Perceptive Computing for Android Threats: Unveiling Jekyll and Hyde Syndrome in Scareware
DOI: https://doi.org/10.31436/ijpcc.v11i1.531
Keywords: Android, dynamic, scareware, static analysis, malware analysis, machine learning
Abstract
This paper spotlights Android scareware, relating its deceptive behavior to the dual personality syndrome of Jekyll and Hyde, as described in The Strange Case of Dr. Jekyll and Mr. Hyde. Modern scareware employs sophisticated evasion techniques, including metamorphic and polymorphic obfuscation, enabling it to alter its code structure during propagation. Additionally, anti-emulator techniques allow scareware to detect emulation environments and conceal malicious activities. To address these challenges, we propose a hybrid approach that combines static and dynamic analysis, leveraging features derived from unreferenced strings and network flow. This method enhances detection by uncovering scareware's dual behaviors. Using five classifiers, we construct models to address three detection scenarios: identifying malicious Android apps, categorizing apps by scareware type, and classifying apps into scareware families. Tested on a dataset of 1,350 samples, the proposed method outperforms existing approaches, achieving over 90% accuracy across all scenarios with an average false positive rate of just 0.04
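The abstract describes a hybrid pipeline: static features from strings the app ships but never references, dynamic features from the network flows it produces, and a classifier trained on the combined vector. The following is an added illustration of that pipeline, written for this page and not code from the paper. It assumes a simplified model of a DEX string pool plus the subset of strings reachable code loads, a simplified flow record, and constructed sample apps (all hostnames, strings and byte counts are made up); a small z-scored nearest-centroid model stands in for the five classifiers the paper evaluates, and because it is keyed by label it serves the binary, type and family scenarios alike.

```python
"""Added example (not the paper's code): hybrid static + network-flow
features for Android scareware detection. Static side: DEX string pool vs.
strings reachable code actually loads. Dynamic side: flows seen at runtime.
All sample data is constructed."""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticView:
    string_pool: tuple[str, ...]   # every entry in the DEX string table
    referenced: frozenset[str]     # entries loaded by const-string in reachable code

@dataclass(frozen=True)
class Flow:
    dst: str          # destination host observed during the dynamic run
    dport: int
    bytes_out: int
    bytes_in: int

FEATURES = ("unref_count", "unref_ratio", "unref_urls", "unref_opaque",
            "distinct_hosts", "nonstd_ports", "out_in_ratio")
URL_RE = re.compile(r"https?://|\bwww\.", re.IGNORECASE)
OPAQUE_RE = re.compile(r"^[A-Za-z0-9+/=]{16,}$")   # base64-like run, no separators

def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def unreferenced_strings(view: StaticView) -> list[str]:
    """Strings the app carries but no reachable code ever loads (the dormant half)."""
    return [s for s in view.string_pool if s not in view.referenced]

def extract_features(view: StaticView, flows: list[Flow]) -> list[float]:
    """Fixed-order feature vector matching FEATURES."""
    unref = unreferenced_strings(view)
    opaque = [s for s in unref if OPAQUE_RE.match(s) and shannon_entropy(s) > 3.5]
    bytes_out = sum(f.bytes_out for f in flows)
    bytes_in = sum(f.bytes_in for f in flows)
    return [
        float(len(unref)),
        len(unref) / max(1, len(view.string_pool)),
        float(sum(1 for s in unref if URL_RE.search(s))),
        float(len(opaque)),
        float(len({f.dst for f in flows})),
        float(sum(1 for f in flows if f.dport not in (80, 443))),
        bytes_out / max(1, bytes_in),        # upload-heavy apps exfiltrate or beacon
    ]

class NearestCentroid:
    """z-scored nearest-centroid model; a stand-in for the paper's classifiers.
    Works for any label set, so it covers binary, type and family scenarios."""

    def fit(self, X: list[list[float]], y: list[str]) -> "NearestCentroid":
        n, d = len(X), len(X[0])
        self.mu = [sum(x[j] for x in X) / n for j in range(d)]
        self.sigma = [math.sqrt(sum((x[j] - self.mu[j]) ** 2 for x in X) / n) or 1.0
                      for j in range(d)]                      # 1.0 for constant features
        groups: dict[str, list[list[float]]] = {}
        for x, label in zip(X, y):
            groups.setdefault(label, []).append(self._scale(x))
        self.centroids = {label: [sum(v[j] for v in vs) / len(vs) for j in range(d)]
                          for label, vs in groups.items()}
        return self

    def _scale(self, x: list[float]) -> list[float]:
        return [(x[j] - self.mu[j]) / self.sigma[j] for j in range(len(x))]

    def predict(self, x: list[float]) -> str:
        z = self._scale(x)
        return min(self.centroids, key=lambda label: math.dist(z, self.centroids[label]))

# Constructed training corpus: (static view, flows, label). Scareware samples
# carry payment URLs, C2 hosts and opaque blobs that no code path references.
SAMPLES = [
    (StaticView(("Settings", "OK", "Cancel", "https://api.example.test/v1"),
                frozenset({"Settings", "OK", "Cancel", "https://api.example.test/v1"})),
     [Flow("api.example.test", 443, 900, 6400)], "benign"),
    (StaticView(("Login", "Password", "https://auth.example.test/"),
                frozenset({"Login", "https://auth.example.test/"})),
     [Flow("auth.example.test", 443, 700, 2100)], "benign"),
    (StaticView(("OK", "Scan now", "WARNING: 3 viruses found!", "c2.example.test",
                 "http://fake-av.example.test/pay.php", "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q="),
                frozenset({"OK", "Scan now"})),
     [Flow("c2.example.test", 8080, 5000, 300), Flow("ads.example.test", 80, 1200, 900)],
     "scareware"),
    (StaticView(("Continue", "Battery damaged!", "http://pay2.example.test/index.php",
                 "ZXhhbXBsZSBvcGFxdWUgcGF5bG9hZCBibG9i"), frozenset({"Continue"})),
     [Flow("pay2.example.test", 8080, 4000, 400)], "scareware"),
]

# Constructed unseen app for the binary (malicious vs benign) scenario.
UNKNOWN_VIEW = StaticView(("OK", "Virus detected! Pay to clean",
                           "http://clean.example.test/pay.php", "dGhpcyBpcyBhbm90aGVyIGJsb2I="),
                          frozenset({"OK"}))
UNKNOWN_FLOWS = [Flow("clean.example.test", 8080, 3500, 250)]

def train_model() -> NearestCentroid:
    X = [extract_features(v, f) for v, f, _ in SAMPLES]
    return NearestCentroid().fit(X, [label for _, _, label in SAMPLES])

if __name__ == "__main__":
    print(dict(zip(FEATURES, extract_features(UNKNOWN_VIEW, UNKNOWN_FLOWS))))
    print("verdict:", train_model().predict(extract_features(UNKNOWN_VIEW, UNKNOWN_FLOWS)))
```

The point of combining the two views is visible in the unknown sample: an emulator run that never triggers the payment screen still leaves the URL and the opaque blob in the string pool, while the upload-heavy flow to a non-standard port corroborates it at runtime. Replacing the centroid model with the paper's five classifiers only changes the `fit`/`predict` pair; the feature extraction is the part that carries the hybrid idea.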