Detection and Prevention of Malware in Android Operating System

The Internet is no longer safe: malware can be found anywhere on it. The risk of malware has also increased with the growing popularity and use of Smartphones and their cost-free applications. With its large market share, the Android operating system has become a prime target for malware developers. When an Android phone is infected with malware, the privacy of the user may be compromised by the theft of sensitive and private information such as contacts, IDs, passwords, photos, call records, and so on. Compared to any other Android application category, games are the most preferred zone for attackers, due to users' high interest in game applications. When an end user downloads a game injected with malicious code, user data is compromised without the user's knowledge. Since there are still not sufficient protection mechanisms or guidelines for end users against Android malware, this study offers a novel approach to detect Android malware in order to ensure the safe usage of Android applications. The advantage of this approach is its use of Android manifest files for the detection of malware. Because a manifest file is present in every Android application, the approach is applicable to all Android applications. It can also be considered a lightweight method for malware detection, and its efficiency is experimentally confirmed by testing and comparing the results of 50 Android game samples. Experiments are carried out using Android Package Kit (APK) tools, and based on the experiments, malware identification and prevention guidelines are proposed for the safe and secure usage of the Android operating system.


INTRODUCTION
Among recent technological innovations, the Android operating system has gained much popularity because of its extensive use in Smartphone devices. Various application sources, such as the Google Play store and third-party stores, give Smartphone users much freedom to download and install applications of their interest. However, when it comes to Android's security, it can be considered the most attacked platform due to its flexibility in allowing users to download and install to identify and stop Android malware; this study focuses on looking for specific differences and patterns within Android malicious and benign applications (particularly game applications) by analyzing their requested permissions and intents, which are what give malware access to private resources inside a device. For this study, we take 50 game applications obtained from the Google Play store [6] and Virus sign [7] between 2017 and 2018. Out of these 50 game applications, 25 are benign and 25 are real malware. The malicious applications are studied to look for specific patterns in their architecture, declared intents, and permission usage. Based on the patterns found, the sets of permissions and intent filters (actions) used by malware applications are consolidated and identified. Classifying the permissions and intents that distinguish malware is the first stage of this research; after that, malware prevention guidelines are formulated to prevent malware attacks in Android game applications.
The remainder of the paper is structured as follows: Section 2 gives a brief description of Android malware, game applications and manifest files. Section 3 presents the APK tools used for decompiling game applications in order to extract manifest files and to analyze game permissions and intent filters. Section 4 provides a comparative analysis of different malware detection approaches. Section 5 presents the steps followed to carry out this study. Section 6 discusses the results and gives a comparative analysis of the permissions requested by malicious and benign games. Following that, Section 7 presents guidelines for accessing and using game applications from the users' security point of view. Finally, Section 8 gives the conclusion of the work.

ANDROID MALWARE, GAMES, AND MANIFEST FILES
Android is a Linux-based operating system designed for touch-screen Smartphones and tablet PCs. It is an open-source technology that enables the software to be altered and distributed freely by developers, device manufacturers, gadget makers, and wireless carriers. Android was unveiled in 2007 alongside the establishment of the Open Handset Alliance (OHA), which was founded by Google [8].
Because of the extensive use of Smartphone devices, the Android operating system has gained much popularity over the past few years. Not only that, but application developers have also attracted Smartphone users to access and use their applications to the best of their interests. This has also provided a strong opportunity to those with malign intentions to steal users' sensitive and private data using their own developed apps [9]. Therefore, it is very important to understand the severity of malware attacks and to take safety measures against them. The following subsections briefly describe Android malware, malware in game applications, and manifest files.

Android Malware
Malware is any kind of hostile, intrusive or annoying program code which intends to use a device without the owner's permission. Malicious programs spy on users' behavior and compromise their privacy. Malware is notoriously difficult to combat as it appears and spreads quickly [10][11][12]. Usually, an attacker takes an altered application loaded with malicious code, which is available free of charge on the black market, and uploads its APK (Android Package Kit) file to popular blogs and social networking sites so that many people install the altered malicious application (see Fig. 1). As soon as users download that malicious application, their phone gets infected by the malware, and they lose control of their device [13].

Malware and Game Applications
Compared to any other category, game applications are the most preferred zone for attackers. This is due to users' high interest in game applications.
The well-known Check Point blog reported a large malware campaign on Google Play; the malware, named Judy, is an adware with auto-click capability. The malware uses infected devices to generate large numbers of fraudulent clicks on advertisements, producing revenue for the culprits behind it. The malware application reached a shocking spread of about 18.5 million downloads [14].

Android Manifest
The manifest file is named "AndroidManifest.xml" and is included in every Android application. It contains the essential information about an Android application, such as the application's name and version number, API level, and requested permissions (see Fig. 2). The manifest file format is alike in both malware and benign applications, though there are certain dissimilarities in the characteristics of numerous information items [15]. For our study, we extract two items from the Android manifest files of all 50 game applications: permissions and intent filters.
• Permissions: Android applications include security features called permissions. The main purpose of permissions is to ensure the security of the Android user. Every application needs to explicitly ask the user for some permissions at installation time in order to perform specific tasks on the device, e.g., to access the user's sensitive information such as SMS (Short Message Service) messages, phone numbers and photos, or system features such as the Internet and the camera [15,16].
• Intent Filters: An intent is a messaging object which can be used to request an action from another application component. An <intent-filter> element must contain at least one <action> element. If an intent filter has no <action> element, the filter does not accept any intents [17].

APK TOOLS
The Android operating system uses the APK file format for the installation and distribution of its packages. APK tools refer to a group of tools used to edit, view, or alter Android applications. These tools can decode resources to almost their original form and rebuild them after making alterations through reverse engineering. This study uses two APK tools for reverse engineering of Android applications:
i. Show Java Pro: used to decompile all 25 benign games. It extracts the source code of an Android application (including XML files and image assets) and works directly on an Android device [18].
ii. Java APK De-Compiler: an online decompiler used to decompile all 25 malicious games, in order to reduce the risk of being infected while working on the malware programs [19].

MALWARE DETECTION APPROACHES
The process of identifying malware can be divided into analysis, detection, classification and ensuing containment of malware. Several detection approaches are employed to identify malware according to their cases and instances, which make it possible to acknowledge the nature and activities of malware and their latest variants. Some of the recognized malware detection approaches are defined below.

Signature-Based
The signature-based approach can be considered the most popular option for commercial software vendors to detect malware. It retrieves semantic patterns of known malware and produces a unique signature from those retrieved patterns. If a program's signature matches the signature of previously known malware, that program is classified as malware. Although the signature-based approach works very effectively for malware which is already known, it fails when detecting unknown or new malware, which is the main disadvantage of this approach. Furthermore, the signature database is also limited; therefore, many malware samples remain undetected because they do not match any signature. To overcome this limitation, new malware signatures need to be added to the database promptly as soon as new malware is observed [20][21][22]. As an example of the signature-based approach, Wu et al. [23] proposed SP-MDM (Smartphone malware detection model), which is based on the artificial immune system, by analogy with the biological immune system that guards us against infections caused by viruses. In this model, static and dynamic signatures of malware were extracted separately and encoded as real-valued vectors. 20 benign and 20 malicious samples were used for testing to ensure the viability of the approach.

Specification-based
The specification-based approach uses a binding rule-set to identify malware. Under this strategy, a program which violates the predefined binding rule-set is classified as malware. The main limitation of this approach is the difficulty of precisely specifying the behavior of the program or system [20] [24]. Based on this approach, Dini et al. [25] presented PICARD (Probabilistic Contract on Android), a framework for the detection of repackaged applications through probabilistic contracts on Android systems. Given an application's contract statement, PICARD uses the contract to validate that the application has not been repackaged with malware. The idea behind PICARD is that actions, sequences or misbehaviors of an application, even at a small scale, are not part of the defined contract. Hence, such misbehavior is recognized and ultimately stopped before it is able to damage the device.

Behavior-based
The behavior-based approach relies on the actions of software to decide whether it is malware or not. It consists of many applications and offers the essential resources and material required to detect malware on the Android operating system. Every application has its own precise feature and purpose within the system, and the combination of all these tools forms the behavior-based malware detection system [20][21]. Based on this approach, Sheen et al. [26] presented the MCDF (Multi-feature collaborative decision fusion) method, which employs various item sets extracted from a group of benign and malicious applications. The different item sets are then analyzed to find the most discriminating set of items for malware detection. Based on the experiments, a comparative analysis of the proposed model with other ensemble learning techniques is also presented.
The analysis methods used by malware detection approaches can be categorized into two main types: static and dynamic.
• Static Analysis: responsible for examining an application's code by reverse engineering to seek out specific signs or patterns related to malware. Static analysis is performed without executing the application, because it consists of decompressing and disassembling an APK file rather than running it. This technique is fast and does not require high system resources.
• Dynamic Analysis: works by monitoring system calls with a trace tool to analyze the behavior of Android programs. All input traces produced by the user are collected using data-collecting software such as a crowd-sourcing and data-collector script. In this form of analysis, the user is responsible for the installation, execution and generation of input data for the Android software in order to obtain an output log file describing the application's behavior. Because the program must be monitored while it runs, the degree of automation and the time required are comparatively high. Furthermore, detection must happen before the malicious code enters the system to avoid harm to it. This also means that the dynamic detection technique requires additional resources [20,27].
In this paper, a behavior-based Android malware detection approach using static analysis is proposed. The detection method is grounded on reverse engineering. Static analysis is a well-explored approach that several researchers have used in the past with a goal similar to ours, malware detection, using their own methods, selected characteristics and items, or as a sub-process supporting their research and other purposes. However, our methods, characteristics, extracted items and experimental Android application samples differ completely from that prior work. In this paper, we use static analysis to extract items such as permissions and intent filters from Android manifest files; after that, a comparative analysis of specific characteristics of 25 benign and 25 malicious Android applications is presented. To determine whether a sample under examination is malicious or not, we match and compare its specific characteristics against those of the known malicious applications, and based on that we provide end-user guidelines for the prevention of malware and safe usage of the Android operating system. This method is fast, cost-effective, uses very few system resources, and is easily accessible to users compared to other detection approaches and methods, as shown in Table 1 and Table 2.

METHODOLOGY
As mentioned earlier, this study focuses on the detection and prevention of malware in Android game applications. For this purpose, we selected 50 game applications acquired from the Google Play store [6] and Virus sign [7] between 2017 and 2018. As shown in Fig. 3, the methodology of the research is divided into several self-explanatory phases: selection of benign and malicious games, scanning and installation of the selected games, selection and usage of APK tools, decompilation and extraction of items from manifest files, comparison of results, declaration of hazardous permissions and intent filters, and design and demonstration of guidelines for end users.

Fig. 3: Methodology
Table 3 and Table 4: (tables not reproduced in the text)
All 50 game applications were scanned on VirusTotal [28] before installation on a Smartphone. Fig. 4 and Fig. 5 show the scan results of two game applications out of the 50 game samples.
After installation, all applications were decompiled to calculate their average number of files and size, as shown in Table 5 and Table 6 below. The manifest files were extracted in order to analyze the permissions and intent filters. The analysis of permissions is discussed in the sections that follow.

RESULTS
All discovered malware was identified, and its symptoms or effects on the device were recorded after installation. The total extracted permissions and intent filters of benign and malicious games were recorded and compared. Based on the comparison, a set of dangerous permissions and intent filters within the Android games category has been declared, which end users should avoid in order to reduce the risk of being infected by malware.

Malware Identification
Five types of malware were discovered and identified during the experiments, as described below.

1. Trojan:
A Trojan is a kind of malware which keeps running in the background of a device with the ability to hide itself from the user. It silently waits for instructions from its creator, and these instructions can be anything from hijacking personal information to sending that information to a particular destination. In the Android operating system, it usually hides its existence by not generating an icon and disguising itself with a generic name in the list of applications.

Symptoms:
In most cases, users may notice a slowdown in the device's performance because the Trojan consumes device resources in the background.

2. Adware:
This is the most well-known and most prominent Android malware that a Smartphone gets infected with. Having adware on the phone can be frustrating, as the user experiences constant popups and advertisements on the screen of the Smartphone. Additionally, if any of the advertisements is clicked, another malicious program will be downloaded or some undesirable application will be installed on the user's Smartphone. Adware produces revenue for its creator by automatically showing online advertisements on the user's device.

Symptoms:
Users start seeing different types of ads, such as dubious miracle weight-loss programs, offers to get rich within a few days, and fake virus warnings that invite users to click on them. Users might also experience new tabs opening on their own, a changed browser home page, or even redirection to NSFW (Not Safe For Work) websites.

3. SMS Agent:
This is also a kind of Trojan, which spreads itself with the help of SMS, e-mail and other kinds of messages circulating on social media or the web. The messages being sent may contain malicious links; when a user on the receiving end clicks one, the device gets infected by that malware. Google has added warning functionality for these types of short-code messages in the latest versions of Android. This additional protection warns the user with a popup notice before sending the SMS or following any links from text messages.

Symptoms:
Users may experience sudden charges on their mobile phone bill or a decrease in their mobile credit. Users may also be notified that they have signed up for multiple premium services or websites which they did not expect.

4. Riskware:
Riskware is the name given to legitimate applications and programs that can cause harm if they are abused by malicious users to modify, copy or delete data, or to disrupt the device's performance. Riskware is not designed as a malicious program, but it does have some functions that can serve malicious purposes.
Symptoms: Users may encounter strange or lagging device behavior, unwanted background processes, an increase in spam e-mail, etc. Additional symptoms may depend on the severity of the installed program.

5. PUP (Potentially Unwanted Program):
A PUP is software that the user might not want clogging up his/her device. The name "Potentially Unwanted Program" was coined by McAfee to avoid marking downloadable applications as malware. What makes a PUP different from malware is that the user gives approval to download it. When the user downloads an application from the Internet and does not read the user agreement or the instructions that come with it, he may fail to comprehend what other unwanted programs are being installed with that particular application. In most cases these PUPs are adware or browser hijackers. These unwanted programs either take control of the browser homepage and default search engine, or show unwanted ads that do not originate from the websites being visited, and usually consume enormous amounts of system resources, which is a common cause of a sluggish operating system.
Symptoms: Frequent ads displayed while surfing the web, changes to the homepage, and installation of unwanted applications and toolbars without the user's knowledge.

Fig. 6 shows the collective ratio of the malware discovered and identified in this research. Most of the malicious games were found to work as Adware and Trojans, with a collective share of 56 percent. The remaining 44% of game applications were identified as affected by SMS Agent, Riskware and PUP malware.

Results of Benign Games
All 25 benign games were decompiled with the help of the Show Java Pro APK tool. The AndroidManifest.xml file was obtained from each decompiled game; after that, each game's permissions and intent filters were extracted from its manifest file and separately counted and recorded. Fig. 7 shows the top 15 permissions requested by benign games.

Results of Malicious Games
All 25 malicious games were decompiled with the help of the online APK tool Java APK De-Compiler, to avoid security issues on Smartphones. The AndroidManifest.xml file was obtained from each decompiled game; after that, each game's permissions and intent filters were extracted from its manifest file and separately counted and recorded. Fig. 9 shows the comparison of the total permissions requested by all benign and malicious games. It can be seen that benign games requested 112 permissions, whereas malicious games requested 285 permissions. Here we can clearly see that the number of permissions requested by malicious games is much higher than the number requested by benign games.

Hazardous Permission
After comparing the permissions of benign and malicious games, the permissions listed below are marked as dangerous; they were found and requested by malicious games only. A brief description of each permission is given below:
a) WRITE_SETTINGS: permits an application to read or write system settings.
b) CHANGE_NETWORK_STATE: permits an application to change the connectivity state of the network.
c) CHANGE_WIFI_STATE: permits an application to change the connectivity state of the Wi-Fi.
d) SEND_SMS: permits an application to send messages through SMS.
e) RECEIVE_SMS: permits an application to receive messages through SMS.
f) SYSTEM_ALERT_WINDOW: permits an application to draw over (overlay) other applications.

Requested Intents and their Comparison
Fig. 10 shows the intent filters of benign and malicious games. After permissions, this is the second item we extracted from the Android manifest. Fig. 10 shows that the MAIN intent is assigned to all 50 games (benign and malicious). BOOT_COMPLETED is assigned to 3 benign and 5 malicious games, and all other intents are found only in malicious games.
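As an added example (not code from the paper), the block below implements the two extraction and comparison steps described in the manifest section and in the results above: it parses decoded AndroidManifest.xml text for <uses-permission> names and <action> names inside <intent-filter> elements, computes the items requested by malicious samples and by no benign sample (the paper's comparison step), sums permission requests per group (the 112 vs. 285 figure), and flags a single manifest against the six hazardous permissions the paper lists. It assumes the manifests have already been decoded to plain XML by an APK tool, as the paper does with Show Java Pro and the online decompiler; the sample manifests, package names and counts are constructed stand-ins for the paper's 50 games, while the permission and action strings are standard Android identifiers.

```python
"""Extract and compare AndroidManifest.xml permissions and intent actions.

Added example, not code from the paper. Assumes the manifest has already been
decoded to plain XML by an APK tool; the sample manifests below are constructed
stand-ins for the paper's game samples (package names are made up).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree key for the android:name attribute

# Permissions the paper marks as hazardous (requested by malicious games only).
HAZARDOUS_PERMISSIONS = {
    "android.permission.WRITE_SETTINGS",
    "android.permission.CHANGE_NETWORK_STATE",
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}


def extract_items(manifest_xml):
    """Return (permissions, intent_actions) declared in one manifest string."""
    root = ET.fromstring(manifest_xml)
    permissions = {e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR)}
    # Every <action> inside any <intent-filter>, whichever component owns the filter.
    actions = {a.get(NAME_ATTR) for f in root.iter("intent-filter")
               for a in f.findall("action") if a.get(NAME_ATTR)}
    return permissions, actions


def union_items(manifests):
    """Union of permissions and of actions over a list of manifests."""
    perms, actions = set(), set()
    for m in manifests:
        p, a = extract_items(m)
        perms, actions = perms | p, actions | a
    return perms, actions


def malicious_only(benign_manifests, malicious_manifests):
    """The paper's comparison step: items requested by malicious samples and by no benign one."""
    benign_perms, benign_actions = union_items(benign_manifests)
    mal_perms, mal_actions = union_items(malicious_manifests)
    return mal_perms - benign_perms, mal_actions - benign_actions


def total_requests(manifests):
    """Permission requests summed over all manifests (the paper's 112 vs 285 figure)."""
    return sum(len(extract_items(m)[0]) for m in manifests)


def assess(manifest_xml, hazardous=HAZARDOUS_PERMISSIONS):
    """Flag one manifest against the hazardous permission set."""
    permissions, _ = extract_items(manifest_xml)
    flagged = sorted(permissions & hazardous)
    return {"flagged_permissions": flagged,
            "verdict": "suspicious" if flagged else "no hazardous permissions"}


def make_manifest(package, permissions, actions):
    """Build a minimal manifest string (constructed sample data, not a real game)."""
    perm_xml = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    act_xml = "".join('<action android:name="%s"/>' % a for a in actions)
    return ('<manifest xmlns:android="%s" package="%s">%s<application>'
            '<receiver android:name=".Receiver"><intent-filter>%s</intent-filter>'
            '</receiver></application></manifest>' % (ANDROID_NS, package, perm_xml, act_xml))


MAIN, BOOT = "android.intent.action.MAIN", "android.intent.action.BOOT_COMPLETED"
INTERNET = "android.permission.INTERNET"

# Constructed stand-ins for benign and malicious game samples.
BENIGN_SAMPLES = [
    make_manifest("com.example.puzzle", [INTERNET], [MAIN]),
    make_manifest("com.example.runner",
                  [INTERNET, "android.permission.ACCESS_NETWORK_STATE"], [MAIN, BOOT]),
]
MALICIOUS_SAMPLES = [
    make_manifest("com.example.fakegame",
                  [INTERNET, "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"],
                  [MAIN, BOOT, "android.provider.Telephony.SMS_RECEIVED"]),
    make_manifest("com.example.overlaygame",
                  ["android.permission.SYSTEM_ALERT_WINDOW", "android.permission.CHANGE_WIFI_STATE"],
                  [MAIN, "android.intent.action.USER_PRESENT"]),
]

if __name__ == "__main__":
    perms, actions = malicious_only(BENIGN_SAMPLES, MALICIOUS_SAMPLES)
    print("requests: benign=%d malicious=%d"
          % (total_requests(BENIGN_SAMPLES), total_requests(MALICIOUS_SAMPLES)))
    print("malicious-only permissions:", sorted(perms))
    print("malicious-only intent actions:", sorted(actions))
    print("first malicious sample:", assess(MALICIOUS_SAMPLES[0]))
```

Two points to keep in mind when applying this to real samples: the manifest inside an APK is stored in a binary XML encoding, so it must first be decoded by an APK tool before ET.fromstring will accept it, and a match against the hazardous set is a signal to be checked against the game's stated purpose rather than proof of malware, since a messaging app, for example, legitimately needs SEND_SMS.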

MALWARE PREVENTION GUIDELINES
Malware prevention guidelines are designed specifically for end users' safety. End users can easily understand and follow these guidelines to avoid being affected by malware and to enjoy safe, malware-free usage of the Android operating system. The guidelines are outlined below.
1. Always download applications from certified developers and trustworthy sources such as the Google Play store.
a) When a user tries to download a game, he has two options: (i) the user can go directly to the Play store and download the game of his choice, or (ii) he can go to the black market by means of any other website or store.
b) No matter which source the downloaded game comes from, it will request some permissions at installation time. Here, users have a good opportunity to verify the downloaded game's permissions before installing it. If a game asks for more than it needs, the user simply should not install it.
c) If the user ignores or does not verify the permissions before installing the game, an active antivirus installed on the user's phone can detect and eliminate the malware, or warn the user about the risks of the installed malicious game, depending on the privileges given to that antivirus.
d) Returning to permissions: if the user grants administrative rights to an application, that application becomes so powerful that it obtains full control of the user's device. In this case, the application can easily shut down any active antivirus and steal the user's private data or use the infected device for the benefit of its creator.
e) In the case of malicious SMS or e-mails, if the user responds to the fake SMS or e-mail and visits the URL it contains, he will end up inadvertently downloading or installing malware without his knowledge.
f) It is strongly recommended that users do not connect to unknown or unidentified open wireless networks; information sent over an unsecured network, or one without WPA / WPA2 (Wi-Fi Protected Access), can be exposed. By connecting to an unsecured or open wireless network, you are actually opening your device on that network to someone else.
g) Continuous software updates are necessary and highly recommended for the device's system as well as the antivirus, for fixing bugs, making enhancements, and adding new features for more security.

Conclusion
This study presented an approach to detect and avoid Android malware in game applications. With the help of APK tools, experiments were performed on 50 Android game applications: 25 benign and 25 malware games. The main advantage of this approach is its use of Android manifest files (already available in every Android application) for the detection of malware. The results show the dangerous permissions and intent filters that emerged from the comparison of benign and malicious games. To identify the permissions and intent filters related to malicious programs, it was essential to use reverse engineering to obtain the source code of the malicious and benign game applications. The results confirmed that malware programs heavily target device settings, network and Wi-Fi states, SMS, and overlaying of other applications. Moreover, malware prevention guidelines have also been proposed. It is demonstrated that examining only the manifest files is very economical in terms of resource consumption. Furthermore, the proposed method and guidelines can be easily applied by end users to detect and prevent malware for the safe usage of Android applications.