., based on the static feature proposed a technique called

DroidMat, to detect the Android malicious apps which analyze AndroidManifest.xml and the systems calls. For the experiment, they used 238 malicious and 15000 benign programs and claimed that their approach is very effective (97.87% accuracy), scalable and efficient [43].

In 2013 Michael et al. proposed a mobile-sandbox to automatically analyze the Android apps in two steps. In the first step (static analysis), applications Manifest files are parsed and decompiled; then they find that the applications are using suspicious permissions/intents or not. In the next step, dynamic analysis is performed, where the apps are executed to know all the actions including those originating from the associated API calls. They experimented with 36,000 apps from the third-party Asian mobile markets and reported that 24% of all analyzed apps use associated calls. [40]. Min Zheng et al. [45] developed a signature based system called DroidAnalytics for collecting the malware automatically, and to generate signatures for the identification of the malicious code segment. They conducted extensive experiments with 150,368 apps and detected 2,494 malicious apps from one hundred two different families, in which three hundred forty-two of them were zero-day malicious samples from the six different families. They claimed that their methods have significant advantages over the traditional MD5 hash based signature, and can be a valuable tool for the classification of Android malicious apps.

In 2014, a detection method was proposed by Quentin et al. which depends on the opcode-sequences. They tested libsvm and SVM classifier with the reduced data set (11,960 malware and 12,905 benign applications) and obtained 0.89% F-measure. However, their approach is not capable to detect completely different malware [15]. Kevin Allix et al. [3] devised classifiers that depend on the features set that are designed from the apps control flow graphs. They analyzed their techniques with 50,000 Android apps and claimed that their approach outperformed existing machine learning approaches. Also from the analysis, they concluded that for the realistic malware detectors, the 10-fold cross-validation approach on the usual dataset is not a reliable indicator of the performance of the classifier.

The smartphone can act as like a zombie device, controlled by the hackers via command and control servers. It has been found that mobile malware are targeting Android devices to get root level access so that from the remote server they can execute the instructions. Hence, such type of malware will be a big threat to the homeland security. Therefore Seo, et al. [30] discusses the defining characteristics which are inherent in the devices and shown the feasible mobile attack scenario against the Homeland security. They analyze various mobile malware samples viz. monitoring the home and office, banking, flight booking and tracking, from both the unofficial and official market to identify the potential vulnerabilities. Their analysis shows that the two banking apps (axis and mellat bank app) charges SMS for malicious activities and two other banking apps was modified to get permissions without the consent. Finally, they discuss an approach that mitigates the Homeland Security from the malware threats.

In 2015, Jehyun Lee et al. developed a technique to detect the malicious apps that use automated extraction of the family signature. They claimed that compare to earlier behavior analysis techniques their proposed family signature matching detection accuracy is high and can detect variants of known malware more accurately and efficiently than the legacy signature matching. Their results were based on the analysis done with the 5846 real Android malicious apps which belong to 48 families collected in April 2014 and achieved 97% accuracy. Smita et al. [23] addressed the problem of system-call injection attack (inject independent and irrelevant system-calls when programs are executing) and proposed a solution which is evasion-proof and is not vulnerable to the system-call injection attacks. Their technique characterizes the program semantics by using the property of asymptotic equipartition, which allows to find the information-rich call sequences to detect the malicious apps. According to their analysis, the semantically-relevant paths can be applied to know the malicious behavior and also to identify the number of unseen/new malware. They claimed that the proposed solution is robust against the system-call injection attacks and are effective to detect the real malware instances.

In 2016, a host-based Android malicious apps detection system called Multi-Level Anomaly Detector for Android Malware (MADAM) has been proposed by Saracino, et al. [29]. Their system at the same time can analyze and correlates the features at 4 levels viz., application, kernel, user and package to identify. It stopped the malicious behaviors of one hundred twenty-five known malware families, encompasses most of the malware. They claimed that MADAM could understand the behaviors characteristics of almost all the real malicious apps which can be known in the wild, and it can block more than 96% of Android malicious apps. Their analysis on 9,804 clean apps shows low false alarm rate, limited battery consumption (4% energy overhead), and negligible performance overhead. BooJoong et al. [16], proposed an n-opcode based static analysis for the classification and categorizing the Android malware. Their approach does not utilize the defined features viz. permissions, API calls, intents, and other application properties, rather it automatically discovers the features that eliminate the need of an expert to find the required promising features. Empirically they showed that by using the occurrence of n-opcodes, a reasonable classification accuracy can be achieved, and for n = 3 and n = 4, they have achieved F-measure up to 98% for categorization and classification of the malware.

