
Securing Mobile Applications Against Mobile Malware Attacks: A Case Study


Muhammad Afif Husainiamer
CyberSecurity and Systems (CSS) Research Unit, Faculty of Science and Technology (FST), Universiti Sains Islam Malaysia (USIM), 71800 Nilai, Negeri Sembilan, Malaysia
afif@raudah.usim.edu.my

Madihah Mohd Saudi
CyberSecurity and Systems (CSS) Research Unit, Faculty of Science and Technology (FST), Universiti Sains Islam Malaysia (USIM), 71800 Nilai, Negeri Sembilan, Malaysia
madihah@usim.edu.my

Muhammad Yusof
Institut Latihan Perindustrian Kuala Langat, 42700 Banting, Selangor, Malaysia
muhammad@jtm.gov.my

2021 IEEE 19th Student Conference on Research and Development (SCOReD) | 978-1-6654-0193-7/21/$31.00 ©2021 IEEE | DOI: 10.1109/SCOReD53546.2021.9652685

Abstract— Nowadays, security exploitation of online systems and mobile applications (apps) is increasing tremendously. Under the new norm, most meetings are conducted online, with many accompanying security challenges. Hence, this paper presents a new model called Mobotder to detect possible security exploitation of online meeting applications and online games based on geolocation (GPS), permissions, Application Programming Interface (API) calls, and system calls. The model was built using hybrid analysis in a controlled lab environment, with datasets from Drebin and the Google Play Store for training and evaluation. As a proof of concept (POC) for the developed model, a case study of twenty (20) online meeting applications was conducted. As a result, 10% of the tested mobile apps were at high risk of potentially being exploited by attackers, while for online games, 7 out of 10 anonymized online games evaluated were identified as medium risk. As future work, this model can be used as a benchmark and guideline for developing a mobile malware detection system for online mobile apps.

Keywords— GPS, API, Android exploitation, online meeting exploitation, online game, malware, mobile security.

I. INTRODUCTION

Currently, most meetings and learning are conducted online, with a range of security issues [1,2]. In 2020, Zoom account exploitation was found on the Dark Web [3]. In 2021, in the United Kingdom, 2,323,326,953 breached records were reported in connection with ransomware attacks against the cloud service provider Accellion [4]. A common factor contributing to security exploitation of online games is malware embedded inside the game, downloaded from untrusted app stores [5]. This leads to stolen passwords, online security attacks, and security exploitation of other players [6]. In 2020, for example, a Valve game was among the victims of security exploitation [7].

In previous studies, several works were related to mobile malware detection, such as [8-13]. Different features were used for malware detection, such as permissions, system calls and API calls; previous studies commonly use these three main features. Compared with system calls, permissions and API calls are easier to capture for malware detection, owing to the detection technique used, which may be static analysis, dynamic analysis or hybrid analysis. Permissions and API calls can be captured easily using static analysis or dynamic analysis, whereas system calls need hybrid analysis for analysis and detection. Once the features and techniques have been selected, the dataset is trained and evaluated using machine learning algorithms. Yet the main challenge is choosing the best features for detecting malware, i.e. feature selection, to increase the accuracy rate [14]. Based on the analysis conducted, one of the components commonly used for exploitation is the GPS, apart from Bluetooth, Wi-Fi, audio and image [15,16]. This is part of this paper's main contribution: detecting possible mobile malware attacks via GPS exploitation. Therefore, based on the security exploitation observed in online apps, a new model called Mobotder is introduced in this paper. It can identify possible exploitation of online apps and is beneficial in identifying possible security exploitation in online mobile apps.

This paper is organized as follows: Section II discusses the methods used in this paper, followed by the experimental results in Section III and the conclusion and future work in Section IV.

II. METHODS

Fig. 1 summarizes the method used for feature selection in the Mobotder model. There were 2694 selected samples from the Drebin dataset [17].

Fig. 1. Method summarization for feature selection

Next, the detailed process involved in Mobotder development is displayed in Fig. 2.

978-1-6654-0193-7/21/$31.00 ©2021 IEEE 433
Authorized licensed use limited to: University of New Brunswick. Downloaded on November 20,2022 at 19:33:10 UTC from IEEE Xplore. Restrictions apply.
Fig. 2. Overall processes involved for Mobotder development

Feature selection is very significant to ensure that only the most related features are selected, which helps increase the accuracy rate. For this experiment, permissions and API calls related to possible security exploitation were extracted from AndroidManifest.xml and classes.dex. Permissions are declared in the manifest, and the user's consent is needed before a mobile app can use them: at install time for normal permissions and, since Android 6.0, at runtime for dangerous permissions such as location, SMS and microphone access. An API, meanwhile, is used to develop an app and consists of a set of routines and protocols. Fig. 3 shows the extracted permissions and API calls used to develop this Mobotder model.

Fig. 3. Mobotder permission and API calls

There are 30 permissions and 38 API calls in this Mobotder model. These permissions and API calls are the main components used to execute a particular mobile app operation. They become suspicious and potentially malicious when combined with redirection to third parties, such as through SMS or email. Fig. 4 illustrates the tools and controlled lab architecture used to build this Mobotder model. 2694 malware samples from the Drebin project were used for training, while 1000 anonymized, randomly selected mobile apps related to meetings and games from the Google Play Store were used for evaluation. For this experiment, hybrid analysis, consisting of static and dynamic analysis, was used to reverse engineer all the samples. Both analyses were applied to ensure that any payload revealed or hidden by the malware could be captured easily. A combination of API calls and permissions gave a better accuracy rate.

III. FINDINGS

Once the hybrid analysis was completed, the data mining process and model evaluation were carried out using the open-source software Waikato Environment for Knowledge Analysis (WEKA) [18], which provides multiple machine learning algorithms for building a new model.
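The extraction step described in Section II (permissions from AndroidManifest.xml, API calls from classes.dex) and the hand-over to WEKA can be shown end to end. The following Python is an added example written for this page, not the authors' Mobotder code. It assumes the APK has already been decoded with apktool (so the manifest is plain XML and classes.dex has been disassembled to smali text), uses a short hypothetical subset of permissions and API calls in place of the 30/38 features of Fig. 3 (which the paper does not enumerate), and adds one illustrative rule, not the paper's classifier, that flags location access combined with an SMS or network channel, in the spirit of the "redirection to third parties" remark above. The sample manifest and smali are constructed inline.

```python
"""Added example for this page (not the Mobotder implementation): extract
permission and API-call features from a decoded Android app, flag one
suspicious combination, and export the features as a WEKA ARFF file.
Assumptions: the APK was decoded with apktool, so AndroidManifest.xml is
plain XML and classes.dex is available as smali text; the feature lists are
a hypothetical subset standing in for the 30 permissions / 38 API calls of
Fig. 3, which the paper does not enumerate."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Hypothetical feature vocabulary (assumption, not the paper's Fig. 3 list).
PERMISSIONS = [
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
]
API_CALLS = [
    "Landroid/location/LocationManager;->getLastKnownLocation",
    "Landroid/location/LocationManager;->requestLocationUpdates",
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "Ljava/net/HttpURLConnection;->connect",
    "Landroid/media/MediaRecorder;->start",
]
EXFIL_CALLS = {API_CALLS[2], API_CALLS[3]}  # outbound channels: SMS, network

# Matches the class;->method target of any invoke-* instruction in smali.
# Constructors (<init>) are deliberately not matched by \w+.
INVOKE_RE = re.compile(r"invoke-\w+(?:/range)?\s+\{[^}]*\},\s*(L[\w/$]+;->\w+)")


def extract_permissions(manifest_xml):
    """Set of android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def extract_api_calls(smali_text):
    """Set of class;->method targets invoked anywhere in the smali text."""
    return set(INVOKE_RE.findall(smali_text))


def feature_vector(perms, apis):
    """Binary vector: one slot per known permission, then per known API call."""
    return [int(p in perms) for p in PERMISSIONS] + [int(a in apis) for a in API_CALLS]


def location_exfil_suspect(perms, apis):
    """Illustrative rule (assumption, not the paper's classifier): location
    permission plus a LocationManager call plus an outbound SMS/network call."""
    reads_location = ("android.permission.ACCESS_FINE_LOCATION" in perms
                      and any(a.startswith("Landroid/location/LocationManager;->") for a in apis))
    return reads_location and bool(EXFIL_CALLS & apis)


def to_arff(rows, relation="mobotder_features"):
    """Serialize (vector, label) pairs as an ARFF file for WEKA."""
    lines = [f"@relation {relation}", ""]
    for name in PERMISSIONS + API_CALLS:
        attr = re.sub(r"[^A-Za-z0-9_]", "_", name)  # ARFF-safe attribute name
        lines.append(f"@attribute {attr} {{0,1}}")
    lines.append("@attribute class {malware,benign}")
    lines += ["", "@data"]
    lines += [",".join(map(str, vec)) + "," + label for vec, label in rows]
    return "\n".join(lines) + "\n"


# Constructed sample input (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.meet">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Meet"/>
</manifest>"""

SAMPLE_SMALI = """.method private leak()V
    .locals 6
    const-string v1, "gps"
    invoke-virtual {v0, v1}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
    move-result-object v2
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method"""


def analyse_sample():
    """Run the pipeline on the constructed sample; returns (perms, apis, vector, flag)."""
    perms = extract_permissions(SAMPLE_MANIFEST)
    apis = extract_api_calls(SAMPLE_SMALI)
    return perms, apis, feature_vector(perms, apis), location_exfil_suspect(perms, apis)


if __name__ == "__main__":
    perms, apis, vec, flag = analyse_sample()
    print(sorted(perms), sorted(apis), vec, "suspect:", flag, sep="\n")
    print(to_arff([(vec, "malware")]))
```

The ARFF text can be written to a file and fed to WEKA's Random Forest from the command line, for example `java -cp weka.jar weka.classifiers.trees.RandomForest -t features.arff -x 10` for 10-fold cross-validation (these are standard WEKA classifier options; the paper does not state its exact WEKA invocation). Labels come from the source of each sample, Drebin for malware and the Play Store set for benign, exactly as the paper's training split does.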
Based on the experiment and the comparison displayed in Table I, the Mobotder model outperformed previous studies [19-22], achieving a better accuracy rate with the Random Forest algorithm. Those studies also used permissions and API calls for malware detection. The higher accuracy rate of Mobotder is attributed to the feature selection used: as displayed in Fig. 3, 30 permissions and 38 API calls were used as the features to detect malware. Feature selection is very significant for malware detection, as it increases the accuracy rate and lowers the false alarm rate. Note that, as Table I also shows, the studies were evaluated on different datasets and class balances, so the accuracy figures are indicative rather than a like-for-like comparison.

Fig. 4. Experiment lab architecture

TABLE I. COMPARISON WITH PREVIOUS STUDIES

Feature                                   | Work by [19] | Work by [20] | Work by [21]                                                      | Work by [22]                                                                   | Mobotder
No. of dataset (Malware/Benign)           | 1929/150     | 250/250      | 5560/5560                                                         | 1931/1150                                                                      | 2694/1000
Number of Features (Permission/API calls) | 63/1414      | 12/8         | Not stated (permissions, API calls, hardware components, intents) | Not stated (permissions, API calls, intents, metadata, system calls, network)  | 30/38
ML Classifier                             | RF           | PSO-ANFIS    | RF                                                                | RF                                                                             | RF
Accuracy Rate (%)                         | 93.9         | 89           | 97.24                                                             | 97.48                                                                          | 99.1

a. ML = Machine Learning, RF = Random Forest

Next, the model is further evaluated using 30 online mobile apps: 20 online meeting apps (App1 to App20) and 10 online mobile games (App21 to App30), as summarized in Table II. The details of each API call and permission can be referred to in Fig. 3. Furthermore, the model has been simulated and developed into a mobile app for evaluation purposes. Screenshots of the mobile app developed for Mobotder are displayed in Fig. 5 for the main interface, Fig. 6 for online gaming mobile apps and Fig. 7 for online meeting mobile apps. The actual names of the online gaming and meeting mobile apps are sanitized to avoid conflicts of interest with any parties.

Fig. 5. Mobotder Mobile App Main Interface
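Table II is long enough that its summary figures are worth re-tallying. The following Python is an added check written for this page, not part of the paper: it transcribes the Risk and Description columns of Table II (the PE and AC codes are the paper's labels for its 30 permissions and 38 API calls; their names appear only in Fig. 3, so they are treated as opaque identifiers here), counts risk levels per app category, finds the features shared by every app at a given level, and flags codes listed twice in one row.

```python
"""Added check for this page (not the paper's code): re-tally Table II.
Rows are transcribed from Table II; PE = permission code, AC = API-call code,
as labelled by the paper (names only in Fig. 3, so treated as opaque here)."""
from collections import Counter

TABLE_II = {  # app: (risk, description as printed, whitespace removed)
    "App1":  ("High",   "AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC14+AC28+AC29+AC32+AC34"),
    "App2":  ("Medium", "PE1+PE2+PE4+PE5+PE6+PE7+PE10+PE12+PE16+PE17+PE20+PE25+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC28+AC29+AC30+AC31+AC32+AC34+AC35+AC36"),
    "App3":  ("Medium", "PE1+PE2+PE4+PE5+PE6+PE9+PE10+PE12+PE16+PE17+PE18+PE20+PE25+PE30+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC11+AC12+AC14+AC15+AC18+AC21+AC22+AC24+AC25+AC26+AC28+AC29+AC32+AC34+AC36+AC38"),
    "App4":  ("High",   "PE4+PE5+PE6+PE11+PE12+PE14+PE16+PE17+PE18+PE19+PE20+PE21+PE22+PE24+PE30+AC1+AC3+AC4+AC5+AC6+AC7+AC8+AC9+AC10+AC12+AC14+AC15+AC18+AC10+AC20+AC24+AC28+AC29+AC30+AC32+AC34+AC36+AC38"),
    "App5":  ("Medium", "PE1+PE2+PE4+PE5+PE6+PE11+PE12+PE16+PE17+PE18+PE25+PE26"),
    "App6":  ("Medium", "PE4+PE6+PE12+PE16+PE17+PE25+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC13+AC28+AC29+AC32+AC34+AC36"),
    "App7":  ("Medium", "PE1+PE2+PE4+PE5+PE6+PE7+PE10+PE12+PE16+PE17+PE18+PE20+PE25+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC13+AC14+AC15+AC28+AC29+AC30+AC31+AC32+AC34+AC36"),
    "App8":  ("Medium", "PE4+PE5+PE6+PE10+PE12+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC14+AC15+AC24+AC28+AC29+AC31+AC32+AC34+AC36"),
    "App9":  ("Medium", "PE4+PE5+PE6+PE12+PE18+PE20+PE25"),
    "App10": ("Medium", "PE1+PE2+PE4+PE5+PE6+PE7+PE12+PE18+PE25+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC14+AC28+AC29+AC30+AC32+AC34+AC35+AC36"),
    "App11": ("Medium", "PE1+PE2+PE4+PE5+PE9+PE10+PE11+PE12+PE14+PE16+PE17+PE18+PE20+PE25+AC1+AC3+AC5+AC6+AC7+AC9+AC11+AC12+AC14+AC15+AC28+AC29+AC30+AC31+AC34+AC35+AC36"),
    "App12": ("Medium", "PE4+PE5+PE6+PE7+PE12+PE17+PE20+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC14+AC15+AC28+AC29+AC32+AC34"),
    "App13": ("Low",    "PE6+PE12+PE17"),
    "App14": ("Medium", "PE1+PE4+PE5+PE9+PE12+PE16+PE17+PE18+PE25+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC14+AC15+AC17+AC22+AC28+AC29+AC30+AC31+AC32+AC34"),
    "App15": ("Medium", "PE4+PE5+PE6+PE9+PE12+PE16+PE18+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC11+AC12+AC14+AC15+AC19+AC24+AC28+AC29+AC30+AC31+AC34+AC35+AC36"),
    "App16": ("Medium", "PE4+PE5+PE6+PE7+PE12+PE16+PE17+PE18+PE20+PE25"),
    "App17": ("Medium", "PE2+PE4+PE6+PE12+PE14+PE16+PE18+PE20+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC28+AC29+AC32+AC34+AC36"),
    "App18": ("Low",    "PE4+PE5+PE6+PE12+PE25"),
    "App19": ("Medium", "PE12+PE18+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC11+AC12+AC13+AC15+AC28+AC29+AC32+AC34"),
    "App20": ("Medium", "PE1+PE2+PE4+PE5+PE6+PE9+PE11+PE12+PE16+PE17+PE18+PE20+PE25+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC11+AC12+AC14+AC15+AC28+AC29+AC31+AC32+AC34+AC36"),
    "App21": ("Low",    "PE8+PE12"),
    "App22": ("Medium", "PE4+PE5+PE9+PE10+PE12+PE17+PE18"),
    "App23": ("Medium", "PE4+PE5+PE6+PE9+PE10+PE12+PE17+PE18+PE20"),
    "App24": ("Medium", "PE4+PE5+PE6+PE7+PE9+PE10+PE12+PE13+PE17+PE18+PE20+PE23+PE25"),
    "App25": ("Medium", "PE4+PE5+PE10+PE12+PE17+PE18"),
    "App26": ("Medium", "PE1+PE4+PE5+PE10+PE12+PE17+PE18"),
    "App27": ("Medium", "PE1+PE2+PE4+PE5+PE6+PE9+PE10+PE12+PE17+PE18"),
    "App28": ("Low",    "PE4+PE5+PE12"),
    "App29": ("Low",    "PE4+PE5+PE6+PE7+PE9+PE12+PE17"),
    "App30": ("Medium", "PE4+PE5+PE10+PE12+PE17+PE20"),
}
MEETING_APPS = [f"App{i}" for i in range(1, 21)]   # App1..App20 per the text
GAME_APPS = [f"App{i}" for i in range(21, 31)]     # App21..App30 per the text


def parse_codes(description):
    """'PE4 + PE5+AC3' -> ['PE4', 'PE5', 'AC3'] (order kept so repeats show)."""
    return [tok.replace(" ", "") for tok in description.split("+") if tok.strip()]


def tally(apps=None):
    """Risk-level counts, optionally restricted to a list of app names."""
    chosen = TABLE_II if apps is None else {a: TABLE_II[a] for a in apps}
    return Counter(risk for risk, _ in chosen.values())


def share(counter, level):
    """Percentage of the apps in `counter` rated `level`, rounded to a whole percent."""
    total = sum(counter.values())
    return round(100 * counter[level] / total) if total else 0


def common_features(level):
    """Codes present in every app rated `level`."""
    sets = [set(parse_codes(d)) for r, d in TABLE_II.values() if r == level]
    return set.intersection(*sets) if sets else set()


def repeated_codes():
    """Apps whose description lists the same code more than once."""
    out = {}
    for app, (_, desc) in TABLE_II.items():
        dups = sorted(c for c, n in Counter(parse_codes(desc)).items() if n > 1)
        if dups:
            out[app] = dups
    return out


def apps_with_api_calls(apps):
    """Subset of `apps` whose description contains at least one AC code."""
    return [a for a in apps if any(c.startswith("AC") for c in parse_codes(TABLE_II[a][1]))]


if __name__ == "__main__":
    print("all:", tally(), "meeting:", tally(MEETING_APPS), "games:", tally(GAME_APPS))
    print("meeting High %:", share(tally(MEETING_APPS), "High"))
    print("games Medium %:", share(tally(GAME_APPS), "Medium"))
    print("common to High:", sorted(common_features("High")))
    print("common to Low:", sorted(common_features("Low")))
    print("repeated codes:", repeated_codes())
    print("games with any API-call feature:", apps_with_api_calls(GAME_APPS))
```

Running it reproduces the paper's 2/23/5 split and the 70%/30% figure for games, and surfaces three things the text does not say: the two high-risk apps are both meeting apps, so the abstract's 10% is 2 of 20; App1 is rated high on API-call codes alone, and every one of App1's codes also appears in App4; and none of the ten games triggered any AC code at all, so the game ratings rest entirely on permissions. It also shows that App4's row lists AC10 twice.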

Fig. 6. Examples of Mobotder Mobile App Simulation for Online Gaming Mobile Apps Evaluation

Fig. 7. Examples of Mobotder Mobile App Simulation for Online Meeting Mobile Apps Evaluation

TABLE II. ONLINE MOBILE APPS EXPERIMENT RESULTS

Online mobile apps | Risk   | Description
App1               | High   | AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC14+AC28+AC29+AC32+AC34
App2               | Medium | PE1+PE2+PE4+PE5+PE6+PE7+PE10+PE12+PE16+PE17+PE20+PE25+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC28+AC29+AC30+AC31+AC32+AC34+AC35+AC36
App3               | Medium | PE1+PE2+PE4+PE5+PE6+PE9+PE10+PE12+PE16+PE17+PE18+PE20+PE25+PE30+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC11+AC12+AC14+AC15+AC18+AC21+AC22+AC24+AC25+AC26+AC28+AC29+AC32+AC34+AC36+AC38
App4               | High   | PE4+PE5+PE6+PE11+PE12+PE14+PE16+PE17+PE18+PE19+PE20+PE21+PE22+PE24+PE30+AC1+AC3+AC4+AC5+AC6+AC7+AC8+AC9+AC10+AC12+AC14+AC15+AC18+AC10+AC20+AC24+AC28+AC29+AC30+AC32+AC34+AC36+AC38
App5               | Medium | PE1+PE2+PE4+PE5+PE6+PE11+PE12+PE16+PE17+PE18+PE25+PE26
App6               | Medium | PE4+PE6+PE12+PE16+PE17+PE25+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC13+AC28+AC29+AC32+AC34+AC36
App7               | Medium | PE1+PE2+PE4+PE5+PE6+PE7+PE10+PE12+PE16+PE17+PE18+PE20+PE25+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC13+AC14+AC15+AC28+AC29+AC30+AC31+AC32+AC34+AC36
App8               | Medium | PE4+PE5+PE6+PE10+PE12+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC14+AC15+AC24+AC28+AC29+AC31+AC32+AC34+AC36
App9               | Medium | PE4+PE5+PE6+PE12+PE18+PE20+PE25
App10              | Medium | PE1+PE2+PE4+PE5+PE6+PE7+PE12+PE18+PE25+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC14+AC28+AC29+AC30+AC32+AC34+AC35+AC36
App11              | Medium | PE1+PE2+PE4+PE5+PE9+PE10+PE11+PE12+PE14+PE16+PE17+PE18+PE20+PE25+AC1+AC3+AC5+AC6+AC7+AC9+AC11+AC12+AC14+AC15+AC28+AC29+AC30+AC31+AC34+AC35+AC36
App12              | Medium | PE4+PE5+PE6+PE7+PE12+PE17+PE20+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC14+AC15+AC28+AC29+AC32+AC34
App13              | Low    | PE6+PE12+PE17
App14              | Medium | PE1+PE4+PE5+PE9+PE12+PE16+PE17+PE18+PE25+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC14+AC15+AC17+AC22+AC28+AC29+AC30+AC31+AC32+AC34
App15              | Medium | PE4+PE5+PE6+PE9+PE12+PE16+PE18+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC11+AC12+AC14+AC15+AC19+AC24+AC28+AC29+AC30+AC31+AC34+AC35+AC36
App16              | Medium | PE4+PE5+PE6+PE7+PE12+PE16+PE17+PE18+PE20+PE25
App17              | Medium | PE2+PE4+PE6+PE12+PE14+PE16+PE18+PE20+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC12+AC28+AC29+AC32+AC34+AC36
App18              | Low    | PE4+PE5+PE6+PE12+PE25
App19              | Medium | PE12+PE18+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC11+AC12+AC13+AC15+AC28+AC29+AC32+AC34

App20              | Medium | PE1+PE2+PE4+PE5+PE6+PE9+PE11+PE12+PE16+PE17+PE18+PE20+PE25+AC1+AC3+AC4+AC5+AC6+AC7+AC9+AC10+AC11+AC12+AC14+AC15+AC28+AC29+AC31+AC32+AC34+AC36
App21              | Low    | PE8+PE12
App22              | Medium | PE4+PE5+PE9+PE10+PE12+PE17+PE18
App23              | Medium | PE4+PE5+PE6+PE9+PE10+PE12+PE17+PE18+PE20
App24              | Medium | PE4+PE5+PE6+PE7+PE9+PE10+PE12+PE13+PE17+PE18+PE20+PE23+PE25
App25              | Medium | PE4+PE5+PE10+PE12+PE17+PE18
App26              | Medium | PE1+PE4+PE5+PE10+PE12+PE17+PE18
App27              | Medium | PE1+PE2+PE4+PE5+PE6+PE9+PE10+PE12+PE17+PE18
App28              | Low    | PE4+PE5+PE12
App29              | Low    | PE4+PE5+PE6+PE7+PE9+PE12+PE17
App30              | Medium | PE4+PE5+PE10+PE12+PE17+PE20

Table II shows that 2 out of the 30 apps were high risk, 23 medium risk and 5 low risk. Both high-risk apps (App1 and App4) are online meeting apps, i.e. 10% of the 20 meeting apps tested. For the online game apps, 70% were medium risk and 30% low risk. Bear in mind that these results indicate a possibility of security exploitation by mobile malware against the online mobile apps, not confirmed exploitation. Hence, users must always understand whatever consent is granted to the apps installed on their smartphones and only download online apps from a trusted party. Furthermore, this model can identify possible security issues quickly and efficiently.

IV. CONCLUSIONS & FUTURE WORK

Based on the case study conducted with online apps, specifically online meeting apps and online games, it can be concluded that every online app carries its own risk of security exploitation. The developed model used permissions and API calls as the underlying concept and input for the Mobotder model. As a result, it is shown that security exploitation can be detected with suitable and correct feature selection. Furthermore, security awareness among users is crucial as part of the mitigation against mobile malware attacks. In the future, this model can be used as the input for a mobile malware detection system.

ACKNOWLEDGMENT

The authors would like to express their gratitude to the Ministry of Higher Education (MOHE), Malaysia for the support and facilities provided. This paper is supported under grant P5-2-50-50819-KPT-FRGS-FST.

REFERENCES

[1] P. Laplante, "Contactless U: Higher education in the postcoronavirus world," Computer, vol. 53, no. 7, pp. 76–79, Jul. 2020, doi: 10.1109/MC.2020.2990360.
[2] M. Humayun, M. Niazi, N. Z. Jhanjhi, M. Alshayeb, and S. Mahmood, "Cyber Security Threats and Vulnerabilities: A Systematic Mapping Study," Arab. J. Sci. Eng., vol. 45, no. 3, pp. 3171–3189, 2020, doi: 10.1007/s13369-019-04319-2.
[3] P. Wagenseil, "Zoom security issues: Everything that's gone wrong (so far)," Tom's Guide, 2020. https://www.tomsguide.com/news/zoom-security-privacy-woes (accessed Mar. 23, 2021).
[4] L. Irwin, "List of data breaches and cyber attacks in February 2021," IT Governance UK Blog, 2021. https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-february-2021-2-3-billion-records-breached (accessed Mar. 23, 2021).
[5] R. M. Parizi, A. Dehghantanha, K.-K. R. Choo, M. Hammoudeh, and G. Epiphaniou, "Security in Online Games: Current Implementations and Challenges," Handb. Big Data IoT Secur., pp. 367–384, 2019, doi: 10.1007/978-3-030-10543-3_16.
[6] N. S. N. Maguluri, "Multi-Class Classification of Textual Data: Detection and Mitigation of Cheating in Massively Multiplayer Online Role Playing Games," Wright State University, 2017.
[7] A. Balapour, H. R. Nikkhah, and R. Sabherwal, "Mobile application security: Role of perceived privacy as the predictor of security perceptions," Int. J. Inf. Manage., vol. 52, Jun. 2020.
[8] W. Hijawi, J. Alqatawna, A. M. Al-Zoubi, M. A. Hassonah, and H. Faris, "Android botnet detection using machine learning models based on a comprehensive static analysis approach," J. Inf. Secur. Appl., vol. 58, p. 102735, May 2021, doi: 10.1016/J.JISA.2020.102735.
[9] S. Y. Yerima and M. K. Alzaylaee, "Mobile Botnet Detection: A Deep Learning Approach Using Convolutional Neural Networks," 2020 Int. Conf. Cyber Situational Awareness, Data Anal. Assessment (Cyber SA 2020), Jun. 2020, doi: 10.1109/CYBERSA49311.2020.9139664.
[10] T. Takahashi and T. Ban, "Android application analysis using machine learning techniques," Intell. Syst. Ref. Libr., vol. 151, pp. 181–205, 2019, doi: 10.1007/978-3-319-98842-9_7.
[11] H. Alshahrani, H. Mansourt, S. Thorn, A. Alshehri, A. Alzahrani, and H. Fu, "DDefender: Android application threat detection using static and dynamic analysis," 2018 IEEE Int. Conf. Consum. Electron. (ICCE 2018), vol. 2018-January, pp. 1–6, Mar. 2018, doi: 10.1109/ICCE.2018.8326293.
[12] M. Sun, X. Li, J. C. S. Lui, R. T. B. Ma, and Z. Liang, "Monet: A User-Oriented Behavior-Based Malware Variants Detection System for Android," IEEE Trans. Inf. Forensics Secur., vol. 12, no. 5, pp. 1103–1112, May 2017, doi: 10.1109/TIFS.2016.2646641.
[13] F. Yang, Y. Zhuang, and J. Wang, "Android Malware Detection Using Hybrid Analysis and Machine Learning Technique," Lect. Notes Comput. Sci., vol. 10603 LNCS, pp. 565–575, 2017, doi: 10.1007/978-3-319-68542-7_48.
[14] A. Bhattacharya and R. T. Goswami, "Comparative Analysis of Different Feature Ranking Techniques in Data Mining-Based Android Malware Detection," Adv. Intell. Syst. Comput., vol. 515, pp. 39–49, 2017, doi: 10.1007/978-981-10-3153-3_5.
[15] H. Pieterse and M. Olivier, "Design of a hybrid command and control mobile botnet," J. Inf. Warf., vol. 12, no. 1, pp. 70–82, 2013. [Online]. Available: https://www.jstor.org/stable/26487000 (accessed Nov. 14, 2021).
[16] M. Mohd Saudi, L. Amran, and F. Ridzuan, "Go-Detect Application Inspired by Apoptosis to Detect SMS Exploitation by Malwares," Lect. Notes Mech. Eng., pp. 101–116, 2020, doi: 10.1007/978-981-13-8323-6_9.
[17] D. Arp, M. Spreitzenbarth, M. Hübner, H. Gascon, and K. Rieck, "Drebin: Effective and Explainable Detection of Android Malware in Your Pocket," Symp. Netw. Distrib. Syst. Secur. (NDSS), pp. 23–26, 2014, doi: 10.14722/ndss.2014.23247.
[18] I. H. Witten and E. Frank, Data Mining: Practical Machine Learning Tools and Techniques, 2nd ed. San Francisco: Morgan Kaufmann Publishers, 2005.
[19] L. Onwuzurike, E. Mariconti, P. Andriotis, E. De Cristofaro, G. Ross, and G. Stringhini, "MaMaDroid: Detecting Android malware by building Markov chains of behavioral models (extended version)," ACM Trans. Priv. Secur., vol. 22, no. 2, 2019, doi: 10.1145/3313391.
[20] A. Feizollah, N. B. Anuar, R. Salleh, G. Suarez-Tangil, and S. Furnell, "AndroDialysis: Analysis of Android Intent Effectiveness in Malware Detection," Comput. Secur., vol. 65, pp. 121–134, Mar. 2017, doi: 10.1016/J.COSE.2016.11.007.
[21] E. M. B. Karbab, M. Debbabi, A. Derhab, and D. Mouheb, "MalDozer: Automatic framework for Android malware detection using deep learning," in Proceedings of the 5th Annual DFRWS Europe, Mar. 2018, vol. 24, pp. S48–S59, doi: 10.1016/J.DIIN.2018.01.007.
[22] C. Tansettanakorn, S. Thongprasit, S. Thamkongka, and V. Visoottiviseth, "ABIS: A prototype of Android Botnet Identification System," Proc. 2016 5th ICT Int. Student Proj. Conf. (ICT-ISPC 2016), pp. 1–5, Jul. 2016, doi: 10.1109/ICT-ISPC.2016.7519221.
