Analysis of Malware Families on Android Mobiles : Detection Characteristics Recognizable by Ordinary Phone Users and How to Fix It

Sales of phones using the Android Operating System (OS) are increasing rapidly: the price is cheaper while the configured hardware is higher, so users readily buy them, and this reach increases the risk of the spread of mobile malware. Most users' understanding of mobile malware is still limited. Malware is growing at a faster rate in both number and level of sophistication, and its variations in particular have created confusion for users; therefore concern about the safety of its users is warranted. In this paper, the author discusses the identification and analysis of malware families on Android mobiles. The author selected the characteristics recognizable by ordinary users, together with their families, from 58 malware families and 1485 malware samples collected, and proposes solutions as recommendations to users before installing apps, with the ultimate aim of mitigating the damage in the Android phone community, especially among ordinary users with limited understanding of the potential hazards. It would help ordinary users identify mobile malware and so mitigate information security risk.


Introduction
In recent years, sales of Android phones have continued to accelerate. Specifically, in 2012 the share of phones using the Android operating system rose from 52.5% to 72.4% compared to 2011, while the iOS operating system fell from 15% to 13.9% compared to 2011, according to Gartner [1]. Applications for the Android operating system from the Android Market are growing to compete with the largest application stores. Now app stores are also developed by third-party markets, not to mention the thousands of everyday applications. According to Xyologic ("Android to overtake Apple soon"), Apple's App Store has now reached 25 billion downloads and Android's app store 10 billion downloads, but both are tracking at 1 billion downloads a month [2].
This increases the amount of malicious software on the Android operating system. According to Kaspersky Lab, in the second quarter of 2012 mobile malware increased threefold. In 2012, 99% of all the mobile malware they detected every month was designed for Android. The most widespread malicious objects detected on Android smartphones can be divided into three main groups: SMS Trojans, advertising modules and exploits to gain root access to smartphones [3]. In addition, 40% of modern smartphone owners do not use antivirus software [4].
While malware is growing rapidly, many ordinary users with easy access to smartphone devices do not have a basic understanding of the potential danger. So we need to classify samples according to similar characteristics, as well as collect new malware to build malware families. Then we can analyze them fully to derive signs recognizable by ordinary users and protective solutions that mitigate the impact and risk of malware before it is installed from the official Android Market or a third-party market.
In this paper, the author first discusses the features used to select samples of malware families and the method to analyze them. Next, in Section 2, the author presents methods and tools to analyze malware samples. In Section 3, the author presents selected results on the features that ordinary users can easily recognize. For the analysis of the samples, the author collected the list from the projects, blogs and threat reports of antivirus companies [5,6] (including existing malware families, with new ones added every day) and the threats that malicious applications can pose. Section 4 shows the detection results with ten representative mobile phone antivirus programs. In Section 5, the author discusses six (6) steps to secure Android phones. Finally, Section 6 is the summary.

Methods and Tools to Analyze Malware Samples
In this section, the author first discusses the features used to select samples of malware families and the methods to analyze them.

Malware Family
The notable feature of a malware family is its closeness, in which certain traits are preserved, including: similar activation, "facial" features, hereditary diseases and a host of other commonalities. One of the most harmful variations is the KungFu malware family. There are variants with different names, KungFuA (KungFu1), KungFuB (KungFu2), KungFuC (KungFu3), KungFuD (KungFu4), KungFuE (KungFu Sapp) and KungFu Lena (Legacy Native), whose properties are analyzed as follows. All KungFu malware is repackaged and downloaded from third-party markets and forums. It adds a new service and a new receiver to the application. With root privilege exploits, it launches the service automatically so that it does not interact with the user. KungFu can collect information on the infected mobile phone, including the IMEI number, phone model and version of Android OS. The first variant, KungFuA, uses Java-based Dalvik code and a single C&C server, and its payload is encrypted with AES. By contrast, KungFuB uses native code and three C&C servers. KungFuC inherits from KungFuB; it exploits a vulnerability that allows local users to gain privileges by sending a NETLINK message (CVE-2009-1185) [7]. KungFuD inherits from KungFuA and encrypts its native binaries. KungFuE inherits from KungFuD, encrypts a few strings to obfuscate its code and uses a custom certificate in the official market [8][9][10]. The structure of the "DroidKungFu" variants is shown in Figure 1.
Its purpose is to evade detection by mobile antivirus software, so antivirus software finds it difficult to detect all the variants effectively (at a rate of 100%).

Methods and Tools to Analyze Android Mobile Malware Sample
The common method for analyzing malware on Android OS is reverse engineering. Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation [10]. Android OS was developed by Google and is based upon the Linux kernel and GNU software; the malware application package files use the .apk extension. They include all of the application's code (.dex files), resources, assets, and manifest file. A .dex file (Dalvik Executable) is the compiled Android application code. Tools for examining the inner workings of Android mobile applications fall into three groups:
1) Command line:
- Tool to unpack the .apk file: WinZip, RAR
- Tool to get the bytecode from the .dex file: for example, smali to compile and baksmali to decompile (or dex2jar and jd-gui), dexdump, ...
The author analyzed a sample (RU.apk) below:
Step 1: The malware is an .apk package; extract its content (example in Figure 2).
Step 2: Use smali.rar to obtain the smali files: the bytecode is extracted from the classes.dex file (example in Figure 3).
Step 3: Open the code contained in the MoviePlayer.smali file; from it you can discover the purpose of the malware (example in Figure 4).
Using the APK tool to decompile to Java sources (Figure 5), Step 2: open the Java class to read the program file (example in Figure 6).
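The walkthrough above reads one sample by hand in baksmali or jd-gui. As an added example, not code from the paper, the following Python script automates the first triage pass a defender would script for the same step: it opens the APK as a zip, walks the string table of classes.dex directly from the dex header, and flags SMS-sending API names and bare short numbers (such as the 3354 seen in Figure 4) so the analyst knows which smali file to read first. The build_test_dex and build_test_apk helpers are constructed stand-ins for a real sample so the script runs offline; real dex files are far larger but use the same header layout.

```python
import io, re, struct, zipfile

SMS_APIS = {"sendTextMessage", "sendMultipartTextMessage", "sendDataMessage"}  # SmsManager senders
SHORT_CODE = re.compile(r"^\d{4,6}$")  # bare 4-6 digit string: looks like an SMS short code

def read_uleb128(buf, pos):
    """Decode one ULEB128 value; return (value, position after it)."""
    value = shift = 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def dex_strings(dex):
    """Walk the .dex string table (string_ids_size/off live at header offset 0x38/0x3C)."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)
    strings = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, pos = read_uleb128(dex, data_off)  # length prefix, then MUTF-8 bytes
        strings.append(dex[pos:dex.index(b"\x00", pos)].decode("utf-8", "replace"))
    return strings

def triage(strings):
    """Return (kind, string) pairs worth checking in the baksmali or jd-gui output."""
    hits = [("sms_api", s) for s in strings if s in SMS_APIS]
    return hits + [("short_number", s) for s in strings if SHORT_CODE.match(s)]

def triage_apk(apk_bytes):
    """An APK is a zip: read classes.dex straight out of it, no unpacking to disk."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return triage(dex_strings(apk.read("classes.dex")))

def build_test_dex(strings):
    """Constructed minimal dex (header + string_ids + string_data) for an offline test."""
    ids_off, data_off = 0x70, 0x70 + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:  # assumes < 128 chars, so the ULEB128 length is one byte
        offsets.append(data_off + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header) + b"".join(struct.pack("<I", o) for o in offsets) + bytes(data)

def build_test_apk(strings):
    """Constructed zip holding only classes.dex, standing in for a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", build_test_dex(strings))
    return buf.getvalue()
```

A hit on sendTextMessage next to a short number is only a lead: the analyst still confirms in the smali (as in Figure 4) that the number is actually passed to the call.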

Results of the Features That Ordinary Users Easily Recognize
next chapter, with some assessment test results on our sample set. The statistical results below are based on the first detection by the antivirus vendors (Symantec, NQMobile, F-Secure, Lookout, Kaspersky, AVG, ...) and on related project links and blogs: http://www.csc.ncsu.edu/faculty/jiang, http://www.fortiguard.com, http://androguard.blogspot.com, http://blog.fortinet.com/ ...
In the process of analyzing the collected samples, the author encountered difficulties with the different names given by the first authors who found them. So the statistics record all the different names for easy sorting into their malware families. In addition to describing the visible symptoms, the author uses illustrations or icons in Table 1.
In the first column of Table 4, the author collected the different names given to the same malware families [5,52] by different anti-virus companies, based on installation methods, activation mechanisms or the name of the malicious packaged application. This addresses the naming-scheme problem of malware families noted in [5]: "Last but not least, during the process of collecting malware samples into our current dataset, we felt confusions". Besides, the symptoms of malware which exploits the device to gain root privilege are not easily visible, so we propose to use mobile security software solutions. From the visible symptoms of the malware families in Table 5, the author proposes some specific criteria for identifying mobile malware. Ordinary phone users can recognize several features such as: premium-rate services and an abnormal increase in the phone bill, display of a black screen, automatic installation of software that the user has not requested, no launcher icon in the applications list after installation, warnings that the application is not licensed and demands to crack it, ... However, malicious software is not a software bug, so when installing or running software you should also consider whether a bug is behind the above features.

Detection Results of Malware Families
The author installed four mobile security applications from the Lenovo Store on a Lenovo P70 phone (version 2.3.5) to test them. From the testing results, some software such as Zoner reached a detection rate of 99.4% (Tables 5 and 6, Figure 8).

Discussion
From the analysis of malware families and samples, the author saw that users' ability to detect malware is usually limited. The rapid development of new applications and of variants immune to mobile security software requires an overall solution, from the analysis of new variants and detection of new viruses to alert the community, and then users should also take preventive measures:
1) Users should carefully read and understand the permissions of an application and compare them with the real features of the app. In particular, users should not install or update software that is not necessary, because its effects are unknown.
2) When an app is installed, users should check whether something out of the ordinary happens: no icon appears corresponding to this app (or more than one icon appears). Check the phone bill or account regularly.
The author selected the characteristics recognizable by ordinary users, together with the families that had been collected (Table 1), and proposed solutions as recommendations to users before installing apps, with the ultimate aim of mitigating the damage in the Android phone community, especially for ordinary users with limited understanding of the potential hazards. The visible symptoms of malware which exploits the device to gain root privilege are difficult to see and detect because it silently executes malicious code in the platform OS. Mostly, such malware steals information and sends it to a remote server or URL, or by SMS messages (to a premium-rate number or not).

Conclusions
The author presented the evaluation results of the top ten mobile security software from AV-TEST in 2012 [51] against each family, so that users can make an appropriate choice to fix infections and prevent them in the future, especially for malware using root exploits, when an infection is detected.
Besides, users should look for the visible symptoms in order to fix it (Table 4) and be careful when downloading and installing apps from the official Android Market, following the security advisories (Section 5). If users are really concerned about the potential risks, they should consider investing in an effective mobile security app, because it is still the best bet to stay protected anywhere, anytime. Also, when software from an unknown source is installed, the phone may already be infected with malicious software before the security app can protect it.

Figure 2. The classes.dex file to analyze.

Figure 3. MoviePlayer.smali is the main code of the malware.

Figure 4. The malware sends a message to phone number 3354.

Figure 5. Screen of the APK tool decompiling to Java sources.

Figure 6. A Java class source after decompilation by the APK tool.

Figure 7. An analysis result for the file RU.apk from a website.
3) Users should respect copyright and install all apps from the official Android Market instead of third-party markets.
4) Users should download apps with thousands of downloads and mostly positive comments.
5) Turn off unused features such as GPS, GPRS, WIFI (Settings > Wireless & networks > Wi-Fi), extend memory (Settings -> Applications -> Development -> USB debugging), ... Especially, Android OS allows users to install .APK files from unknown sources directly, and malware easily penetrates the user's phone (Settings -> Applications -> Unknown sources).
6) Keep your phone patched up to date.
From the analysis of the malware samples, the author classified them into their existing families or added a new family to the collection, giving 58 malware families and 1485 malware samples. The author also introduced three different techniques to analyze the samples, presented in Section 1.

References
[1] "... Operating System in Third Quarter of 2012," 2012. http://www.gartner.com/it/page.jsp?id=2237315
[2] R. Thurner, "A Breakdown by Country of t... Popular App Download Services to Help Make the Business Case," 2012. http://www.smartinketing/app-download-statistics/
[3] Kaspersky Lab, "The overall stat...

Table 1. Characterization and area of effect of malware families.
(*): Details of Table 1 are described in Table 2. (**): Details of Table 1 are described in Table 3.

Table 4. Description of visible symptoms of malware.
Family | Visible symptoms | Manually checked by user | Illustrations
AnserverBot | Makes a new dialog requesting to upgrade or install a new app, but does not show any icon. | Remember the new app's name and check whether its icon appears on your home screen (upgrade request). |
BeanBot | The device boots up or hangs up on a phone call. | Check the regular phone bill. |
Pjapps | Requests to read/write the browser's history and bookmarks and to receive SMS when you install it. | View the request to read/write the browser's history and bookmarks and to receive SMS. |
BGSERV | "Android Market Security" is run by BgService. | View BgService running when you did not request it. |
CruseWin (CruseWind) | Display of a black screen. | Check the regular phone bill. | Can view: Flash MMS icon or Flash icon
DroidCoupon | Uses a popular root exploit, "Rage Against the Cage", on Android 2.2 and earlier, hiding in the platform so it is difficult to detect. It will not work on Android 2.3, with the message: "This application has stopped unexpectedly. Please try again". | You can detect it when your phone uses version 2.3. | View Recovery Deluxe tool
DroidDream (DORDRAE) | Disguises itself as apps like a battery-monitoring tool, a task-listing tool, and an app listing the permissions used by installed apps. | View "My Battery Life". |
DreamLight | A service named "CoreService" is running. Getting a phone call. | View illustrations. |
DroidKungFu (LeNa) | Installs "Google search" or "Google Ssearch". | View the icons of the 2 apps: Google search or Google Ssearch. |
Smssend (fakeplayer) | A media player application is running. | Check the regular phone bill. | Auto-run media player
gamblersms | Requests a phone number and an email address. | View: phone number and email. |
Geinimi | Creates a shortcut, changes the wallpaper; a popup message about Google Maps appears. | Check for an abnormal appearance of the background. |
GGTracker | A website analyzing the phone's battery, or a request to download an APK "solution battery". | View "solution battery". |
GingerMaster (GingerBreaker) | Requires adding to the apps list; your phone uses Android 2.3/2.3. | Requires adding to the apps list. |
GoldDream | Difficult to identify. | You should use anti-virus software; if it detects it, you should uninstall the apps. |
Gone60 (gonein60) | Pays money from the website gi60s.com. Self-uninstallation as in the figure beside: enter this code (a 5-digit code) at gi60s.com (sends to a website). | |
GPSSMSSpy (mobinauten, SmsHowU, smsspy) | The message the spy sends ("How are you") is an error or spam. | |
HippoSMS | Charges on the bill from numbers beginning with 1066. | Check the regular phone bill. |
Nickyspy (Nickispy) | Installs the Google+ application. | View the Google+ application. |
Plankton | Removal of installed mobile security software. | Check the security software in the system tray or on the main screen. |
RogueLemon | Requests subscription to a value-added service. | Check your phone bill. |
RogueSPPush | Requests subscription to a value-added service. | Decline registration for value-added services; check your phone bill. | Shows the RogueSPPush "love" app
YZHC | Abnormally high bill from SMS sending and Internet connection. | Check your phone bill and account regularly. |
zsone | Abnormally high bill from SMS sending. | Check your phone bill and account regularly. |
Battery Doctor (fakedoc) | Pop-up ads about improving your battery life. | You should not install scare or trick apps that you don't need. | (Battery Doctor)
CI4 | No launcher icon after installation. | |
Counterclank | Restricts the use of ad networks. | |
Dougalek | "An error has occurred and the video has not loaded." | |
DropDialer | Uninstalls itself after sending. | Check your phone bill and account regularly. Check the app icons after installing an app. |
FakeAngry (AnZhu) | Pop-ups displaying Bookmark Name/Bookmark URL. | "Screen Off And Lock" apps appear. |
Faketimer (oneclickfraud) | Opens unhealthy content websites. | Remove it. |
FakeToken | Uses the logo and colours of the bank in the application icon; when the user does not enter the first factor of authentication it shows an error. | | Icon of a bank: Santander, BBVA, Banesto, ...
FindAndCall | The app sends SMS spam. | View the app icon (Find & Call). Remove it. |
Gamex (muldrop) | A new app icon appears, with a message about an "Android 8.2.3 patch". | View "Android 8.2.3 patch". |
Logastrod | Abnormally high bill. | Check your phone bill regularly. |
Luckycat | An "empty" icon or a standard Android icon. | |
Moghava | JPG images increase in size until the SD card is full. | Uninstall the app and delete the JPGs. |
Notcompatible | Requests that "Unknown sources" be opened. | Download from the Android Market. |
Opfake | Its variants have the Opera icon. | Strange charges on your phone bill. |