Based on inter-component communication (ICC) related features, Ke Xu et al. [44] proposed a method to identify the malicious apps called ICCDetector, which can capture the interaction between the components or cross application boundaries. They evaluated the performance of their approach with 5264 malware and 12026 benign apps and achieved an accuracy of 97.4%. Also, after manually analyzing, they discovered 43 new malware in the benign data and reduced the number of false positive to seven. Jae-wook Jang et al. [14] proposed a feature-rich hybrid anti-malware system called Andro-Dumpsys, which can identify and classify the malware groups of similar behaviour. They claimed that Andro-Dumpsys could detect the malware and classify the malware families with low false positive (FP) and false negative (FN). It is also scalable and capable to respond zero-day threats. Gerardo Canfora et al. [5] evaluated a couple of techniques for detecting the malicious apps. First one was based on hidden markov model, and the 2nd exploits the structural entropy. They claimed that their approach is effective for Desktops viruses, and can also classify the malicious apps. Experimentally they achieved a precision of 0.96 to differentiate the malicious apps, and 0.978 to detect the malware family [5]. For the detection of malware in runtime, Sanjeev Das et al. [10] proposed a hardware-enhanced architecture calledGuardOL by using field programmable gate arrays

and processor. Their approach after extracting the system calls made the features from the high-level semantics of the malicious behavior. Then the features are used to train the classifier and multilayer perceptron to detect the malicious apps during the execution. The importance of their design was that the approach in the first 30% of the execution detects 46% of the malware, and after 100% of execution 97% of the samples have been identified with 3% FP.

[10].

In 2017, Ali Feizollah et al. [11] proposed AndroDialysis to evaluate how effective is the Android intents (implicit and explicit) as a feature to identify the malicious apps. They showed that the intents are semantically rich features compared to well studied other features viz. permissions, to know the intentions of malware. However, they also concluded that such features are not the ultimate solution, and it should be used together with other known promising features. Their result was based on the analysis of the dataset of 7406 apps (1846 clean and 5560 infected apps). They achieved a 91% detection accuracy by using Android Intent, 83% using Android permission and by combining both the features they obtained the detection rate of 95.5%. They claimed that for the malware detection, Intent is more effective than the permission. Bahman Rashidi et al. [26] proposed an Android resources usage risk assessment called XDroid. They claimed that the malware detection accuracy could be increased significantly by using the temporal behavior tracking, and security alerts of the suspicious behaviors can be generated. Also, in real-time their model can inform users about the risk level of the apps, and can dynamically update the parameters of the model by the user’s preferences and from the on-line algorithm. They conducted the experiment on benchmark Drebin malware dataset and demonstrated that their approach could estimate the risk levels of the malware up to accuracy and with the user input it can provide an adaptive risk assessment.

Recently, Ashu et al. [31] with the benchmark Drebin dataset and first without making any groups, they examine the five classifiers using the opcodes occurrence as a feature for the identification of malicious applications and achieved detection accuracy up to 79.27% by functional tree classifier. They observed that the overall accuracy is mainly affected by the FP. However, highest true positive (99.91%) is obtained by RF and fluctuates least with the number of features compared to the remaining four classifiers. Their analysis shows that overall accuracy mainly depends on the FP of the investigated classifiers. Later on, in 2018, similar to the analysis of Windows Desktop malware classification [32] [34] [27], they group-wise analyzed the dataset based on permissions and achieved up to 97.15% overall average accuracy [33]. They observed that the MICROPHONE group detection accuracy is least while CALENDAR group apps are detected with maximum accuracy, and top 80-100 features are good enough to achieve the best accuracy. As far as the true positive (TP) is concerned, RF gives best TP for the CALENDAR group.

4 Summary

The attack/threat by the malware to the Android-based smart devices which are connected to different devices/networks through the Internet is increasing day-by-day. Consequently, these smart devices are highly vulnerable to the advanced malware, and its effect will be highly destructive if an effective and timely counter-measures are not deployed. Therefore, time-to-time, various static and dynamic methods that have been proposed by the authors for the identification of the Android malicious apps have been discussed in this paper to counter the advanced malicious apps in the fast-growing Internet and smart devices usage into our daily life. Although in literature various survey viz. [25] [18] [39] are available on the detection Android malicious but in this survey, we presented the comparative study of various approaches and the observations done by the various authors understanding that all malware are not of the same type and cannot be detected with one algorithm.

