
Dissecting Android Malware: Characterization and Evolution

TLDR
The paper systematizes and characterizes existing Android malware from various aspects, including their installation methods, activation mechanisms and the nature of the carried malicious payloads, and reveals that they are evolving rapidly to circumvent detection by existing mobile anti-virus software.
Abstract
The popularity and adoption of smart phones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples. In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.


Yajin Zhou
Department of Computer Science
North Carolina State University
yajin_zhou@ncsu.edu
Xuxian Jiang
Department of Computer Science
North Carolina State University
jiang@cs.ncsu.edu
Keywords-Android malware; smartphone security
I. INTRODUCTION
In recent years, there is an explosive growth in smartphone
sales and adoption. According to CNN [1], smartphone
shipments have tripled in the past three years (from 40
million to about 120 million). Unfortunately, the increasing
adoption of smartphones comes with the growing prevalence
of mobile malware. As the most popular mobile platform,
Google’s Android overtook others (e.g., Symbian) to become
the top mobile malware platform. It has been highlighted
[2] that “among all mobile malware, the share of Android-
based malware is higher than 46% and still growing rapidly.”
Another recent report also alerts that there is “400 percent
increase in Android-based malware since summer 2010” [3].
Given the rampant growth of Android malware, there is a
pressing need to effectively mitigate or defend against them.
However, without an insightful understanding of them, it is
hard to imagine that an effective mitigation solution can be
practically developed. To make matters worse, the research
community at large is still constrained by the lack of a
comprehensive mobile malware dataset to start with.
The goals and contributions of this paper are three-fold.
First, we fulfil the need by presenting the first large
collection of 1260 Android malware samples¹ in 49 different
malware families, which covers the majority of existing
Android malware, ranging from their debut in August 2010
to recent ones in October 2011. The dataset is accumulated
from more than one year effort in collecting related malware
samples, including manual or automated crawling from
a variety of Android Markets. To better mitigate mobile
malware threats, we will release the entire dataset to the
research community at http://malgenomeproject.org/.²
Second, based on the collected malware samples, we
perform a timeline analysis of their discovery and thoroughly
characterize them based on their detailed behavior break-
down, including the installation, activation, and payloads.
The timeline analysis is instrumental to revealing major
outbreaks of certain Android malware in the wild while the
detailed breakdown and characterization of existing Android
malware is helpful to better understand them and shed light
on possible defenses.
Specifically, in our 1260 malware samples, we find that
1083 of them (or 86.0%) are repackaged versions of legiti-
mate applications with malicious payloads, which indicates
the policing need of detecting repackaged applications in the
current Android Markets. Also, we observe that more recent
Android malware families are adopting update attacks and
drive-by downloads to infect users, which are more stealthy
and difficult to detect. Further, when analyzing the carried
payloads, we notice a number of alarming statistics: (1)
Around one third (36.7%) of the collected malware samples
leverage root-level exploits to fully compromise the Android
security, posing the highest level of threats to users’ security
and privacy; (2) More than 90% turn the compromised
phones into a botnet controlled through network or short
messages. (3) Among the 49 malware families, 28 of them
(with 571 or 45.3% samples) have the built-in support of
sending out background short messages (to premium-rate
numbers) or making phone calls without user awareness. (4)
Last but not least, 27 malware families (with 644 or 51.1%
samples) are harvesting user’s information, including user
accounts and short messages stored on the phones.
¹ In this study, we consider samples with different SHA1 values to be
distinct.
² To prevent our dataset from being misused, we may require verifying
user identity or request necessary justification before the dataset can be
downloaded. Please visit the project website for detailed information.
2012 IEEE Symposium on Security and Privacy
© 2012, Yajin Zhou. Under license to IEEE.
DOI 10.1109/SP.2012.16
Third, we perform an evolution-based study of repre-
sentative Android malware, which shows that they are
rapidly evolving and existing anti-malware solutions are
seriously lagging behind. For example, it is not uncom-
mon for Android malware to have encrypted root ex-
ploits or obfuscated command and control (C&C) servers.
The adoption of various sophisticated techniques greatly
raises the bar for their detection. In fact, to evaluate the
effectiveness of existing mobile anti-virus software, we
tested our dataset with four representative ones, i.e., AVG
Antivirus Free, Lookout Security & Antivirus, Norton Mobile
Security Lite, and Trend Micro Mobile Security Personal
Edition, all downloaded from the official Android Market (in
the first week of November, 2011). Sadly, while the best case
was able to detect 1,003 (or 79.6%) samples in our dataset,
the worst case can only detect 254 (20.2%) samples.
Furthermore, our analysis shows that malware authors are
quickly learning from each other to create hybrid threats.
For example, one recent Android malware, i.e., AnserverBot [4]
(reported in September 2011), is clearly inspired by
Plankton [5] (reported in June 2011) to have
the dynamic capability of fetching and executing payload at
runtime, posing significant challenges for the development
of next-generation anti-mobile-malware solutions.
The rest of this paper is organized as follows: Section II
presents a timeline analysis of existing Android malware.
Section III characterizes our samples and shows a detailed
breakdown of their infection behavior. After that, Section IV
presents an evolution study of representative Android mal-
ware and Section V shows the detection results with four
representative mobile anti-virus software. Section VI dis-
cusses possible ways for future improvement, followed by a
survey of related work in Section VII. Lastly, we summarize
our paper in Section VIII.
II. MALWARE TIMELINE
In Table I, we show the list of 49 Android malware
families in our dataset along with the time when each
particular malware family is discovered. We obtain the list
by carefully examining the related security announcements,
threat reports, and blog contents from existing mobile anti-
virus companies and active researchers [6]–[12] as exhaus-
tively as possible and diligently requesting malware samples
from them or actively crawling from existing official and al-
ternative Android Markets. As of this writing, our collection
is believed to reflect the state of the art of Android malware.
Specifically, if we take a look at the Android malware history
[13] from the very first Android malware FakePlayer in
August 2010 to recent ones in the end of October 2011, it
spans slightly more than one year with around 52 Android
malware families reported. Our dataset has 1260 samples
in 49 different malware families, indicating a very decent
coverage of existing Android malware.
Table I
THE TIMELINE OF 49 ANDROID MALWARE IN OUR COLLECTION (O: OFFICIAL ANDROID MARKET; A: ALTERNATIVE ANDROID MARKETS)
Malware            Samples  Discovered Month
FakePlayer         6        2010-08
GPSSMSSpy          6        2010-08
TapSnake           2        2010-08
SMSReplicator      1        2010-11
Geinimi            69       2010-12
ADRD               22       2011-02
Pjapps             58       2011-02
BgServ             9        2011-03
DroidDream         16       2011-03
Walkinwat          1        2011-03
zHash              11       2011-03
DroidDreamLight    46       2011-05
Endofday           1        2011-05
Zsone              12       2011-05
BaseBridge         122      2011-06
DroidKungFu1       34       2011-06
GGTracker          1        2011-06
jSMSHider          16       2011-06
Plankton           11       2011-06
YZHC               22       2011-06
Crusewin           2        2011-07
DroidKungFu2       30       2011-07
GamblerSMS         1        2011-07
GoldDream          47       2011-07
HippoSMS           4        2011-07
Lovetrap           1        2011-07
Nickyspy           2        2011-07
SndApps            10       2011-07
Zitmo              1        2011-07
CoinPirate         1        2011-08
DogWars            1        2011-08
DroidKungFu3       309      2011-08
GingerMaster       4        2011-08
NickyBot           1        2011-08
RogueSPPush        9        2011-08
AnserverBot        187      2011-09
Asroot             8        2011-09
DroidCoupon        1        2011-09
DroidDeluxe        1        2011-09
Gone60             9        2011-09
Spitmo             1        2011-09
BeanBot            8        2011-10
DroidKungFu4       96       2011-10
DroidKungFuSapp    3        2011-10
DroidKungFuUpdate  1        2011-10
FakeNetflix        1        2011-10
Jifake             1        2011-10
KMin               52       2011-10
RogueLemon         2        2011-10
Total              1260     O: 14  A: 44
For each malware family, we also report in the table the
number of samples in our collection and differentiate the
sources where the malware was discovered, i.e., from either
the official or alternative Android Markets. To eliminate
possible false positives in our dataset, we run our collection
through existing mobile anti-virus software for confirmation
(Section V). If there is any miss from existing mobile anti-
virus security software, we will manually verify the sample
and confirm it is indeed a malware.
[Figure 1. The Android Malware Growth in 2010-2011.
(a) The Monthly Breakdown of New Android Malware Families. Y-axis: The Number of New Android Malware Families; x-axis: months, 2010-2011; series: In Android Market, In Both Markets, In Alternative Market.
(b) The Cumulative Growth of New Malware Samples in Our Collection. Y-axis: The Cumulative Number of New Malware Samples; x-axis: months, 2010-2011; data labels: 13, 13, 13, 14, 18, 23, 33, 66, 66, 115, 209, 403, 527, 678, 1260; annotated outbreaks: DroidKungFu (including its variants) and AnserverBot.]
To better illustrate the malware growth, we show in Fig-
ures 1(a) and 1(b) the monthly breakdown of new Android
malware families and the cumulative monthly growth of
malware samples in our dataset. Consistent with others [2]
[3], starting summer 2011, the Android malware has indeed
increased dramatically, reflected in the rapid emergence of
new malware families as well as different variants of the
same type. In fact, the number of new Android malware
in July 2011 alone already exceeds the total number in
the whole year of 2010. Figure 1(b) further reveals two
major Android malware outbreaks, including DroidKungFu
(starting June, 2011) and AnserverBot (starting September,
2011). Among these 1260 samples in our collection, 37.5%
of them are related to DroidKungFu [14] and its variants;
14.8% are AnserverBot [4]. Both of them are still actively
evolving to evade the detection from existing anti-virus
software, a subject we will dive into in Section IV.
III. MALWARE CHARACTERIZATION
In this section, we present a systematic characterization
of existing Android malware, ranging from their installation,
activation, to the carried malicious payloads.
A. Malware Installation
By manually analyzing malware samples in our collection,
we categorize existing ways Android malware use to install
onto user phones and generalize them into three main so-
cial engineering-based techniques, i.e., repackaging, update
attack, and drive-by download. These techniques are not
mutually exclusive as different variants of the same type may
use different techniques to entice users for downloading.
1) Repackaging: Repackaging is one of the most
common techniques malware authors use to piggyback mali-
cious payloads into popular applications (or simply apps). In
essence, malware authors may locate and download popular
apps, disassemble them, enclose malicious payloads, and
then re-assemble and submit the new apps to official and/or
alternative Android Markets. Users could be vulnerable by
being enticed to download and install these infected apps.
To quantify the use of repackaging technique among our
collection, we take the following approach: if a sample
shares the same package name with an app in the official
Android Market, we then download the official app (if
free) and manually compare the difference, which typically
contains the malicious payload added by malware authors. If
the original app is not available, we choose to disassemble
the malware sample and manually determine whether the
malicious payload is a natural part of the main functionality
of the host app. If not, it is considered a repackaged app.
In total, among the 1260 malware samples, 1083 of them
(or 86.0%) are repackaged. By further classifying them
based on each individual family (Table II), we find that
within the total 49 families in our collection, 25 of them
infect users by these repackaged apps while 25 of them
are standalone apps where most of them are designed to
be spyware in the first place. One malware family, i.e.,
GoldDream, utilizes both for its infection.
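The comparison step described above can be partly automated at class level. The following is an added example (not the authors' tooling, which was manual): it reads the class definitions of two classes.dex images and reports the packages present only in the sample. The package names com.camelgames.mxmotor and com.sec.android.provider.drm come from the paper; the class names, the helper build_dex and both DEX images are constructed, and the two apps are assumed to be the same version.

```python
"""Added example: list the classes a sample adds to the official app's classes.dex."""
import struct


def _uleb128(buf, pos):
    """Decode an unsigned LEB128 value; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if byte < 0x80:
            return value, pos
        shift += 7


def dex_classes(dex):
    """Return the names of classes defined (not merely referenced) in a DEX image."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    # Header fields: string_ids and type_ids at 0x38, class_defs at 0x60.
    str_n, str_off, type_n, type_off = struct.unpack_from("<4I", dex, 0x38)
    cls_n, cls_off = struct.unpack_from("<2I", dex, 0x60)
    strings = []
    for i in range(str_n):
        (data_off,) = struct.unpack_from("<I", dex, str_off + 4 * i)
        _, start = _uleb128(dex, data_off)  # skip the UTF-16 length prefix
        end = dex.index(b"\x00", start)
        strings.append(dex[start:end].decode("utf-8", "replace"))
    types = [strings[struct.unpack_from("<I", dex, type_off + 4 * i)[0]]
             for i in range(type_n)]
    names = set()
    for i in range(cls_n):  # class_def_item is 32 bytes; class_idx comes first
        (class_idx,) = struct.unpack_from("<I", dex, cls_off + 32 * i)
        names.add(types[class_idx][1:-1].replace("/", "."))  # Lcom/a/B; -> com.a.B
    return names


def added_packages(official_dex, sample_dex):
    """Group classes found only in the sample by package, largest group first."""
    groups = {}
    for name in dex_classes(sample_dex) - dex_classes(official_dex):
        groups.setdefault(name.rpartition(".")[0], []).append(name)
    return sorted(((pkg, sorted(cls)) for pkg, cls in groups.items()),
                  key=lambda item: (-len(item[1]), item[0]))


def build_dex(class_names):
    """Constructed test input: a DEX image holding only the tables read above."""
    descs = sorted("L" + n.replace(".", "/") + ";" for n in class_names)
    n = len(descs)
    str_off = 0x70
    type_off = str_off + 4 * n
    cls_off = type_off + 4 * n
    data_off = cls_off + 32 * n
    string_ids, data = b"", b""
    for desc in descs:
        string_ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(desc)]) + desc.encode() + b"\x00"  # length < 128
    type_ids = b"".join(struct.pack("<I", i) for i in range(n))
    class_defs = b"".join(struct.pack("<8I", i, 1, 0, 0, 0, 0, 0, 0)
                          for i in range(n))
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<4I", header, 0x38, n, str_off, n, type_off)
    struct.pack_into("<2I", header, 0x60, n, cls_off)
    return bytes(header) + string_ids + type_ids + class_defs + data


# Constructed inputs: class names are hypothetical, package names are the paper's.
HOST = ["com.camelgames.mxmotor.MainActivity", "com.camelgames.mxmotor.GameView"]
PAYLOAD = ["com.sec.android.provider.drm.BootReceiver",
           "com.sec.android.provider.drm.UpdateService"]
OFFICIAL_DEX = build_dex(HOST)
SAMPLE_DEX = build_dex(HOST + PAYLOAD)

if __name__ == "__main__":
    for package, classes in added_packages(OFFICIAL_DEX, SAMPLE_DEX):
        print(package, classes)
```

A package that appears only in the sample and is unrelated to the host app's own namespace is the part to review by hand; a version mismatch between the two apps adds noise to the same list.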
Among the 1083 repackaged apps, we find that malware
authors have chosen a variety of apps for repackaging,
including paid apps, popular game apps, powerful utility
apps (including security updates), as well as porn-related
apps. For instance, one AnserverBot malware sample (SHA1:
ef140ab1ad04bd9e52c8c5f2fb6440f3a9ebe8ea) repackaged a paid
app com.camelgames.mxmotor available on the official Android
Market. Another BgServ [15] malware sample (SHA1:
bc2dedad0507a916604f86167a9fa306939e2080) repackaged the
security tool released by Google to remove DroidDream from
infected phones.
Also, possibly due to the attempt to hide piggybacked
malicious payloads, malware authors tend to use the
class-file names which look legitimate and benign. For
example, AnserverBot malware uses a package name
com.sec.android.provider.drm for its payload, which looks
like a module that provides legitimate DRM functionality.
The first version of DroidKungFu chooses to use
com.google.ssearch to disguise as the Google search module
and its follow-up versions use com.google.update to pretend
to be an official Google update.
It is interesting to note that one malware family jSMSHider
uses a publicly available private key (serial number:
b3998086d056cffa) that is distributed in the Android Open
Source Project (AOSP). The current Android security model
allows the apps signed with the same platform key of the
phone firmware to request the permissions which are
otherwise not available to normal third-party apps. One such
permission includes the installation of additional apps
without user intervention. Unfortunately, a few (earlier)
popular custom firmware images were signed by the default key
distributed in AOSP. As a result, the jSMSHider-infected apps
may obtain privileged permissions to perform dangerous
operations without user’s awareness.
Table II
AN OVERVIEW OF EXISTING ANDROID MALWARE (PART I: INSTALLATION AND ACTIVATION)
Group         Column             Number of families  Number of samples
Installation  Repackaging        25                  1083
Installation  Update             4                   85
Installation  Drive-by Download  4                   4
Installation  Standalone         25                  177
Activation    BOOT               29                  1050
Activation    SMS                21                  398
Activation    NET                4                   288
Activation    CALL               6                   112
Activation    USB                1                   187
Activation    PKG                2                   17
Activation    BATT               8                   725
Activation    SYS                8                   782
Activation    MAIN               5                   56
Rows (one per malware family): ADRD, AnserverBot, Asroot, BaseBridge, BeanBot, BgServ, CoinPirate, Crusewin, DogWars, DroidCoupon, DroidDeluxe, DroidDream, DroidDreamLight, DroidKungFu1, DroidKungFu2, DroidKungFu3, DroidKungFu4, DroidKungFuSapp, DroidKungFuUpdate, Endofday, FakeNetflix, FakePlayer, GamblerSMS, Geinimi, GGTracker, GingerMaster, GoldDream, Gone60, GPSSMSSpy, HippoSMS, Jifake, jSMSHider, KMin, Lovetrap, NickyBot, Nickyspy, Pjapps, Plankton, RogueLemon, RogueSPPush, SMSReplicator, SndApps, Spitmo, TapSnake, Walkinwat, YZHC, zHash, Zitmo, Zsone
2) Update Attack: The first technique typically piggybacks
the entire malicious payloads into host apps, which could
potentially expose their presence. The second technique
makes it difficult for detection. Specifically, it may still
repackage popular apps. But instead of enclosing the payload
as a whole, it only includes an update component that
will fetch or download the malicious payloads at runtime.
As a result, a static scanning of host apps may fail to
capture the malicious payloads. In our dataset, there are four
malware families, i.e., BaseBridge, DroidKungFuUpdate,
AnserverBot, and Plankton, that adopt this attack (Table II).
The BaseBridge malware has a number of variants. While
some embed root exploits that allow for silent installation
of additional apps without user intervention, we here focus
on other variants that use the update attacks without root
exploits. Specifically, when a BaseBridge-infected app runs,
it will check whether an update dialogue needs to be
displayed. If yes, by essentially saying that a new version
is available, the user will be offered to install the updated
version (Figure 2(a)). (The new version is actually stored in
the host app as a resource or asset file.) If the user accepts,
an “updated” version with the malicious payload will then
be installed (Figure 2(b)). Because the malicious payload is
in the “updated” app, not the original app itself, it is more
stealthy than the first technique that directly includes the
entire malicious payload in the first place.
Figure 2. An Update Attack from BaseBridge: (a) The Update Dialogue; (b) Installation of A New Version
The DroidKungFuUpdate malware is similar to BaseBridge.
But instead of carrying or enclosing the “updated” version
inside the original app, it chooses to remotely download a
new version from network. Moreover, it takes a stealthy
route by notifying the users through a third-party library
[16] that provides the (legitimate) notification
functionality. (Note the functionality is similar to the
automatic notification from the Google’s Cloud to Device
Messaging framework.) In Figure 3, we show the captured
network traffic initiated from the original host app to
update itself. Once downloaded, the “updated” version turns
out to be the DroidKungFu3 malware. As pointed out in
Table I, the DroidKungFuUpdate malware was available on
both official and alternative Android Markets.
The previous two update attacks require user approval to
download and install new versions. The next two malware,
i.e., AnserverBot and Plankton, advance the update attack
by stealthily upgrading certain components in the host apps,
not the entire app. As a result, it does not require user
approval. In particular, Plankton directly fetches and runs
a jar file maintained in a remote server while AnserverBot
retrieves a public (encrypted) blog entry, which contains the
actual payloads for update! In Figure 4, we show the actual
network traffic to download AnserverBot payload from the
remote command and control (C&C) server. Apparently,
the stealthy nature of these update attacks poses significant
challenges for their detection (Table VII, Section V).
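The DroidKungFuUpdate exchange of Figure 3 suggests a network-side check, shown here as an added example that is not part of the paper: flag HTTP 200 responses that deliver installable or loadable code to an HTTP stack embedded in an app. The two captures are abridged from Figures 3 and 4; the ZIP body bytes, the Figure 4 Content-Type and body, and the names parse_message and classify are constructed for the illustration.

```python
"""Added example: flag code delivered over HTTP to an in-app client (update attack)."""
import re

# MIME types and leading bytes of formats Android can install or load at runtime.
CODE_TYPES = {"application/vnd.android.package-archive", "application/java-archive"}
CODE_MAGIC = {b"PK\x03\x04": "zip (apk/jar)", b"dex\n": "dex"}
# User-Agent prefixes of HTTP stacks embedded in apps; both occur in the paper's
# figures. The header is client-controlled, so this is a heuristic, not proof.
APP_CLIENTS = ("Apache-HttpClient", "Dalvik/")


def parse_message(raw):
    """Split one HTTP/1.1 message into (start_line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify(request, response):
    """Return the reasons an exchange looks like an in-app code download, or []."""
    req_line, req_headers, _ = parse_message(request)
    status_line, resp_headers, body = parse_message(response)
    status = status_line.split()
    if len(status) < 2 or status[1] != "200":
        return []
    reasons = []
    ctype = resp_headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype in CODE_TYPES:
        reasons.append("content-type " + ctype)
    for magic, label in CODE_MAGIC.items():
        if body.startswith(magic):
            reasons.append("body starts with " + label + " magic")
    target = req_line.split()[1] if len(req_line.split()) > 1 else ""
    if re.search(r"\.(apk|jar|dex)(\?|$)", target, re.IGNORECASE):
        reasons.append("request path names a code file")
    user_agent = req_headers.get("user-agent", "")
    if not reasons or not user_agent.startswith(APP_CLIENTS):
        return []  # nothing code-like, or not fetched by an embedded client
    return reasons + ["fetched by in-app client " + user_agent.split()[0]]


# Figure 3 (DroidKungFuUpdate), abridged; the ZIP body bytes are constructed.
FIG3_REQUEST = (
    b"GET /appfile/acc9772306c1a84abd02e9e7398a2cce/FinanceAccount.apk HTTP/1.1\r\n"
    b"Host: 219.234.85.214\r\n"
    b"Connection: Keep-Alive\r\n"
    b"User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)\r\n\r\n"
)
FIG3_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"Content-Type: application/vnd.android.package-archive\r\n"
    b"Content-Length: 377865\r\n\r\n"
    b"PK\x03\x04" + b"\x00" * 16
)
# Modelled on Figure 4 (AnserverBot). The Content-Type and body are assumptions:
# the figure elides the remaining headers and shows only an encoded blog entry.
FIG4_REQUEST = (
    b"GET /s/blog_8440ab780100t0nf.html HTTP/1.1\r\n"
    b"User-Agent: Dalvik/1.2.0 (Linux; U; Android 2.2.1; generic Build/MASTER)\r\n"
    b"Host: blog.sina.com.cn\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
FIG4_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/0.7.62\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html>constructed blog page carrying an encoded entry</html>"
)

if __name__ == "__main__":
    print(classify(FIG3_REQUEST, FIG3_RESPONSE))
    print(classify(FIG4_REQUEST, FIG4_RESPONSE))
```

The Figure 4 style exchange yields no reasons: a payload carried inside an ordinary HTML page passes type and magic-byte checks, which is the detection gap this section describes for AnserverBot.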
GET /appfile/acc9772306c1a84abd02e9e7398a2cce/FinanceAccount.apk HTTP/1.1
Host: 219.234.85.214
Connection: Keep-Alive
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"377865-1315359197000"
Last-Modified: Wed, 07 Sep 2011 01:33:17 GMT
Content-Type: application/vnd.android.package-archive
Content-Length: 377865
Date: Tue, 25 Oct 2011 02:07:45 GMT
PK.........\$?................META-INF/MANIFEST.MF.Y[s...}.....
xNY.@.dW..PD.. r.%.U>...r......N.O’UI.C...,....W.......w./ ....
..../...K....OoP..#../..........".-,..~.S..._.|......o..1..k...
..........]<.Y..,-...,l7zh......%....g..7r......^.BA41.L.......
Figure 3. An Update Attack from DroidKungFuUpdate
GET /s/blog_8440ab780100t0nf.html HTTP/1.1
User-Agent: Dalvik/1.2.0 (Linux; U; Android 2.2.1; generic Build/MASTER)
Host: blog.sina.com.cn
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/0.7.62
Date: Wed, 21 Sep 2011 01:44:16 GMT
...
v_____:yjEJTTlSvSSVSGRp9NASSSSSSSSSSSSSSSSkSSSS7WB5
rthyOV3JeJ4q96sSrc5Os7g6Wsz8hJn99P6O6UaRgkSZsu
...
Figure 4. An Update Attack from AnserverBot
3) Drive-by Download: The third technique applies
the traditional drive-by download attacks to mobile space.
Though they are not directly exploiting mobile browser
vulnerabilities, they are essentially enticing users to
download “interesting” or “feature-rich” apps. In our
collection, we have four such malware families, i.e.,
GGTracker [17], Jifake [18], Spitmo [19] and ZitMo [20]. The
last two are designed to steal user’s sensitive banking
information.
The GGTracker malware starts from its in-app advertisements.
In particular, when a user clicks a special advertisement
link, it will redirect the user to a malicious website,
which claims to be analyzing the battery usage of user’s
phone and will redirect the user to one fake Android Market
to download an app claimed to improve battery efficiency.
Unfortunately, the downloaded app is not one that focuses
on improving the efficiency of battery, but a malware that
will subscribe to a premium-rate service without user’s
knowledge.
Similarly, the Jifake malware is downloaded when users
are redirected to the malicious website. However, it is not
using in-app advertisements to attract and redirect users.
Instead, it uses a malicious QR code [21], which when
scanned will redirect the user to another URL containing
the Jifake malware. This malware itself is the repackaged
mobile ICQ client, which sends several SMS messages to
a premium-rate number. While QR code-based malware
propagation has been warned earlier [22], this is the first
time that this attack actually occurred in the wild.
The last two, Spitmo and ZitMo, are ported versions of
nefarious PC malware, i.e., SpyEye and Zeus. They work in
a similar manner: when a user is doing online banking with
a compromised PC, the user will be redirected to download a
particular smartphone app, which is claimed to better protect
online banking activities. However, the downloaded app is
actually a malware, which can collect and send mTANs
or SMS messages to a remote server. These two malware
families rely on the compromised desktop browsers to launch
the attack. Though it may seem hard to infect real users,
the fact that they can steal sensitive bank information raises
serious alerts to users.
4) Others: We have so far presented three main social
engineering-based techniques that have been used in existing
