Understanding Android Financial Malware Attacks: Taxonomy, Characterization, and Challenges
DOI: https://doi.org/10.13052/2245-1439.732
Keywords: Adware, Android malware, banking, behavioral analysis, financial malware, malware characterization, taxonomy, ransomware, scareware, SMS malware
Abstract
With the increasing number of finance-related malware samples, the security community has turned its attention to Android financial malware. However, what constitutes Android financial malware is still ambiguous. A comprehensive understanding of existing Android financial malware attacks, supported by a unified terminology, is required before reliable defence mechanisms against these attacks can be deployed. In this paper we address this issue and devise a taxonomy of Android financial malware attacks. With the proposed taxonomy we intend to give researchers a better understanding of these attacks, explore the characteristics of Android financial malware, and provide a foundation for organizing research efforts within this field. To evaluate the proposed taxonomy, we gathered a large collection of Android financial malware samples representing 32 families, selected according to the main characteristics defined in the taxonomy. We characterize these families in terms of malware installation, activation and attacks, and derive a set of research questions: how does the malware spread to Android users? how does the malware activate itself on the phone? and what happens after the malware has reached the Android system? The evaluation and characterization of this taxonomic model suggest that automatic malware categorization is feasible; such categorization can save malware analysts the time needed to correlate the various symptoms of malicious behavior, and the resulting systematic overview of malware capabilities can help analysts during triage to prioritize which samples to scrutinize. We also identify a number of challenges related to Android financial malware that create opportunities for future research.
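The abstract describes correlating observed symptoms along the installation, activation and attack dimensions into taxonomy categories and using the result to order a triage queue. The sketch below is an added illustration of that idea, not code from the paper: the category names are the attack types listed in the paper's keywords, but the behavior indicators, the two-indicator matching threshold, the priority weights and the sample profiles are all this example's own assumptions and constructed data, not the paper's taxonomy or dataset.

```python
"""Rule-based triage sketch for Android financial malware (added example).

Categories are the attack types named in the paper's keywords (adware,
banking, ransomware, scareware, SMS malware). The behaviour indicators,
threshold and priorities below are assumptions made for this example,
not the paper's taxonomy.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed behaviour indicators per attack category.
ATTACK_INDICATORS: Dict[str, Set[str]] = {
    "banking": {"overlays_bank_app", "intercepts_sms_otp", "harvests_credentials"},
    "ransomware": {"encrypts_user_files", "locks_screen", "demands_payment"},
    "scareware": {"fake_infection_alert", "demands_payment"},
    "sms_malware": {"sends_premium_sms", "hides_sms_replies"},
    "adware": {"pushes_notification_ads", "injects_ads"},
}

# A category is assigned only when this many of its indicators are seen,
# so a single shared symptom (e.g. demands_payment) never decides alone.
MIN_MATCHES = 2

# Assumed triage weights: direct monetary loss first, nuisance last.
TRIAGE_PRIORITY: Dict[str, int] = {
    "banking": 5, "ransomware": 4, "sms_malware": 3, "scareware": 2, "adware": 1,
}


@dataclass(frozen=True)
class Sample:
    """Observed behaviour of one sample along the three dimensions."""
    name: str
    installation: frozenset  # how it reached the device
    activation: frozenset    # what triggers it on the device
    attack: frozenset        # what it does once running


def categorize(attack_indicators: Set[str]) -> Set[str]:
    """Map observed attack behaviour to zero or more attack categories.
    A sample may match several categories (e.g. locker ransomware that
    also shows a fake infection alert matches ransomware and scareware)."""
    return {
        cat for cat, indicators in ATTACK_INDICATORS.items()
        if len(attack_indicators & indicators) >= MIN_MATCHES
    }


def priority(categories: Set[str]) -> int:
    """Triage score: the highest-weighted matched category; 0 if none."""
    return max((TRIAGE_PRIORITY[c] for c in categories), default=0)


def triage(samples: List[Sample]) -> List[dict]:
    """Profile each sample and order the queue by descending priority,
    breaking ties by number of categories, then by name."""
    profiles = []
    for s in samples:
        cats = categorize(set(s.attack))
        profiles.append({
            "name": s.name,
            "installation": sorted(s.installation),
            "activation": sorted(s.activation),
            "categories": sorted(cats),
            "priority": priority(cats),
        })
    profiles.sort(key=lambda p: (-p["priority"], -len(p["categories"]), p["name"]))
    return profiles


# Constructed samples for illustration (not from the paper's dataset).
SAMPLES = [
    Sample("sample-a", frozenset({"repackaged_app"}), frozenset({"boot_completed"}),
           frozenset({"overlays_bank_app", "intercepts_sms_otp"})),
    Sample("sample-b", frozenset({"third_party_market"}), frozenset({"user_launch"}),
           frozenset({"fake_infection_alert", "locks_screen", "demands_payment"})),
    Sample("sample-c", frozenset({"third_party_market"}), frozenset({"sms_received"}),
           frozenset({"sends_premium_sms"})),  # one symptom only: stays uncategorized
    Sample("sample-d", frozenset({"official_market"}), frozenset({"user_launch"}),
           frozenset({"pushes_notification_ads", "injects_ads"})),
]

if __name__ == "__main__":
    for p in triage(SAMPLES):
        print(p["priority"], p["name"], p["categories"], p["installation"], p["activation"])
```

The threshold is the point of the sketch: a symptom shared across categories (here the payment demand common to scareware and ransomware) is not enough on its own, and a sample with a single observed symptom is deliberately left uncategorized rather than guessed, which is the kind of case an analyst would want flagged for manual review rather than silently filed.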