Securing Mobile Applications Against Mobile Malware Attacks: A Case Study

Universiti Sains Islam Malaysia (USIM)
71800 Nilai, Negeri Sembilan, Malaysia
afif@raudah.usim.edu.my, madihah@usim.edu.my
Abstract— Security exploitation of online systems and mobile applications (apps) is increasing tremendously. Under the new norm, most meetings are conducted online, and they bring many security challenges with them. Hence, this paper presents a new model called Mobotder to detect possible security exploitation of online meeting applications and online games based on geolocation (GPS), permissions, Application Programming Interface (API) calls and system calls. The model was built using hybrid analysis in a controlled lab environment, with datasets from Drebin and the Google Play Store for training and evaluation. As a proof of concept (POC) for the developed model, a case study of twenty (20) online meeting applications was conducted. As a result, 10% of the tested mobile apps were at high risk of potentially being exploited by attackers, while for online games, 7 out of 10 anonymised online games evaluated were identified as medium risk. As future work, this model can be used as a benchmark and guideline for developing a mobile malware detection system for online mobile apps.

Keywords— GPS, API, Android exploitation, online meeting exploitation, online game, malware, mobile security.

I. INTRODUCTION

Currently, most meetings and learning are conducted online, with a variety of security issues [1,2]. In 2020, compromised Zoom accounts were found for sale on the dark web [3]. In 2021, a UK round-up of breaches for February recorded 2,323,326,953 breached records, including those taken in attacks on the cloud service provider Accellion [4]. The common factor contributing to security exploitation of online games is malware embedded inside a game downloaded from an untrusted app store [5]. This leads to stolen passwords, online security attacks and security exploitation against other players [6]. In 2020, for example, Valve's games were among the victims of security exploitation [7].

Several previous works relate to mobile malware detection, such as [8-13]. Different features were used for malware detection, such as permissions, system calls and API calls, and previous studies commonly use these three main features. Compared with system calls, permissions and API calls are easier to capture for malware detection, because of the detection technique each requires: static analysis, dynamic analysis or hybrid analysis. Permissions and API calls can be captured easily using static or dynamic analysis, whereas system calls need hybrid analysis for analysis and detection. Once the features and techniques have been selected, the dataset is trained and evaluated using machine learning algorithms. The main challenge is choosing the best features for detecting malware, i.e. feature selection, to increase the accuracy rate [14]. Based on the analysis conducted, one of the components commonly used for exploitation is the GPS, apart from Bluetooth, Wi-Fi, audio and image [15,16]. Detecting possible mobile malware attacks via GPS exploitation is therefore part of this paper's main contribution. Based on the security exploitations found in online apps, a new model called Mobotder is introduced in this paper. It can identify possible exploitation of online apps and is beneficial in identifying possible security exploitations in online mobile apps.

This paper is organized as follows: Section II discusses the methods used for this paper, followed by the experimental results in Section III and the conclusion and future work in Section IV.

II. METHODS

Fig. 1 summarizes the method involved in feature selection for the Mobotder model. 2694 samples were selected from the Drebin dataset [17].

Fig. 1. Method summarization for feature selection

Next, the detailed process involved in the Mobotder development is displayed in Fig. 2.
978-1-6654-0193-7/21/$31.00 ©2021 IEEE
Authorized licensed use limited to: University of New Brunswick. Downloaded on November 20,2022 at 19:33:10 UTC from IEEE Xplore. Restrictions apply.

Fig. 2. Overall processes involved for Mobotder development
store for the evaluation. For this experiment, hybrid analysis, consisting of static and dynamic analysis, was used to reverse engineer all the datasets. Both analyses were applied to ensure that any revealed or hidden payload of the malware could be captured. A combination of API calls and permissions gave a better accuracy rate.

III. FINDINGS

Once the hybrid analysis was completed, data mining and model evaluation were carried out using the open-source software Waikato Environment for Knowledge Analysis (WEKA) [18], which contains multiple machine learning algorithms for building a new model.
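The feature pipeline described above, from an app's manifest and disassembled code to the binary permission/API-call vector that WEKA consumes, as an added example that is not the paper's code. It parses a constructed AndroidManifest.xml and constructed smali invoke lines, maps them onto an illustrative vocabulary (an assumption: the paper's 30 permissions and 38 API calls are not listed on the page), and writes the result as an ARFF relation, the input format WEKA's classifiers, Random Forest included, load. The location-related features are singled out because the paper identifies GPS as a commonly exploited component.

```python
"""Permission / API-call feature extraction for an Android app, written out
as a WEKA ARFF relation.

Added example, not the Mobotder paper's own code. PERMISSIONS and API_CALLS
are short illustrative subsets (assumption: the paper's real 30/38 feature
lists are not on the page). The manifest and smali fragments are constructed
inputs standing in for what apktool produces from an APK.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Illustrative feature vocabulary (assumption, not the paper's list).
PERMISSIONS = [
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.BLUETOOTH",
    "android.permission.READ_SMS",
]
API_CALLS = [
    "Landroid/location/LocationManager;->getLastKnownLocation",
    "Landroid/location/LocationManager;->requestLocationUpdates",
    "Landroid/media/MediaRecorder;->start",
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "Ljava/lang/Runtime;->exec",
    "Ldalvik/system/DexClassLoader;-><init>",
]
# Features tied to GPS use, the component the paper singles out.
LOCATION_FEATURES = {PERMISSIONS[1], API_CALLS[0], API_CALLS[1]}

# Constructed sample manifest (no real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.meetingapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

# Constructed smali "invoke-*" lines as a disassembler emits them (no real app).
SAMPLE_SMALI = """\
invoke-virtual {v0, v1}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
invoke-virtual {v2, v3}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
invoke-virtual {v4}, Landroid/media/MediaRecorder;->start()V
"""

# "invoke-kind {regs}, Lpkg/Class;->method(" -> capture "Lpkg/Class;->method"
INVOKE_RE = re.compile(r"^invoke-\S+\s+\{[^}]*\},\s*(L[^\s(]+)\(")


def manifest_permissions(manifest_xml: str) -> set[str]:
    """Static analysis step 1: every <uses-permission android:name=...>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def smali_api_calls(smali_text: str) -> set[str]:
    """Static analysis step 2: the target of every invoke-* instruction."""
    calls = set()
    for line in smali_text.splitlines():
        m = INVOKE_RE.match(line.strip())
        if m:
            calls.add(m.group(1))
    return calls


def feature_vector(perms: set[str], calls: set[str]) -> list[int]:
    """Binary vector in PERMISSIONS + API_CALLS order, as fed to the classifier."""
    return [int(p in perms) for p in PERMISSIONS] + [int(c in calls) for c in API_CALLS]


def location_indicators(perms: set[str], calls: set[str]) -> set[str]:
    """Which GPS-related features the app exhibits."""
    return LOCATION_FEATURES & (perms | calls)


def to_arff(relation: str, rows: list[tuple[list[int], str]]) -> str:
    """Serialize labelled vectors as ARFF; a '?' label marks a row to classify."""
    lines = [f"@relation {relation}", ""]
    for name in PERMISSIONS + API_CALLS:
        lines.append(f"@attribute '{name}' {{0,1}}")  # quoted: names contain ; / ->
    lines.append("@attribute class {benign,malware}")
    lines.extend(["", "@data"])
    for vec, label in rows:
        lines.append(",".join(str(v) for v in vec) + f",{label}")
    return "\n".join(lines) + "\n"


def build_sample() -> tuple[list[int], str]:
    """Run the pipeline on the constructed inputs; returns (vector, arff text)."""
    perms = manifest_permissions(SAMPLE_MANIFEST)
    calls = smali_api_calls(SAMPLE_SMALI)
    vec = feature_vector(perms, calls)
    return vec, to_arff("mobotder_example", [(vec, "?")])


if __name__ == "__main__":
    vector, arff = build_sample()
    print(vector)
    print(arff)
```

For a real app, feed the manifest and smali produced by apktool into the same two parsers, emit one row per app with a benign/malware label for the training set, and load the ARFF into WEKA; the `?` label is for apps still to be classified.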
Based on the experiment and the comparison displayed in Table I, the Mobotder model outperformed previous studies, achieving a better accuracy rate with the Random Forest algorithm. The comparison is made with previous studies [19-22], which also used permissions and API calls for malware detection. The higher accuracy rate of Mobotder is attributed to the feature selection used: as displayed in Fig. 3, 30 permissions and 38 API calls were used as the features to detect malware. Feature selection is very significant for malware detection, since it increases the accuracy rate and lowers the false alarm rate. Note that the prior studies used different feature sets, and two of them do not state how many permissions and API calls they used, so Table I compares reported figures rather than results on a common dataset.
TABLE I. Comparison of Mobotder with previous studies [19]–[22] (the header naming each prior study was lost in extraction; the four prior-study columns are kept in the order they appear)

Criterion | Prior study 1 | Prior study 2 | Prior study 3 | Prior study 4 | Mobotder
Number of features (permissions / API calls) | 63 / 12 | 1414 / 8 | Number not stated; permissions, API calls, hardware components, intents | Number not stated; permissions, API calls, intents, metadata, system calls, network | 30 / 38
ML classifier | RF | PSO-ANFIS | RF | RF | RF
Accuracy rate (%) | 93.9 | 89 | 97.24 | 97.48 | 99.1

a. ML = Machine Learning, RF = Random Forest
TABLE II. Risk level and features found in each tested app (only the rows below are recoverable from this copy; App21–App30 tally to 7 medium and 3 low, matching the 10 online games in the abstract, so App1–App20 are the 20 online meeting apps; PE = permission feature, AC = API-call feature; AC10 appears twice in App4 as printed)

App | Risk | Features found
App4 | High | PE4+PE5+PE6+PE11+PE12+PE14+PE16+PE17+PE18+PE19+PE20+PE21+PE22+PE24+PE30+AC1+AC3+AC4+AC5+AC6+AC7+AC8+AC9+AC10+AC12+AC14+AC15+AC18+AC10+AC20+AC24+AC28+AC29+AC30+AC32+AC34+AC36+AC38
App20 | Medium | PE1+PE2+PE4+PE5+PE6+PE9+PE11+PE12+PE16+PE17+PE18+PE20+PE25+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC11+AC12+AC14+AC15+AC28+AC29+AC31+AC32+AC34+AC36
App21 | Low | PE8+PE12
App22 | Medium | PE4+PE5+PE9+PE10+PE12+PE17+PE18
App23 | Medium | PE4+PE5+PE6+PE9+PE10+PE12+PE17+PE18+PE20
App24 | Medium | PE4+PE5+PE6+PE7+PE9+PE10+PE12+PE13+PE17+PE18+PE20+PE23+PE25
App25 | Medium | PE4+PE5+PE10+PE12+PE17+PE18
App26 | Medium | PE1+PE4+PE5+PE10+PE12+PE17+PE18
App27 | Medium | PE1+PE2+PE4+PE5+PE6+PE9+PE10+PE12+PE17+PE18
App28 | Low | PE4+PE5+PE12
App29 | Low | PE4+PE5+PE6+PE7+PE9+PE12+PE17
App30 | Medium | PE4+PE5+PE10+PE12+PE17+PE20
Table II shows that 2 of the 30 apps were rated high risk, 23 medium risk and 5 low risk. For the online game apps, 70% were medium risk and 30% low risk. Bear in mind that these results indicate a possibility of security exploitation of the online mobile apps by mobile malware: a rating reflects the permissions and API calls found in the app, not observed malicious behaviour. Hence, users must always understand what consent is granted to the apps installed on their smartphones, and only download online apps from a trusted party. Furthermore, this model can identify possible security issues quickly and efficiently.
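A check over the Table II rows that survive on this page, added here as an example and not taken from the paper. It parses each row's PE/AC string, flags duplicate or out-of-range indices (App4 lists AC10 twice as printed), tallies the online games App21 to App30 against the 7-medium/3-low split stated in the abstract, and reports which features separate the medium-risk games from the low-risk ones in this slice. The 30/38 bounds come from the text; that PE and AC index permissions and API calls respectively is an assumption, since the table legend is not on the page.

```python
"""Consistency checks over the Table II rows recoverable from this page.

Added example, not part of the paper. TABLE_II is transcribed from the table
as extracted (App4 and App20 to App30; the remaining rows are missing from
this copy). PE<n> / AC<n> are taken to index the 30 permissions and 38 API
calls the paper reports (assumption: the legend is not on the page).
"""
from __future__ import annotations

import re
from collections import Counter

N_PERMISSIONS, N_API_CALLS = 30, 38
TOKEN_RE = re.compile(r"^(PE|AC)(\d+)$")

# app -> (risk level, feature string exactly as printed)
TABLE_II = {
    "App4": ("High", "PE4+PE5+PE6+PE11+PE12+PE14+PE16+PE17+PE18+PE19+PE20+PE21+PE22"
                     "+PE24+PE30+AC1+AC3+AC4+AC5+AC6+AC7+AC8+AC9+AC10+AC12+AC14+AC15"
                     "+AC18+AC10+AC20+AC24+AC28+AC29+AC30+AC32+AC34+AC36+AC38"),
    "App20": ("Medium", "PE1+PE2+PE4+PE5+PE6+PE9+PE11+PE12+PE16+PE17+PE18+PE20+PE25"
                        "+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC11+AC12+AC14+AC15+AC28"
                        "+AC29+AC31+AC32+AC34+AC36"),
    "App21": ("Low", "PE8+PE12"),
    "App22": ("Medium", "PE4+PE5+PE9+PE10+PE12+PE17+PE18"),
    "App23": ("Medium", "PE4+PE5+PE6+PE9+PE10+PE12+PE17+PE18+PE20"),
    "App24": ("Medium", "PE4+PE5+PE6+PE7+PE9+PE10+PE12+PE13+PE17+PE18+PE20+PE23+PE25"),
    "App25": ("Medium", "PE4+PE5+PE10+PE12+PE17+PE18"),
    "App26": ("Medium", "PE1+PE4+PE5+PE10+PE12+PE17+PE18"),
    "App27": ("Medium", "PE1+PE2+PE4+PE5+PE6+PE9+PE10+PE12+PE17+PE18"),
    "App28": ("Low", "PE4+PE5+PE12"),
    "App29": ("Low", "PE4+PE5+PE6+PE7+PE9+PE12+PE17"),
    "App30": ("Medium", "PE4+PE5+PE10+PE12+PE17+PE20"),
}
# The ten online games, per the abstract's count and the App21..App30 tally.
GAMES = [f"App{i}" for i in range(21, 31)]


def parse_features(s: str) -> list[tuple[str, int]]:
    """'PE4+AC10+...' -> [('PE', 4), ('AC', 10), ...], order and repeats kept."""
    tokens = []
    for raw in s.split("+"):
        raw = raw.strip()
        if not raw:
            continue
        m = TOKEN_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised feature token {raw!r}")
        tokens.append((m.group(1), int(m.group(2))))
    return tokens


def problems(app: str) -> list[str]:
    """Duplicate tokens and indices outside the 30-permission / 38-API-call sets."""
    issues = []
    for (kind, idx), n in Counter(parse_features(TABLE_II[app][1])).items():
        limit = N_PERMISSIONS if kind == "PE" else N_API_CALLS
        if not 1 <= idx <= limit:
            issues.append(f"{kind}{idx} out of range 1..{limit}")
        if n > 1:
            issues.append(f"{kind}{idx} listed {n} times")
    return issues


def feature_counts(app: str) -> tuple[int, int]:
    """(distinct permissions, distinct API calls) recorded for the app."""
    distinct = set(parse_features(TABLE_II[app][1]))
    return (sum(1 for k, _ in distinct if k == "PE"),
            sum(1 for k, _ in distinct if k == "AC"))


def risk_tally(apps: list[str]) -> dict[str, int]:
    """Risk level -> number of apps, for comparison with the paper's percentages."""
    return dict(Counter(TABLE_II[a][0] for a in apps))


def separating_features(apps: list[str], upper: str, lower: str) -> set[tuple[str, int]]:
    """Features present in every `upper`-rated app and in no `lower`-rated app."""
    hi = [set(parse_features(TABLE_II[a][1])) for a in apps if TABLE_II[a][0] == upper]
    lo = [set(parse_features(TABLE_II[a][1])) for a in apps if TABLE_II[a][0] == lower]
    if not hi:
        return set()
    return set.intersection(*hi) - set().union(*lo)


if __name__ == "__main__":
    for app in TABLE_II:
        print(app, TABLE_II[app][0], feature_counts(app), problems(app))
    print("games:", risk_tally(GAMES))
    print("medium-only among games:", separating_features(GAMES, "Medium", "Low"))
```

The game tally reproduces the abstract's 7 medium / 3 low, and in this slice PE10 is the only feature present in every medium-risk game and absent from every low-risk one; with the legend missing, which permission PE10 denotes cannot be recovered from the page.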
IV. CONCLUSIONS & FUTURE WORK

Based on the case study conducted on online apps, specifically online meeting apps and online games, it can be concluded that every online app carries its own risk of security exploitation. The developed model used permissions and API calls as the underlying concept and input for the Mobotder model. The results show that potential security exploitation can be detected with suitable feature selection. Furthermore, security awareness among users is crucial as part of the mitigation against mobile malware attacks. In the future, this model can be used as the input for a mobile malware detection system.

ACKNOWLEDGMENT

The authors would like to express their gratitude to the Ministry of Higher Education (MOHE), Malaysia for the support and facilities provided. This paper is supported under grant P5-2-50-50819-KPT-FRGS-FST.

REFERENCES

[1] P. Laplante, "Contactless U: Higher education in the postcoronavirus world," Computer, vol. 53, no. 7, pp. 76–79, Jul. 2020, doi: 10.1109/MC.2020.2990360.
[2] M. Humayun, M. Niazi, N. Jhanjhi, M. Alshayeb, and S. Mahmood, "Cyber Security Threats and Vulnerabilities: A Systematic Mapping Study," Arab. J. Sci. Eng., vol. 45, no. 3, pp. 3171–3189, 2020, doi: 10.1007/s13369-019-04319-2.
[3] P. Wagenseil, "Zoom security issues: Everything that's gone wrong (so far)," Tom's Guide, 2020. https://www.tomsguide.com/news/zoom-security-privacy-woes (accessed Mar. 23, 2021).
[4] L. Irwin, "List of data breaches and cyber attacks in February 2021," IT Governance UK Blog, 2021. https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-february-2021-2-3-billion-records-breached (accessed Mar. 23, 2021).
[5] R. M. Parizi, A. Dehghantanha, K.-K. R. Choo, M. Hammoudeh, and G. Epiphaniou, "Security in Online Games: Current Implementations and Challenges," Handb. Big Data IoT Secur., pp. 367–384, 2019, doi: 10.1007/978-3-030-10543-3_16.
[6] N. S. N. Maguluri, "Multi-Class Classification of Textual Data: Detection and Mitigation of Cheating in Massively Multiplayer Online Role Playing Games," Wright State University, 2017.
[7] A. Balapour, H. R. Nikkhah, and R. Sabherwal, "Mobile application security: Role of perceived privacy as the predictor of security perceptions," Int. J. Inf. Manage., vol. 52, Jun. 2020.
[8] W. Hijawi, J. Alqatawna, A. M. Al-Zoubi, M. A. Hassonah, and H. Faris, "Android botnet detection using machine learning models based on a comprehensive static analysis approach," J. Inf. Secur. Appl., vol. 58, p. 102735, May 2021, doi: 10.1016/J.JISA.2020.102735.
[9] S. Y. Yerima and M. K. Alzaylaee, "Mobile Botnet Detection: A Deep Learning Approach Using Convolutional Neural Networks," 2020 Int. Conf. Cyber Situational Awareness, Data Anal. Assessment (Cyber SA 2020), Jun. 2020, doi: 10.1109/CYBERSA49311.2020.9139664.
[10] T. Takahashi and T. Ban, "Android application analysis using machine learning techniques," Intell. Syst. Ref. Libr., vol. 151, pp. 181–205, 2019, doi: 10.1007/978-3-319-98842-9_7.
[11] H. Alshahrani, H. Mansourt, S. Thorn, A. Alshehri, A. Alzahrani, and H. Fu, "DDefender: Android application threat detection using static and dynamic analysis," 2018 IEEE Int. Conf. Consum. Electron. (ICCE 2018), pp. 1–6, Mar. 2018, doi: 10.1109/ICCE.2018.8326293.
[12] M. Sun, X. Li, J. C. S. Lui, R. T. B. Ma, and Z. Liang, "Monet: A User-Oriented Behavior-Based Malware Variants Detection System for Android," IEEE Trans. Inf. Forensics Secur., vol. 12, no. 5, pp. 1103–1112, May 2017, doi: 10.1109/TIFS.2016.2646641.
[13] F. Yang, Y. Zhuang, and J. Wang, "Android Malware Detection Using Hybrid Analysis and Machine Learning Technique," Lect. Notes Comput. Sci., vol. 10603, pp. 565–575, 2017, doi: 10.1007/978-3-319-68542-7_48.
[14] A. Bhattacharya and R. T. Goswami, "Comparative Analysis of Different Feature Ranking Techniques in Data Mining-Based Android Malware Detection," Adv. Intell. Syst. Comput., vol. 515, pp. 39–49, 2017, doi: 10.1007/978-981-10-3153-3_5.
[15] H. Pieterse and M. Olivier, "Design of a hybrid command and control mobile botnet," J. Inf. Warf., vol. 12, no. 1, pp. 70–82, 2013. [Online]. Available: https://www.jstor.org/stable/26487000 (accessed Nov. 14, 2021).
[16] M. Mohd Saudi, L. Amran, and F. Ridzuan, "Go-Detect Application Inspired by Apoptosis to Detect SMS Exploitation by Malwares," Lect. Notes Mech. Eng., pp. 101–116, 2020, doi: 10.1007/978-981-13-8323-6_9.
[17] D. Arp, M. Spreitzenbarth, M. Hübner, H. Gascon, and K. Rieck, "Drebin: Effective and Explainable Detection of Android Malware in Your Pocket," Symp. Netw. Distrib. Syst. Secur. (NDSS), pp. 23–26, 2014, doi: 10.14722/ndss.2014.23247.
[18] I. H. Witten and E. Frank, Data Mining: Practical Machine Learning Tools and Techniques, 2nd ed. San Francisco: Morgan Kaufmann, 2005.
[19] L. Onwuzurike, E. Mariconti, P. Andriotis, E. De Cristofaro, G. Ross, and G. Stringhini, "MaMaDroid: Detecting Android malware by building Markov chains of behavioral models (extended version)," ACM Trans. Priv. Secur., vol. 22, no. 2, 2019, doi: 10.1145/3313391.
[20] A. Feizollah, N. B. Anuar, R. Salleh, G. Suarez-Tangil, and S. Furnell, "AndroDialysis: Analysis of Android Intent Effectiveness in Malware Detection," Comput. Secur., vol. 65, pp. 121–134, Mar. 2017, doi: 10.1016/J.COSE.2016.11.007.
[21] E. M. B. Karbab, M. Debbabi, A. Derhab, and D. Mouheb, "MalDozer: Automatic framework for android malware detection using deep learning," in Proc. 5th Annual DFRWS Europe, Mar. 2018, vol. 24, pp. S48–S59, doi: 10.1016/J.DIIN.2018.01.007.
[22] C. Tansettanakorn, S. Thongprasit, S. Thamkongka, and V. Visoottiviseth, "ABIS: A prototype of Android Botnet Identification System," Proc. 2016 5th ICT Int. Student Proj. Conf. (ICT-ISPC 2016), pp. 1–5, Jul. 2016, doi: 10.1109/ICT-ISPC.2016.7519221.