An Assessment of Static and Dynamic malware analysis techniques for the android platform
Date of Award
Master of Science (Computer Science)
School of Computer and Security Science
Faculty of Health, Engineering and Science
Dr Zubair Baig
Associate Professor Andrew Woodward
Associate Professor Ken Fowle
With smartphones becoming an increasingly important part of human life, the security of these devices is very much at stake. The versatility of these phones and their associated applications has fostered an increasing number of mobile malware attacks.
The purpose of the research was to answer the following research questions:
1. What are the existing methods for analysing mobile malware?
2. How can methods for analysing mobile malware be evaluated?
3. What would comprise a suitable test bed(s) for analysing mobile malware?
The research analyses and compares the various tools and methods available for compromising the Android OS and observing the malware activity before and after its installation onto an Android emulator. Among several available tools and methods, the approach made use of online scanning engines to perform pre-installation analysis of mobile malware and the AppUse (Android Pentest Platform Unified Standalone Environment) tool to perform post-installation analysis.
Both the above approaches facilitate better analysis of mobile malware before and after it is installed onto the mobile device. Because malware is the root cause of many security breaches, the developed mobile malware analysis allows future security practitioners in this field to determine whether newly developed applications are malicious and, if so, what their effect would be on the target. In addition, the AppUse tool can allow security practitioners to first establish the behaviour of post-installation malware infections on the Android emulator and then effectively eliminate malware from individual systems as well as the Google Play Store. Moreover, mobile malware analysis can help with a successful incident response, assisting with mitigating the loss of intellectual property, personal information and other critical private data. It can help limit the damage of a security breach or reduce the scope of damage of an attack.
The basic structure of the research work began with a dynamic analysis, followed by a static analysis:
a) Mobile malware samples were collected and downloaded from the Contagio website to compromise an Android emulator,
b) The mobile malware samples were uploaded onto five online scanning engines for dynamic analysis to perform pre-installation analysis, and
c) The AppUse tool was implemented and used for static analysis to perform post-installation analysis by making use of its:
   a. Android emulator, and
   b. JD-GUI and Dex2Jar tools.
The findings were that the AppUse methodology used in the research was successful but the outcome was not as anticipated. This was because the installed malicious applications on the Android emulator did not generate the derived behavioural reports; instead, they generated only manifest files in XML format. To overcome this issue, the JD-GUI and Dex2Jar tools were used to manually generate the analysis results from the Android emulator to analyse malware behaviour.
The key contribution of this research work is the proposal of a dynamic pre-installation and a static post-installation analysis of ten distinct Android malware samples. To our knowledge, no research has been conducted on post-installation analysis of mobile malware, and this is the first research that uses the AppUse tool for mobile malware analysis.
Access to this thesis - the full text is restricted to current ECU staff and students only. Email request to firstname.lastname@example.org
Al Awadi, W. (2015). An Assessment of Static and Dynamic malware analysis techniques for the android platform. Retrieved from http://ro.ecu.edu.au/theses/1635