Compromises the device and steals personal information such as IMEI number, user’s personal information, etc.

User’s phone bill is increased by making calls and sending SMS to some premium numbers

The malware will gain system root privileges and takes control of the system and modifies the information.

Artificially search for a term and simulates clicks on targeted websites in order to increase the revenue of a search engine or increase the traffic on a website.

An installed benign application downloads a malicious code and deploys it in the mobile devices.

A vulnerability in the devices that facilitates the information leak between the processes that are not supposed to share the information.

A network of compromised mobile devices with a BotMaster which is controlled by Command and Control servers (C&C). Carry out Spam delivery, DDDos attacks on the host devices.

From this point on, the structure of the paper is as follows. Section is a general overview of current security deployed by play-store. Classification of various methods used in detecting malwares in Android systems is presented in Section . The paper concludes in Section

In static analysis, the features are extracted from the application file without executing the application. This methodology is resource and time efficient as the application is not executed. But at the same time, this analysis suffers from code obfuscation techniques the Malware authors employ to evade from static detection techniques. One of very popular evasion technique is the Update Attack: a benign application is installed on the mobile device and when the application gets an update, the malicious content is downloaded and installed as part of the update. This cannot be detected by static analysis techniques which will scan only the benign application.

The most commonly used static features are the Permission and API calls. Since these are extracted from the application AndroidManifest.xml and influence the malware detection rate to a high extent, extensive research has been made with these as features as well as combined with other features extracted from meta-data available in Google PlayStore such as version name, version no., author’s name, last updated time, etc.,

(Sahs and Khan(2012)) used permissions and Control Flow Graphs(CFG) as features and used One-class Support Vector Machine(SVM). The most of training data are benign applications and the classifier will classify a sample as malicious only if it is sufficiently different from the benign cl ass. (Shabtai et al.(2010 )Shabtai, Fledel, and Elovici) used permission, framework methods and framework classes for their classification system.

(Sanz et al.(2012)Sanz, Santos, Laorden, Ugarte-Pedrero, and Bringas) extracted the strings in the application, permissions, user rating, number of ratings, size of the application and used Bayesian Networks, J48 Decision Tree and Random Forest, SVM with SMO kernel. A total of 820 samples were used to test and the authors concluded that they could achieve a very high accuracy with less false positive rate.

(Ghorba nzadeh et al.(2013 )Ghorbanzadeh, Chen, Ma, Clancy, and McGwier) used Neural Networks to detect an application’s category from permissions by means of multi layered feed forward networks. A feed forward Neural Network is built with two layers each containing 10 neurons. The hidden layer contains sigmoid transfer function and the output linear transfer functions was deployed. The suthoud assumed that the permissions declared in the manifest file may be manipulated by the malware authors and they may misrepresent the categories declared in the manifest. So to simulate this property, the authors permuted permissions of 50% of the test data and fed into the network.

(Yeri ma et al.(2013 )Yerima, Sezer, McWilliams, and Muttik) used 2000 applications with 1000 malicious and 1000 benign applications. They extracted features like Permissions, API calls, Native Linux System commands and various features from manifest and class files. The malware authors embed native linux commads such as chnown, mount, remount, etc., and run them in the Android system when the application is launched. Mutual information (entropy) is used to rank the features and then a Bayesian Classifier is used for classification.

(Sa mra et al.(2013 )Samra, Yim, and Ghanem) extracted features from AndroidManifest.xml such as count of xml elements, application specific information such as name, category, description, rating, package info, description, rating values, rating counts and price. The information from 18174 android application with 4612 business category and 13535 tools were extracted by using web crawlers. They were clustered using K-Means clustering.

(Peiravian and Zhu(2013)) utilized permission, API calls and the combination of both as features. The two types of permissions in Android, requested permission and required permission are used to express an application as a binary vector where Pi = 1 iff the Manifest.xml has the ith permission. Same as permission, API calls are also expressed as a binary vector with AP Ii = 1 iff there is the API call made in the application. These two features are concatenated and the third feature is formed. A total of 2510 samples including 1260 are malicious and 1250 benign are used. The authors concluded that Bagging, an ensemble classification method has the best performance in classifying all created datasets.

(Liu(2013)) investigated three specific types of malware: SMS-related, control-related and spy-related. An application’s permission and ¡uses-feature¿ xml tag which requests the necessary hardware devices needed to run the application, is extracted and used as features. Information Gain is used to select important features and SVM with the basic classifier is used to detect the malicious application. The authors could detect Spy-related applications with an accuracy of 81%, SMS-related with malicious applications with an accuracy of 97% and Control-related malicious applications with an 100% accuracy and could detect benign applications with an accuracy of 88%.

(Glodek a nd Harang(2013 )) constructed five Random Forests with 5-fold cross validation and compared their performance in detecting malicious applications. They have used 500 malicious and 500 benign from North Carolina State University’s malware project. Permission, broadcast receivers and native code embedded in the application are used as features and they concluded that their method outperforms a lot of commercial anti virus detection tools.

(Jero me et al.(2014 )Jerome, Allix, State, and Engel) extracted the opcodes from class.dex file and translated into opcode sequences, binary sequences of k-grams that characterize the least functionalities required by a program. They trained their model with Gnome Project dataset and randomly picked 1246 applications from the Google Play Store. The test dataset consists of 25,476 malware samples, 15670 benign applications from VirusTotal. Information Gain was used to select important features among the available ones. The author used a linear implementation of SVM to classify application samples. The results were compared with the detection rate of 25 anti virus tools. The study release an interesting signature patterns of Malware, Goodware, False Positives and False Negatives of their classifier. The false negatives were found out to be adwares and they were also considered a threat by the tool.

