
Malware: Detection and Prevention for Smart devices

Santa Clara University

COEN-283: Operating System

Team-8

Priyanka Rao Shweta Deshpande Shriram Suryanarayanan

[email protected] [email protected] [email protected]

“Cyber war is the battlefield of now.” - Geoff Livingston

May 28, 2015 Page 1

Content:

Project Detail

1. Introduction 2
2. Security Models in current Smart Devices 3
3. Malware Analysis (a. Static Analysis, b. Dynamic Analysis) 5
4. Malware Detection Techniques (a. Signature Based, b. Heuristic based) 7
5. Security Measures and Defense Techniques 9
6. Conclusion 12
7. Future work 12
8. References 13


1. Introduction

The new generation of cyber attacks is very different from the scattershot attacks designed for mischief. The motivation behind them has gradually changed: their authors now use malware to gain financial benefits on a large scale by stealing data from individuals and organizations. Cyber criminals successfully use advanced malware, zero-day exploits and other targeted advanced persistent threats (APTs) every day to compromise and breach organizations and individuals.

Smartphones and tablets have long been established as popular personal electronic devices. According to IDC's Q2 2014 report, sales of such devices have, for the first time ever, passed the mark of 300,000,000 devices sold per quarter. This is an important milestone in a market that has been growing for several years. According to the same IDC report, the distribution of operating systems for mobile devices is shown below:

(figure: mobile operating system market share, Q2 2014; source: Kaspersky Lab)

As the diagram shows, nearly 85% of the mobile device market was occupied by Android in Q2 2014. The Android operating system is free for device manufacturers and can be easily modified to match various business needs, which has helped it achieve popularity among smartphone and tablet developers as well as consumers across the world. This also means that Android-based devices inevitably attract the attention of cybercriminals who create and distribute malicious programs. It is estimated that 98.05% of all existing mobile malware targets users of Android devices.

Some of the active malware types:

Trojans are malicious programs that perform actions that have not been authorized by the user. These actions can include deleting, blocking, modifying or copying data, and disrupting the performance of computers or computer networks.

Trojan-SMS programs can cost you money by sending text messages from your mobile device to premium-rate phone numbers.

Adware is a form of malware (malicious software) that presents unwanted advertisements to the user of a computer. The advertisements produced by adware are sometimes in the form of a popup.

Trojan-Downloader programs can download and install new versions of malicious programs onto your computer, including Trojans and adware.

Trojan-Banker programs are designed to steal your account data for online banking systems, e-payment systems, and credit or debit cards.

Exploits are programs that contain data or code that takes advantage of a vulnerability within application software running on your computer.

Backdoor Trojans give malicious users remote control over the infected computer. They enable the author to do anything they wish on the infected computer, including sending, receiving, launching and deleting files, displaying data, and rebooting the computer. Backdoor Trojans are often used to unite a group of victim computers into a botnet or zombie network that can be used for criminal purposes.

(figure: Top 10 Malware Types)

2. Security Models in Current Smart Devices

In this section we provide an overview of the security models and protection measures incorporated in current smart devices, especially smartphones. The two major mobile platforms, iOS and Android OS, are built upon traditional desktop operating systems (OS) and inherit some security features from them. We next provide an overview of some of the security features present in the five platforms that currently dominate the market.

Symbian: The Symbian OS security model is based on a basic permission system. Phone resources are controlled by the OS using a set of permissions called "capabilities". Furthermore, applications run in user space, while the OS runs in kernel space. Applications requiring access to protected resources must be signed by Symbian or the device manufacturer, while all others can be self-signed. There is very little information about protection at the market level.

BlackBerry: The BlackBerry security model is based on a coarse-grained permission protection model. Applications have very limited access to the device resources and, as in the case of Symbian OS, they must be signed by the manufacturer (RIM) to be able to access resources such as, for example, the user's personal information. Additionally, applications must get user authorization to access resources such as the network. However, once the user grants an application access to the network, the application can both send SMSs and connect to the Internet. Although applications are not executed in a sandbox, some basic process and memory protection is offered. For instance, a process cannot kill other processes nor access memory outside the app's bounds.

Android: Google's Android OS security model relies on platform protection mechanisms rather than on market protection, as users are free to download applications from any market. Applications declare the permissions they request at installation time through the so-called manifest. If the user accepts them, the operating system is in charge of enforcing them at run time. Security policies are defined here for each individual resource, instead of specifying permissions for each app. Furthermore, such definitions can be made at a fine-grained level, allowing users to, for example, grant an app access to only part of the address book. A major consequence is that security policies are therefore defined by the user, not by the developer. However, this approach can easily overwhelm users, as they are held responsible for specifying security and privacy policies. Additionally, Android OS uses sandboxing and Address Space Layout Randomization (ASLR) to protect applications from malicious interference by other apps. Although Android OS isolates each running process, apps can still communicate with each other using ICC (inter-component communication), a rich functionality that, however, introduces risks such as those discussed before. Furthermore, all Android OS applications must be signed with a certificate to identify the developer. However, the certificate can be self-signed, in which case no certificate authority verifies the identity of the developer.

iOS: Apple's iOS security model [Apple, 2012] relies on market protection mechanisms rather than enforcing complex permission policies on the device at installation time. Apple's App Store is a walled-garden market with a rigorous review process. Those processes are essential for preventing malware from entering the device, as runtime security mechanisms are limited to sandboxing and user supervision. iOS isolates each third-party application in a sandbox. However, most of the device's resources are accessible, and misuse of a few of them, such as GPS, SMS and phone calls, can only be detected by the user after installation. Apple also uses static and dynamic analyses. Applications distributed on Apple's App Store must be signed by a valid certificate issued by Apple. Developer certificates are issued to individuals and/or companies after obtaining a verified Apple credential. iOS dynamically verifies that the application is signed, and therefore trusted, before executing it. Nevertheless, iOS can be tampered with (jailbroken) to install applications from alternative markets. This practice violates Apple policies, causes the device to lose its warranty, and allows the distribution of piggyback malware repackaged together with the original app. The latest versions of iOS provide a number of features to protect user data based on master encryption keys protected by a passcode. The entire file system is encrypted using block-based encryption and can only be decrypted when the phone is unlocked. Additionally, iOS supports ASLR and Data Execution Prevention (DEP) to prevent the execution of arbitrary code at runtime.

Windows Mobile: Microsoft's market protection model for Windows Mobile systems is based on application review. Developers are also validated prior to an application's approval. Platform protection in Windows Mobile is similar to Android OS. It uses a trusted boot component and code signing to protect the integrity of the operating system. It also provides signed drivers and applications through the Windows Phone Store online market. The latest versions of Microsoft's smartphone OS (Windows Phone 7 and 8) incorporate isolation among different sandboxes [Microsoft, 2012]: each app is executed in its own sandbox, named a "chamber". Chambers are defined and implemented using a number of system policies which restrict access to other chambers; each security policy defines what permissions are given to an app, known as capabilities. In this regard, users are informed of the capabilities of an application prior to install.

Malware characterization: We classify malware for smart devices in terms of the following features.

Attack goals and behavior: Identifying malware's motivation on smart devices is paramount to a better understanding of its behavior and can be used to develop targeted detection strategies. Such goals range from fraud and service misuse driven by economic incentives, to spamming, espionage, data theft and sabotage.

Distribution and infection: Malware creators can use a variety of techniques to distribute malicious applications and infect devices, from self-propagation mechanisms based on vulnerabilities and misconfigurations, to simply tricking the user into installing it by means of social-engineering techniques.

Privilege acquisition: Once the malicious code is installed on the device, it often needs to acquire enough privileges to carry out its goals. This is automatic in many cases, as the user might already have granted them to the app, whereas in other cases technical vulnerabilities and/or misconfigurations are exploited.

Malware analysis and Detection

Smart devices are often compromised by malware; therefore their security is a major concern. To protect the device from the activities of malware, we first need to understand how to analyze and detect it.

3. Malware Analysis:

Malware analysis is the process of studying the code, behavior and functionality of malware so that the severity of an attack can be measured. It can be done in two ways: A. Static Analysis, B. Dynamic Analysis.

A) Static Analysis (code analysis): analyzes the properties of a piece of software or code in order to find malicious code patterns or signatures. In static analysis, detection is done at the source code, binary or API level without executing the code or file. Reverse engineering is performed by decompressing, disassembling and searching for patterns in the APK files in order to understand the structure of the malware. Advantage: the method is fast and not very resource consuming, with a low level of false positives (accuracy is high). Disadvantage: obfuscation and encryption techniques embedded in software make static analysis difficult, and it cannot detect new malware.

Obfuscation: hiding information such that others cannot find its true meaning. Binary obfuscation techniques transform malware binaries into self-compressed and uniquely structured binary files, which are designed to resist reverse engineering and thus make static analysis very expensive and unreliable. Moreover, when binary executables (obtained by compiling source code) are used for static analysis, information such as the size of data structures or variables is lost, complicating analysis of the malware code. Below is an example of clean code vs. obfuscated code. Clean code can be identified in static analysis. Obfuscated code cannot easily be identified unless it is executed, which converts the ASCII codes back into a string. Obfuscated code can therefore easily bypass static analysis, as the scanner is unable to match its pattern against the data available in the database.
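The clean-vs-obfuscated figure is not reproduced on this page; the following is an added example (not from the report) that makes the same point in code. It scans a constructed "clean" snippet and an obfuscated version of it against a constructed byte-signature database, then shows a static constant-folding pass that recovers the literals without executing the sample. All samples, signatures and the placeholder domain are constructed for illustration.

```python
"""
Added example (not from the report): a byte-signature scanner applied to a
"clean" and an "obfuscated" version of the same snippet, plus a static
de-obfuscation pass that folds constant string constructions back into
literals so the scanner can match again. Samples and signatures are constructed.
"""
import re
from typing import List

# Constructed signature database: a byte sequence the scanner expects to find
# in the code or data of a known malware family.
SIGNATURES = {
    "Trojan-Downloader.c2_url": b"http://malware.example/payload.apk",
    "Trojan-SMS.premium_number": b'"1900555"',
}

# Constructed clean snippet: the indicators appear as plain string literals.
CLEAN_SAMPLE = b"""
    String url = "http://malware.example/payload.apk";
    String number = "1900555";
    sms.sendTextMessage(number, null, "SUBSCRIBE", null, null);
"""

# The same logic with the literals obfuscated: the URL is built from an array
# of ASCII codes and the number is stored reversed. Byte for byte, the
# indicators are no longer present, so a plain signature match fails.
OBFUSCATED_SAMPLE = b"""
    String url = new String(new char[]{104,116,116,112,58,47,47,109,97,108,119,
        97,114,101,46,101,120,97,109,112,108,101,47,112,97,121,108,111,97,100,
        46,97,112,107});
    String number = new StringBuilder("5550091").reverse().toString();
    sms.sendTextMessage(number, null, "SUBSCRIBE", null, null);
"""


def scan(code: bytes) -> List[str]:
    """Signature-based detection: report every signature found verbatim."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in code)


# Patterns for two common string-obfuscation idioms (constructed for the demo).
CHAR_ARRAY = re.compile(rb"new String\(new char\[\]\{([0-9,\s]+)\}\)")
REVERSED = re.compile(rb'new StringBuilder\("([^"]*)"\)\.reverse\(\)\.toString\(\)')


def deobfuscate(code: bytes) -> bytes:
    """Static constant folding: evaluate the two idioms without running the
    sample, turning them back into literals the scanner can match."""

    def fold_chars(m) -> bytes:
        codes = [int(c.strip()) for c in m.group(1).split(b",") if c.strip()]
        return b'"' + bytes(codes) + b'"'

    def fold_reverse(m) -> bytes:
        return b'"' + m.group(1)[::-1] + b'"'

    code = CHAR_ARRAY.sub(fold_chars, code)
    return REVERSED.sub(fold_reverse, code)


if __name__ == "__main__":
    print("clean:      ", scan(CLEAN_SAMPLE))
    print("obfuscated: ", scan(OBFUSCATED_SAMPLE))
    print("de-obfuscated:", scan(deobfuscate(OBFUSCATED_SAMPLE)))
```

The folding pass only handles idioms whose decoding is a pure function of constants in the file; a string decrypted with a key fetched at runtime would still require dynamic analysis.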


There are three types of static analysis, explained in the figures below: a) system call based, b) static taint analysis, c) source code analysis.

a. Malware analysis proposed for Symbian OS. This technique uses IDA Pro to disassemble the mobile application and extract system calls. It then uses a Centroid Machine to classify the mobile application as either malicious or benign (anomaly detection).

b. PiOS, a technique proposed for performing static taint analysis on iOS application binaries. PiOS disassembles the mobile application and constructs a control flow graph. The analysis considers paths originating from sensitive sources, such as the address book, current GPS coordinates, keyboard cache, unique device ID, and other phone-related information. Dataflow analysis checks for any sensitive data transmission in order to detect data leakage.

c. Android malware analysis. It uses a Dalvik decompiler to generate Java source code from the application's installation image and then uses SCA, a static code analyzer, to evaluate the recovered source code.

B) Dynamic Analysis (behavioral analysis): Analysis of an infected file during its execution is known as dynamic analysis. It identifies malicious behaviors after deploying and executing the application in a simulated environment such as a virtual machine, emulator or sandbox. During execution of the file, its system interaction, its behavior and its effect on the machine are monitored. These techniques require some human or automated interaction with the app, as malicious behavior is sometimes triggered only after certain events occur. It considers parameters like network traffic, native code and user interaction. It can be used both in the cloud for market protection or directly on the device. Advantage: it can analyze obfuscated and polymorphic malware, and detect known as well as unknown malware. Disadvantage: highly resource consuming, with a high level of false positives (accuracy is low).

TaintDroid provides system-wide dynamic taint tracking for Android. The mobile application is passed to the Dalvik virtual machine, which performs four granularities of taint propagation: variable, method, message and file level. Taint tracking marks any data that originates from sensitive sources, such as location, microphone, camera and other phone identifiers. This technique modifies the native library loader to ensure that all native libraries are called from the virtual machine, thus preventing untrusted applications from executing native methods directly.
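To make the taint-propagation idea concrete, here is an added example (not TaintDroid's code) of a minimal variable- and file-level taint tracker: values read from sensitive sources carry labels, the labels follow the data through concatenation and file writes, and a network sink reports which labels reach it. The sources, the sink and the "suspect app" are constructed for the example.

```python
"""
Added example (not TaintDroid's code): a minimal variable- and file-level taint
tracker in the spirit of the dynamic taint tracking described above. Values read
from sensitive sources carry taint labels, the labels propagate through string
operations and file writes, and a network sink reports which labels reach it.
The sources, sinks and the "app" below are all constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Tainted:
    """A value plus the set of sensitive sources it (transitively) derives from."""
    value: str
    taint: frozenset = frozenset()

    def __add__(self, other) -> "Tainted":
        # Propagation rule: concatenation carries the union of both label sets.
        if isinstance(other, Tainted):
            return Tainted(self.value + other.value, self.taint | other.taint)
        return Tainted(self.value + other, self.taint)


def read_source(label: str, value: str) -> Tainted:
    """Sensitive source (location, IMEI, ...): every value leaves it tainted."""
    return Tainted(value, frozenset({label}))


class FileStore:
    """File-level granularity: a file inherits the labels of everything written to it."""

    def __init__(self) -> None:
        self.files: Dict[str, Tainted] = {}

    def write(self, path: str, data: Tainted) -> None:
        self.files[path] = self.files.get(path, Tainted("")) + data

    def read(self, path: str) -> Tainted:
        return self.files[path]


class NetworkSink:
    """Sink: records an alert whenever tainted data is about to leave the device."""

    def __init__(self) -> None:
        self.alerts: List[Tuple[str, List[str]]] = []

    def send(self, host: str, data: Tainted) -> bool:
        leaked = bool(data.taint)
        if leaked:
            self.alerts.append((host, sorted(data.taint)))
        return leaked


def run_suspect_app() -> List[Tuple[str, List[str]]]:
    """Constructed app: caches identifiers in a file and later uploads the file."""
    fs, net = FileStore(), NetworkSink()
    imei = read_source("IMEI", "123456789012345")        # constructed sample value
    loc = read_source("LOCATION", "37.35,-121.94")       # constructed sample value
    record = Tainted("id=") + imei + "&loc=" + loc        # variable-level propagation
    fs.write("/data/cache/report.txt", record)            # taint follows data into the file
    fs.write("/data/cache/report.txt", Tainted("&v=1"))   # untainted append, labels kept
    net.send("cdn.example", Tainted("GET /style.css"))    # benign request, no alert
    net.send("stats.example", fs.read("/data/cache/report.txt"))  # leak reported here
    return net.alerts


if __name__ == "__main__":
    for host, labels in run_suspect_app():
        print(f"tainted data sent to {host}: {labels}")
```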

4. Malware Detection Techniques:

These techniques are used to detect malware and prevent the device from being infected, protecting it from potential information loss and system compromise. A few detection techniques are listed below:

a) Signature-based malware detection: This technique maintains a database of signatures and detects malware by comparing patterns against the database. Commercial antivirus scanners look for signatures, typically a sequence of bytes within the malware code, to declare that the scanned program is malicious in nature. Most antivirus tools are based on signature-based detection techniques. These signatures are created by examining the disassembled code of the malware binary: the disassembled code is analyzed, features are extracted, and these features are used to construct the signature of a particular malware family. A library of known code signatures is updated and refreshed constantly by the antivirus software vendor, so this technique can detect known instances of malware accurately. The main advantages of this technique are that it detects known instances of malware accurately, requires few resources to do so, and focuses on the signature of the attack. The major drawback is that it cannot detect new, unknown instances of malware, as no signature is available for them. Every kind of malware has some specific characteristics in its code which can be used for its detection. It is like using photographs of criminals at an airport in order to match them against people and detect someone suspicious.

b) Anomaly-based detection: Also called profile-based intrusion detection or statistical detection. It assumes that malicious code will cause behaviors different from those normally observed in a system. In fact, anomaly detection is based on a definition of normality and classifies as malicious any activity that deviates from it. It observes the "normal" activities of the user and then creates behavior profiles that represent the threshold dividing normal from abnormal behaviors. Classifying what is normal is a difficult task and involves technical factors as well as some knowledge from expert users. It needs machine learning techniques to detect unknown malware. The machine learning mechanism is described below. It helps in detecting malware that keeps generating new mutants, since they will always use system resources and services in a similar manner.

1. Data Collection: This component collects dynamic / static information.

2. Interpretation: This component converts the raw information collected by the data collection module into intermediate representations.

3. Matching Algorithm: It is used to compare the representation with the behavior signature.

Advantage: it can detect known as well as new instances of malware, or obfuscated malware.

Disadvantage: it needs to update the data describing the system behavior and the statistics in the normal profile. It needs more resources (CPU time, memory and disk space), and the level of false positives is high.
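The three components above (data collection, interpretation, matching) in working form, as an added example that is not from the report: it builds a normal profile from constructed system-call traces of a benign app, turns a new trace into a normalized call-frequency vector, and flags it when its distance from the profile exceeds a threshold derived from the baseline's own spread. The traces and the distance threshold are constructed assumptions, and the last paragraph's caveat is visible in the code: the threshold must be re-learned whenever normal behavior changes.

```python
"""
Added example (not from the report): profile-based anomaly detection over
system-call traces, built from the three components the text lists.
The traces are constructed (one token per call, simplified from an
strace-style log); the L1 distance and the margin are assumptions for the demo.
"""
from collections import Counter
from typing import Dict, List

# --- 1. Data collection: three sessions of a benign app form the baseline.
BASELINE_TRACES = [
    "read read write ioctl recvfrom read write ioctl read read",
    "read write ioctl read write recvfrom read ioctl read write",
    "read read read ioctl write recvfrom ioctl read read read",
]
# A later benign session and a session of a constructed suspect app that
# spends its time uploading data and spawning processes.
BENIGN_SESSION = "read read write ioctl ioctl read write read ioctl read"
SUSPECT_SESSION = "read sendto sendto execve open sendto open sendto read sendto"


def collect(trace: str) -> List[str]:
    """Data collection: parse the raw trace into an ordered list of call names."""
    return trace.split()


# --- 2. Interpretation: intermediate representation = normalized call frequencies.
def interpret(calls: List[str]) -> Dict[str, float]:
    counts = Counter(calls)
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}


def l1_distance(a: Dict[str, float], b: Dict[str, float]) -> float:
    """Sum of absolute frequency differences over every call seen in either vector."""
    return sum(abs(a.get(k, 0.0) - b.get(k, 0.0)) for k in set(a) | set(b))


# --- 3. Matching: compare a representation against the learned normal profile.
class NormalProfile:
    def __init__(self, traces: List[str], margin: float = 2.0) -> None:
        vectors = [interpret(collect(t)) for t in traces]
        keys = set().union(*vectors)
        # The profile is the mean frequency of each call across baseline sessions.
        self.mean = {k: sum(v.get(k, 0.0) for v in vectors) / len(vectors) for k in keys}
        # Threshold: how far the baseline's own sessions stray, times a margin.
        # Re-learn this whenever "normal" changes, or false positives creep in.
        worst_self = max(l1_distance(v, self.mean) for v in vectors)
        self.threshold = max(worst_self * margin, 0.1)

    def score(self, trace: str) -> float:
        return l1_distance(interpret(collect(trace)), self.mean)

    def is_anomalous(self, trace: str) -> bool:
        return self.score(trace) > self.threshold


if __name__ == "__main__":
    profile = NormalProfile(BASELINE_TRACES)
    for name, trace in [("benign", BENIGN_SESSION), ("suspect", SUSPECT_SESSION)]:
        print(f"{name}: score={profile.score(trace):.2f} "
              f"threshold={profile.threshold:.2f} anomalous={profile.is_anomalous(trace)}")
```

A mutant of the suspect app that renames its strings still produces the same call mix, which is why this catches what the signature scanner misses; a benign app that legitimately starts uploading (a new sync feature, say) would trip it too, which is the false-positive cost the text mentions.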

Analysis and Detection Challenge: If a system uses any one analysis or detection technique, it will miss a greater number of malicious samples. To improve detection, the system needs to combine different analysis and detection techniques, so researchers propose a solution called Hybrid Analysis.

Hybrid Analysis: a technique that overcomes the limitations of static and dynamic analysis techniques. It first analyses the signature specification of the malware code and then combines it with other behavioral parameters for a more complete malware analysis.

The Android Application Sandbox (AASandbox) system is another technique which offers two-step analysis for an Android application. A mobile application is passed to AASandbox, where it performs static and dynamic analysis in offline mode. Static analysis disassembles the application image binary and uses the disassembled code to search for suspicious patterns. Dynamic analysis executes the binary in an Android emulator and logs the system calls.

Cloud Based Malware Detection (Replicas in the Cloud) uses hybrid analysis: Mobile devices have fewer resources, and having a full-fledged detection system on a mobile device would be a resource overhead. To overcome this, a cloud-based approach is an efficient scheme. In this scheme a lightweight client application monitors the system calls on the device and sends them to a server in the cloud to detect malicious behavior. Thus, offloading the heavy computation to the cloud enables efficient detection.

Paranoid Android is a cloud-based Android malware detection technique. It has a small component on the user's phone that records all interactions of the application with various components and transmits that information to a cloud server. The server in the cloud reruns the application with the same behaviors. The server deploys several security checks, such as dynamic malware analysis, memory scanners, system call anomaly detection, and commercial antivirus scanning, from the cloud's ample resources. Paranoid Android uses a proxy to temporarily store inbound network traffic information so that the phone can save energy by not sending this data back to the server. Instead, the server can directly contact the proxy to get the network traffic information needed to successfully replay the execution. The advantages of a cloud-based detection system are: efficient detection through dedicated specialized servers, less usage of device resources, and less software complexity on the device. On the other hand, a centralized solution like cloud-based detection needs to be always connected to the cloud to enable live detection. Also, privacy could be a concern, as user data is being processed on a central server.

5. Mobile Malware and Defenses

As phones have evolved to become full-fledged computing devices, they have also become attractive targets for malware such as viruses, worms and Trojans. Malware typically exploits vulnerabilities on interfaces unique to the smartphone, such as Bluetooth, or vulnerabilities in applications running on the phone. Tools to detect mobile malware have adapted well-known techniques used on desktops, such as signature and behavior based detection algorithms, to operate in a resource-constrained environment. These algorithms use less memory, run faster, and consume less battery power than their desktop counterparts. Other approaches to detecting mobile malware monitor and analyze untrusted software for anomalous behaviors that deplete energy. Mobile phones are likely targets of cross-service attacks. For example, an attack may be perpetrated and downloaded through the Internet onto a smartphone via its data plan, and may then access its telephony subsystem. Such threats are possible because of the relaxed security mechanisms currently employed by mobile phones. For example, an arbitrary user-space process on the phone can issue AT commands to the GSM device. Such cross-service attacks can be prevented by labeling user-space files and resources and enhancing access control mechanisms on smartphone operating systems.

A multi-layer integrated security solution for mobile smart devices is proposed below:

End-user: It is always essential for end-users to be aware of the security measures of their mobile device. End-users should be aware of at least the following measures:

1. Install antivirus and antimalware solutions to protect the device against malware and viruses, and ensure that automatic updates are turned on. It has been shown that installing anti-virus and anti-malware software is very effective in protecting mobile devices from malicious applications. Install a personal firewall to protect mobile device interfaces from direct attack and illegal access; mobile firewalls are also effective in increasing a mobile device's security.

2. Install only applications from trusted sources that have legitimate contact information and a website. As the current Android Market (Google Play) does not adopt a certification process for applications, it is up to the end user to make sure he/she only installs trusted applications from trusted developers. Install only applications from the official and original developer (for example, if you are installing the Instagram application, make sure you download it from Instagram Inc.).

3. Ensure your OS and software are always up to date with the latest versions and apply security patches regularly.

4. Install remote locate, track, lock, wipe, backup and restore software to retrieve, protect or restore a lost or stolen mobile device and the personal data on it.

5. Only install applications that have a high number of downloads and positive reviews.

6. Never view sensitive data over public wireless networks which have no passwords or encryption.

Mobile Network Operators (MNO):

MNOs have a responsibility to create a more secure environment for their customers. MNOs need to install anti-virus and anti-malware software to scan SMS and MMS messages entering and leaving the mobile network, as much malware uses SMS/MMS to propagate and to contact the bot-master. MNOs should also build global partnerships with related agencies such as other MNOs to prevent mobile malware propagation by exchanging information, knowledge, databases and expertise.

App Developers: Developers also need to take care of the security measures implemented in their applications. They should ensure that private data is not sent via an unencrypted channel; the data must be sent over HTTPS or TLS.

Developers should minimize the use of built-in permissions in their applications; for example, do not ask for full Internet access permission unless it is essential for your application to work properly. Android has about 100 built-in permissions that control operations such as dialing the phone (CALL_PHONE), sending short messages (SEND_SMS), etc.

In Android, there are three main "security protection levels" for permission labels: a "normal" permission is granted to any application that requests it; a "dangerous" permission is only granted after user approval at install time; and a "signature" permission is only granted to applications signed by the same developer key as the application defining the permission label.

This "signature" protection level is integral in ensuring that third-party applications do not gain access affecting the integrity of Android's trusted computing base (TCB). It is also useful for minimizing repackaging attacks. It has been shown that the repackaging technique is highly effective, mainly because it is often difficult for end-users to tell the difference between a legitimate application and its malicious repackaged form. In fact, repackaging was the most prevalent type of social engineering attack used by Android malware developers.
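The two developer-side checks above (request as few cost-incurring built-in permissions as possible; protect app-defined permissions at the "signature" level) can be made mechanical. The following is an added example, not code from the report, that audits a constructed AndroidManifest.xml for both; the risk table is a constructed reviewer's list, not Android's own classification.

```python
"""
Added example (not from the report): a small static check of an Android
manifest for the permission issues discussed above: requests for cost-incurring
or privacy-sensitive built-in permissions, and app-defined permissions that are
not protected at the "signature" level. The manifest and the risk table are
constructed for the demo.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

# ElementTree exposes namespaced attributes as "{uri}name".
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed table of built-in permissions a reviewer would question unless
# essential: each can cost the user money or expose personal data.
HIGH_RISK = {
    "android.permission.SEND_SMS": "can send premium-rate SMS",
    "android.permission.CALL_PHONE": "can dial numbers without the dialer UI",
    "android.permission.READ_CONTACTS": "exposes the address book",
}

# Constructed manifest of a note-taking app that asks for more than it needs
# and defines one custom permission at the wrong protection level.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <permission android:name="com.example.notes.permission.SYNC"
                android:protectionLevel="normal"/>
    <permission android:name="com.example.notes.permission.ADMIN"
                android:protectionLevel="signature"/>
</manifest>
"""


def audit_manifest(xml_text: str) -> List[Tuple[str, str]]:
    """Return (permission name, finding) pairs for every issue found."""
    root = ET.fromstring(xml_text)
    findings: List[Tuple[str, str]] = []

    # Check 1: built-in permissions the app requests that need justification.
    for node in root.findall("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name in HIGH_RISK:
            findings.append((name, "requests high-risk built-in permission: " + HIGH_RISK[name]))

    # Check 2: permissions the app defines itself. A missing protectionLevel
    # defaults to "normal", i.e. any application that asks for it gets it.
    for node in root.findall("permission"):
        name = node.get(ANDROID_NS + "name", "")
        level = node.get(ANDROID_NS + "protectionLevel", "normal")
        if level != "signature":
            findings.append((name, f"app-defined permission at level '{level}'; "
                                   "any app can obtain it, use 'signature'"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"{name}: {finding}")
```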

Defense techniques:

People have long favored functionality over security and are unwilling to pay the price and inconvenience incurred by security schemes. Functionality demands extensibility, and extensibility invites malicious extensions. Given the current trend, unless legislation can effectively mandate limited extensibility for smartphones, we do not see any hope of reducing the power and functions of a smartphone. Nevertheless, there are some strategies that we would like to point out for hardening smartphones, which we discuss as follows:

Attack surface reduction: One simple defense is to reduce the attack surface as much as possible. Although a smartphone is always on, most of its features need not be active. For example, when users make an outgoing phone call or compose an SMS message, the PC part of the smartphone can be turned off (unless instructed otherwise, say, when a user is downloading a movie).

OS hardening: Smartphone OSes can enforce some security features, such as always displaying the callee's number and lighting up the LCD display when dialing. This can be achieved by exporting only security-enhanced APIs to applications. With hardened OSes, unless attackers can subvert the smartphone OS without being noticed, attacking actions from malicious user-level code can be more easily detected by the smartphone user.

Hardware hardening: We believe one advantage we can leverage for smartphone hardening is that a smartphone already has an embedded smart card, the SIM card. The SIM card has evolved to incorporate the SIM Toolkit (STK), an API for securely loading applications onto the SIM. STK allows the mobile operator to create or provision services by loading them into the SIM card without changing anything in the GSM handset. One interesting approach therefore is to combine the STK card and TCG's Trusted Platform Module (TPM) for smartphone hardware hardening. This way, no additional security chips will be needed.

Internet Side Protection: The malware defense mechanisms that have been deployed or proposed for the Internet can be readily applied to smartphones. For example, a more rigorous process for software patching or vulnerability-driven network traffic shielding will certainly strengthen the defense of smartphones against known vulnerabilities, though not unknown ones. It would be desirable for smartphone Internet Service Providers to ensure that devices that access them are properly patched or shielded; unpatched or unshielded ones should not be exposed to the wild Internet. Currently, the majority of smartphones access the Internet through telecom data networks such as GPRS or CDMA 1X. In this scenario, base stations can first check whether smartphones have been properly patched or shielded, and force them to patch or shield if not. Alternatively, base stations could even perform shielding on behalf of the smartphones. This kind of strategy, however, faces challenges when smartphones use 802.11 access points for Internet connectivity: many 802.11 access points have already been deployed, and it would be very difficult, if possible at all, to upgrade all the access points to enforce patching or shielding. Further, such quarantining makes seamless handoff between access networks very challenging. This is an open research question.

Cooperation between the Internet and Telecom Networks: Effective coordination between the Internet and telecom networks would be desirable. In this section, we discuss the opportunities and difficulties in coordinating the Internet and telecom networks for defending against smartphone attacks. Known vulnerability and attack information can be exchanged between the Internet and telecom networks. If specific attack target information, such as which call center will be attacked, becomes known from the Internet side, it can help the call center prepare for the attack and put its rate limiting and call filtering mechanisms in place. With the blacklist of smartphone zombies from a telecom carrier, Internet access points (APs) could potentially reject those zombies from getting on the Internet. This means that SIM ID-based authentication needs to be in place for the APs. If GPRS is used for Internet access, this authentication is trivial. However, for 802.11-like APs this is very challenging, in that these APs are not just for smartphones but are general-purpose for all wireless Internet endpoints; state-of-the-art APs cannot recognize which devices are smartphones and which are not, since a smartphone can always claim not to be one. We identify the following approaches to addressing this issue:

1. Since it is hard to differentiate between smartphones and other endpoints, we could assign unique IDs to all Internet wireless endpoints, and then create a mapping between SIM IDs and Internet wireless IDs. This solution faces significant backward compatibility issues with existing devices and 802.11 infrastructure.

2. We could design smartphone OSes to submit SIM IDs to APs for authentication when accessing the Internet, as part of OS hardening. This solution raises the bar for attackers significantly. To make the OS tamper-proof, we could further harden the smartphone hardware for OS authentication.

6. Conclusion

Smart devices are increasingly being equipped with sophisticated hardware and software systems, which make them the highest sellers in the market. This increasing popularity makes them a perfect target for malware attackers. Therefore there is constant growth in the security risks facing smart devices. In our study, we explored the security models of the current smart device platforms and found that, among the various platforms, Android is the favorite one for malware attacks. To protect a device, one first needs to analyze and detect the malware before taking further action. We have highlighted various analysis and detection techniques such as static analysis, dynamic (behavioral) analysis and cloud-based systems, to name a few. The detection systems analyzed cover both signature-based and anomaly-based systems. Using any one technique alone will not guarantee an increase in the detection rate. To counter the trade-off between analysis speed and detecting obfuscated malware, researchers have adopted a technique incorporating a combination of static and dynamic features for detecting and classifying malware. We have also mentioned potential security solutions for smart devices which identify the type of malware and in some situations prevent the malware from running its own code on the device.

7. Future work

Natural hand gestures associated with three primary smartphone services (calling, snapping and tapping) can be detected, and can withstand attacks, using the motion, position and ambient sensors available on most smartphones together with machine learning classifiers. If a human user attempts to access a service, the gesture will be present and access will be allowed. In contrast, if a malware program makes an access request, the gesture will be missing and access will be blocked. Example: suppose a malicious program tries to send an SMS; the operating system will not service its request because the tap gesture required for sending an SMS is missing, so the OS can distinguish between malicious and legitimate requests.