References

  • [1] 9apps. Free android apps download, August 2016.
  • [2] Andrew Ahn. How we fought bad apps and malicious developers in 2017. Technical report, Google Play, January 2018.
  • [3] Kevin Allix, Tegawendé F Bissyandé, Quentin Jérome, Jacques Klein, Yves Le Traon, et al. Large-scale machine learning-based malware detection: confronting the 10-fold cross validation scheme with reality. In Proceedings of the 4th ACM conference on Data and application security and privacy, pages 163–166. ACM, 2014.
  • [4] Daniel Arp, Michael Spreitzenbarth, Malte Hubner, Hugo Gascon, and Konrad Rieck. Drebin: Effective and explainable detection of android malware in your pocket. In NDSS, pages 1–15, 2014.
  • [5] Gerardo Canfora, Francesco Mercaldo, and Corrado Aaron Visaggio. An hmm and structural entropy based detector for android malware: An empirical study. Computers & Security, 61:1–18, 2016.
  • [6] Beek Christiaan, Frosst Douglas, Greve Paula, Gund Yashashree, and Moreno Francisca. Mcafee threats report. Technical report, McAfee, June 2012.
  • [7] Beek Christiaan, Frosst Douglas, Greve Paula, Gund Yashashree, and Moreno Francisca. Mcafee labs threats report. Technical report, McAfee, May 2015.
  • [8] Beek Christiaan, Frosst Douglas, Greve Paula, Gund Yashashree, and Moreno Francisca. McAfee Labs Threats Report. Technical report, 2017.
  • [9] Jon Clay. Trend micro, continued rise in mobile threats for 2016, Nov 2015.
  • [10] Sanjeev Das, Yang Liu, Wei Zhang, and Mahintham Chandramohan. Semantics-based online malware detection: Towards efficient real-time protection against malware. IEEE Transactions on Information Forensics and Security, 11(2):289–302, 2016.
  • [11] Ali Feizollah, Nor Badrul Anuar, Rosli Salleh, Guillermo Suarez-Tangil, and Steven Furnell. Androdialysis: Analysis of android intent effectiveness in malware detection. Computers & Security, 65:121–134, 2017.
  • [12] Adam P Fuchs, Avik Chaudhuri, and Jeffrey S Foster. Scandroid: Automated security certification of android. Technical report, University of Maryland Department of Computer Science, 2009.
  • [13] Nisarg Gandhewar and Rahila Sheikh. Google android: An emerging software platform for mobile devices. International Journal on Computer Science and Engineering, 1(1):12–17, 2010.
  • [14] Jae-wook Jang, Hyunjae Kang, Jiyoung Woo, Aziz Mohaisen, and Huy Kang Kim. Andro-dumpsys: anti-malware system based on the similarity of malware creator and malware centric information. computers & security, 58:125–138, 2016.
  • [15] Quentin Jerome, Kevin Allix, Radu State, and Thomas Engel. Using opcode-sequences to detect malicious android applications. In 2014 IEEE International Conference on Communications (ICC), pages 914–919. IEEE, 2014.
  • [16] BooJong. Kang, S. Y. Yerima, K. Mclaughlin, and S. Sezer. N-opcode analysis for android malware classification and categorization. In 2016 International Conference On Cyber Security And Protection Of Digital Services (Cyber Security), pages 1–7, June 2016.
  • [17] Ankita Kapratwar. Static and dynamic analysis for android malware detection. Master’s thesis, San Jose State University, 2016.
  • [18] Nor Badrul Anuar Rosli Salleh Kimberly Tam, Ali Feizollah and Lorenzo Cavallaro. The evolution of android malware and android analysis techniques. volume 49.
  • [19] Kaspersky Lab. Red alert: Kaspersky lab reviews the malware situation in q3. Technical report, 2014.
  • [20] Kaspersky Lab. Securelist: Mobile malware evolution. Technical report, 2015.
  • [21] Quick Heal Lab. Threat report 3rd quarter, 2015. Quick Heal Lab., http://www.quickheal.co.in/ resources/threat-reports, 2015.
  • [22] Annamalai Narayanan, Liu Yang, Lihui Chen, and Liu Jinliang. Adaptive and scalable android malware detection through online learning. In Neural Networks (IJCNN), 2016 International Joint Conference on, pages 2484–2491. IEEE, 2016.
  • [23] Smita Naval, Vijay Laxmi, Muttukrishnan Rajarajan, Manoj Singh Gaur, and Mauro Conti. Employing program semantics for malware detection. IEEE Transactions on Information Forensics and Security, 10(12):2591–2604, 2015.
  • [24] K Olmstead and M Atkinson. Apps permissions in the google play store. Technical report, Pew Research Center, 2016.
