{"title":"An Analysis of Android Malware Behavior","authors":"Fehmi Jaafar, Gagandeep Singh, P. Zavarsky","doi":"10.1109/QRS-C.2018.00091","DOIUrl":null,"url":null,"abstract":"Android is dominating the smartphone market with more users than any other mobile operating system. But with its growing popularity, interest from attackers has also increased, as the number of malicious applications keeps on rising. To know more about these applications, investigation of their behavior has become very important. In our paper, we present a study that combines static and dynamic analysis of these applications with an aim to analyze their behavior by examining various attributes such as permission, CPU usage, volatile memory, and traffic. The experimental result of the static analysis shows that top permissions are used by malware to access network state, Internet, write external phone state, and read phone state. Our results of runtime experiments show that CPU usage of malicious applications is on average half that of normal applications while in terms of volatile memory usage malicious applications occupied more RAM than legitimate ones. Traffic analysis includes transmission rate between endpoints which is higher in malware compared to normal applications with a higher number of malformed packets. 
Based on the above-mentioned four attributes, the behavior of malware can be understood and this behavior can assist in differentiating malicious apps from legitimate applications.","PeriodicalId":199384,"journal":{"name":"2018 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C)","volume":"93 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 IEEE International Conference on Software Quality, Reliability and Security Companion (QRS-C)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/QRS-C.2018.00091","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 4
Abstract
Android is dominating the smartphone market with more users than any other mobile operating system. But with its growing popularity, interest from attackers has also increased, as the number of malicious applications keeps on rising. To know more about these applications, investigation of their behavior has become very important. In our paper, we present a study that combines static and dynamic analysis of these applications with an aim to analyze their behavior by examining various attributes such as permission, CPU usage, volatile memory, and traffic. The experimental result of the static analysis shows that top permissions are used by malware to access network state, Internet, write external phone state, and read phone state. Our results of runtime experiments show that CPU usage of malicious applications is on average half that of normal applications while in terms of volatile memory usage malicious applications occupied more RAM than legitimate ones. Traffic analysis includes transmission rate between endpoints which is higher in malware compared to normal applications with a higher number of malformed packets. Based on the above-mentioned four attributes, the behavior of malware can be understood and this behavior can assist in differentiating malicious apps from legitimate applications.