Article Preview
TopIntroduction
Although Android OS being an open source has promoted mobile applications developers, yet malware programmers have also contributed to exploit its open source nature to carry out malicious acts. MacAfee, an antimalware platform, has diagnosed more than 700K mobile malware in the second quarter of 2014 (Weafer, 2014). Another report (Chebyshev, 2016) published in 2016 discovered that Internet access on smartphone devices had exceeded 61% in the first quarter of 2015. This study also revealed that 60.85% of Android users had started Internet access on their smartphone devices. Consequently, the similar growth is observed in malware program construction, i.e., 40,267 new mobile malware variants were analyzed and diagnosed by the security agencies at the end of 2015(Millman, 2015). In Q2 2016, it was observed that Android was used by 86.2% of smartphone users (Paul, 2017). Similarly, its widespread adaptation to other platforms such as televisions, tablets, wearable, and vehicles opened the new dimensions for multi-platform attacks. In the similar pace, IoT (Internet of Things) would be the next target for malware programmers. A more recent report (BILIĆ, 2017) states that the growth of mobile malware is constantly increasing since 2013. On average 200 new malicious code variants have been discovered per month during 2015, this number rose to 300 per month by the end of 2016. As a result, on average 400 new malicious code variants are expected to evolve by the end of 2017 (Weafer, 2016).
Mobile botnet or SMARTbot (Karim, Salleh, & Khan, 2016) is a malevolent action which is inspired from traditional botnets (PC based). The basic motive behind botnet is to gain illegitimate access to someone’s personal device (smartphone, tablets, etc.) and makes this device compromised by a bot binary (app). After becoming the part of a bot network, another pivotal role (botmaster) is responsible for controlling this device remotely and to initiate various attacks using some command and control (C&C) channel. Consequently, these devices are then participating in numerous malicious activities including DDoS, ransom, making premium calls, sending text messages and emails without user’s consent.
There are two most common analysis strategies exist, static and dynamic analysis. In static analysis, structural properties of program code are observed including permission usage, CFGs, function call graphs and API calls, etc. For static analysis, reverse engineering tools (Lukan, 2012) are deployed to disassemble program code (Schmidt et al., 2009) or directly fetching parameters from executable binaries (Petsas, Voyatzis, Athanasopoulos, Polychronakis, & Ioannidis, 2014; Yousafzai et al., 2016). In contrast, dynamic analysis requires execution of malware binaries in a secure environment (called sandbox) to extract runtime behavior of these applications. Following are some of the parameters which are of interest during dynamic analysis: (a) file operations (b) network traces (c) initiated services (d) HTTP and DNS traffic etc. Currently, some mobile malware detection approaches (Arp, Spreitzenbarth, Hubner, Gascon, & Rieck, 2013; Chen, Rong-Cai, ZHENG, Jia, & Li-Jing, 2016; Fereidooni, Conti, Yao, & Sperduti, 2016; Yang, Wang, Ling, Liu, & Ni, 2017) are introduced targeting either program code or runtime execution traces. However, at a higher level of abstraction, these approaches are targeting mobile malware detection rather than mobile botnet. This is the extension of our previously proposed approaches (Ahmad Karim & Shah, 2015; Karim, Salleh, Khan, Siddiqa, & Choo, 2016) in a way that it can highlight the need for a hybrid analysis framework for the detection of botnet mobile binaries.