Understanding Android Financial Malware Attacks: Taxonomy, Characterization, and Challenges

Authors

  • Andi Fitriah Abdul Kadir Canadian Institute for Cybersecurity (CIC), University of New Brunswick, New Brunswick, Canada
  • Natalia Stakhanova Canadian Institute for Cybersecurity (CIC), University of New Brunswick, New Brunswick, Canada
  • Ali A. Ghorbani Canadian Institute for Cybersecurity (CIC), University of New Brunswick, New Brunswick, Canada

DOI:

https://doi.org/10.13052/2245-1439.732

Keywords:

Adware, Android malware, banking, behavioral analysis, financial malware, malware characterization, taxonomy, ransomware, scareware, SMS malware

Abstract

With the increasing number of financially motivated malware samples, the security community has turned its attention to Android financial malware. However, what constitutes Android financial malware is still ambiguous. A comprehensive understanding of the existing Android financial malware attacks, supported by a unified terminology, is required before reliable defence mechanisms against these attacks can be deployed. In this paper we address this issue and devise a taxonomy of Android financial malware attacks. With the proposed taxonomy we intend to give researchers a better understanding of these attacks, explore the characteristics of Android financial malware, and provide a foundation for organizing research efforts within this specific field. To evaluate the proposed taxonomy, we gathered a large collection of Android financial malware samples representing 32 families, selected on the basis of the main characteristics defined in the taxonomy. We discuss the characterization of these families in terms of malware installation, activation and attacks, and derive a set of research questions: how does the malware spread to Android users? how does the malware activate itself on the phone? and what happens after the malware has reached the Android system? Evaluation and characterization of this taxonomic model for Android financial malware indicates that automatic malware categorization is feasible, which can save malware analysts the time spent correlating various symptoms of malicious behaviour; this combination provides a systematic overview of malware capabilities, which can help analysts in the malware-triage process when prioritizing which samples to scrutinize. We also identify a number of challenges related to Android financial malware, which create opportunities for future research.


Author Biographies

Andi Fitriah Abdul Kadir, Canadian Institute for Cybersecurity (CIC), University of New Brunswick, New Brunswick, Canada

Andi Fitriah Abdul Kadir is a Ph.D. student and a member of the Canadian Institute for Cybersecurity (CIC) at the University of New Brunswick, Fredericton, Canada. She completed her Master’s degree in Computer Science (Network Security) in 2013 at International Islamic University Malaysia (IIUM). Andi Fitriah was the recipient of the IIUM Academic Excellence Award and is currently attached to IIUM as an academic trainee. She has received several awards from international academic conferences, including Best Poster, Gold Medal, and Best Paper Honorable Mention awards. She works closely with industry on R&D projects. Her current research focus is computer forensics, network security, malware analysis, and machine learning.

Natalia Stakhanova, Canadian Institute for Cybersecurity (CIC), University of New Brunswick, New Brunswick, Canada

Natalia Stakhanova is an Assistant Professor and the New Brunswick Innovation Research Chair in Cyber Security at the University of New Brunswick, Canada. Her work revolves around building secure systems and includes mobile security, IoT security, software obfuscation & reverse engineering, and malicious software. Working closely with industry on a variety of R&D projects, she developed a number of technologies that resulted in 3 patents in the field of computer security. Natalia Stakhanova is the recipient of the UNB Merit Award, the McCain Young Scholar Award and the Anita Borg Institute Faculty Award.

Ali A. Ghorbani, Canadian Institute for Cybersecurity (CIC), University of New Brunswick, New Brunswick, Canada

Ali A. Ghorbani currently serves as Director of the Canadian Institute for Cybersecurity (CIC) at the University of New Brunswick, Fredericton, Canada. Dr. Ghorbani is the co-Editor-in-Chief of Computational Intelligence, an international journal. He has supervised more than 150 research associates, postdoctoral fellows, and undergraduate and graduate students, authored more than 250 research papers in journals and conference proceedings, and edited 11 volumes. He is the co-inventor of 3 patents in the area of network security. His current research focus is cybersecurity, complex adaptive systems, critical infrastructure protection, and web intelligence.


Published

2018-02-18

How to Cite

Abdul Kadir AF, Stakhanova N, Ghorbani AA. Understanding Android Financial Malware Attacks: Taxonomy, Characterization, and Challenges. JCSANDM [Internet]. 2018 Feb. 18 [cited 2024 Apr. 25];7(3):1-52. Available from: https://journals.riverpublishers.com/index.php/JCSANDM/article/view/5305

Section

Articles