  • [25] Vijay Laxmi Vijay Ganmoor Manoj Singh Gaur Mauro Conti Parvez Faruki, Ammar Bharmal and Muttukrishnan Rajarajan. Android security: A survey of issues, malware penetration, and defenses. IEEE Communication Surveys & Tutorials, 17(2):998 – 1022, 2015.
  • [26] Bahman Rashidi, Carol Fung, and Elisa Bertino. Android resource usage risk assessment using hidden markov model and online learning. Computers & Security, 65:90–107, 2017.
  • [27] Sanjay K. Sahay and Ashu Sharma. Grouping the executables to detect malwares with high accuracy. Procedia Computer Science, 78:667–674, 2016.
  • [28] Borja Sanz, Igor Santos, Carlos Laorden, Xabier Ugarte-Pedrero, and Pablo Garcia Bringas. On the automatic categorisation of android applications. In 2012 IEEE Consumer communications and networking conference (CCNC), pages 149–153. IEEE, 2012.
  • [29] A. Saracino, D. Sgandurra, G. Dini, and F. Martinelli. Madam: Effective and efficient behavior-based android malware detection and prevention. IEEE Transactions on Dependable and Secure Computing, PP(99):1–1, 2017.
  • [30] Seung-Hyun Seo, Aditi Gupta, Asmaa Mohamed Sallam, Elisa Bertino, and Kangbin Yim. Detecting mobile malware threats to homeland security through static analysis. Journal of Network and Computer Applications, 38:43–53, 2014.
  • [31] Ashu Sharma and Sanjay Sahay, K. An investigation of the classifiers to detect android malicious apps. In Information and Communication Technology, Proceedings of ICICT 2016, volume 625, pages 207–217. Springer, 2017.
  • [32] Ashu Sharma and Sanjay K Sahay. An effective approach for classification of advanced malware with high accuracy. International Journal of Security and Its Applications, 10(4):249–266, 2016.
  • [33] Ashu Sharma and Sanjay K. Sahay. Group-wise classification approach to improve android malicious apps detection accuracy. International Journal of Network Security,, 2018, in press.
  • [34] Ashu Sharma, Sanjay K. Sahay, and Abhishek Kumar. Improving the detection accuracy of unknown malware by partitioning the executables in groups. In Advanced Computing and Communication Technologies, pages 421–431. Springer, 2016.
  • [35] Ashu Sharma and Sanjay Kumar Sahay. Evolution and Detection of Polymorphic and Metamorphic Malwares: A Survey. International Journal of Computer Applications, 90(2):7–11, March 2014.
  • [36] Aimoto Shaun, AlKhatib Tareq, Coogan Peter, Corpin Mayee, and DiMaggio Jon. Internet security threat report. Technical report, Symantec, April 2014.
  • [37] Aimoto Shaun, AlKhatib Tareq, Coogan Peter, Corpin Mayee, and DiMaggio Jon. Internet security threat report 2016. Technical report, Symantec Corporation, 2016.
  • [38] Aimoto Shaun, AlKhatib Tareq, Coogan Peter, Corpin Mayee, and DiMaggio Jon. Internet security threat report 2017. Technical report, Symentec, 2017.
  • [39] Alireza Souri and Rahil Hosseini. A state-of-the-art survey of malware detection approaches using data mining techniques. Human-centric Computing and Information Sciences, 8(3):22, 2018.
  • [40] Michael Spreitzenbarth, Felix Freiling, Florian Echtler, Thomas Schreck, and Johannes Hoffmann. Mobile-sandbox: having a deeper look into android applications. In Proceedings of the 28th Annual ACM Symposium on Applied Computing, pages 1808–1815. ACM, 2013.
  • [41] Statista. Number of available applications in the google play store from december 2009 to february 2016, August 2016.
  • [42] Timothy Vidas, Nicolas Christin, and Lorrie Cranor. Curbing android permission creep. In Proceedings of the Web, volume 2, pages 91–96, 2011.
  • [43] Dong-Jie Wu, Ching-Hao Mao, Te-En Wei, Hahn-Ming Lee, and Kuo-Ping Wu. Droidmat: Android malware detection through manifest and api calls tracing. In Information Security (Asia JCIS), 2012 Seventh Asia Joint Conference on, pages 62–69. IEEE, 2012.
  • [44] Ke Xu, Yingjiu Li, and Robert H Deng. Iccdetector: Icc-based malware detection on android. IEEE Transactions on Information Forensics and Security, 11(6):1252–1264, 2016.
  • [45] Min Zheng, Mingshen Sun, and John CS Lui. Droid analytics: a signature based analytic system to collect, extract, analyze and associate android malware. In Trust, Security and Privacy in Computing and Communications (TrustCom), 2013 12th IEEE International Conference on, pages 163–171. IEEE, 2013.