( Pehlivan et al.(2014 )Pehlivan, Baltaci, Acarturk, and Baykal) used 3748 application packages, developed C# scripts to automatically extract about 182 attributes that include Permissions, version no and version name of the applications. The study compared feature selection methods such as Gain Ratio Attribute Evaluator, Relief Attribute Evaluator, Control Flow Subset Evaluator, and Consistency Subset Evaluator and machine learning algorithms Bayesian classification, Classification and Regression Tree (CART), J48 DT, RF, SMO. Using the feature selection methods, they came up with 97 features that could represent the whole dataset. Finally the authors conclude that, with just 25 features, the Control Flow Subset Evaluator selection gave a good performance and Random forest and J48 performed better than Bayesian classifier.

(Chan an d Song(2014 )) analyzed 796 benign and 175 malicious applications for their study. Permissions used from the manifest.xml file and API call info from the classes.dex file are extracted and with Information Gain they selected a set of 19 relevant API calls. They compared the results obtained by machine learning algorithms such as Naive Bayes, SVM with SMO algorithm, RBF Network, Multi Layer Perceptron, Liblinear, J48 decision tree and Random Forests.The authors concluded that the were able to get 90% of the accuracy by using the API calls and permission combined than using the individual features alone.

(Liu an d Liu(2014 )) combined the two types of permissions, required permission and requested permission and designed a two layer approach with these features and employed machine learning algorithms to detect the malicious applications. A total of 28,548 benign applications and 1,536 malicious applications and permission pairs i.e., combination of any two requested permission are analyzed. The two layered approach helped to balance the detection accuracy and detection speed of the classifier. In Phase 1, requested permissions and the J48 Decision Tree algorithm is used in detection and in Phase 2, requested permission pairs and the J48 Decision Tree is used for detection. If there is any contradiction in the results obtained from both the phases, used permission pairs and J48 is used to classify again. The authors achieved a good result with this approach and recommended using the permission in component level than the application level for better detection of malicious activities.

(I deses and Neuberger(2014 )) used permission, broadcast receivers and activities, byte code fragments, system-calls as features and trained SVM with the training dataset. The researchers tested their proposed Malware detection system with a security tester for benchmarking where their system was tested with 7,000 samples. They conclude that their system could achieve about 99.3% positive rate with just 0.14% false alarm rate.

(Yerima et al.(2014a)Yerima, Sezer, and McWilliams) presented and analyzed three Bayesian classification approaches for detecting Android malwares. Permissions and code based properties such as API calls, both Java system based and Android system based, Linux and Android system commands are also extracted from the sample applications. A list of top 20 permissions and top 25 API calls used by benign and malicious applications are presented.

(Fazeen and Dantu(2014)) used combines Intentions of the applications esp., Task Intentions with permission as feature in developing their model. At first the requested permissions are extracted and a histogram is constructed for that task-intention category. Normalizing this results in an I shaped PMF. This shape is used to compare and detect the unknown applications as benign or malicious based on their Task Intentions. The system works as follows: • Phase I trains and uses machine learning algorithms to find the task intentions of the sample applications. • Phase II uses the knowledge from Phase I to find the task intention of an unknown application and classify as benign or malicious. The I shape is compared with the requested permission by using a using a matching ratio, that is generated by a machine learning algorithm. If the ratio is in a threshold, then the application is potentially safe. The authors used Naive Bayes, Multi Layered Perceptron and Random Forests and compared their performances. (Xiaoyan et al.(2014 )Xiaoyan, Juan, and Xiujuan) extracted permissions from the manifest and represented as a binary vector. Then Principle Component Analysis (PCA) is performed to select the best features. A linear SVM is trained to classify the app samples. The author compares the result with other classifiers such as J48 Decision Tree, Naive Bayes, BayesNet, CART, RandomForest and concludes that SVM gives a better performance.

(Yerima et al.(2014b)Yerima, Sezer, and Muttik) came up with a parallel implementation of their system to detect malicious android applications. They used application related feature such as permissions, Standard OS and android framework commands. They developed parallel implementation of Logistic function based classifier, Naive Bayes - probabilistic method and PART, RIDOR which are rule based classifier. with the features extracted, the classification is performed with the individual algorithms and then parallel implementation is carried out. The maximum probability scheme fetched an accuracy of 97.5%.

(I drees and Rajarajan(2014 )) combines permissions and Intents and used 292 applications for training and 340 for testing their model. The study describes some usage statistics of benign and malicious applications with regards to intents and permissions and developed Naive Bayes, Kstar, Prism to detect the maliciuos applications from benign applications.

(Munoz et al.(2015)Munoz, Martin, Guzman, and Hernandez) The authors collected the information from Google Play meta-data such as intrinsic application features, Application category, Developer related feature, certificate related feature, social related feature. They concluded that certificate and developer information, intrinsic application feature are the most promising feature to determine a malware with just meta data.

( Westyarian et al.(2015 )Westyarian, Rosmansyah, and Dabarsyah) used 205 benign and 207 malicious application files and extracted API calls that are only related to the permission declared in ¡used-permission¿ label in manifest.xml file. The study concluded that 97% of the malware requests telephonyManager and connectivityManager are the most important features. Random forest classification obtains 92.4% with cross validation as feature selection algorithm and SVM obtain 91.4% with percentage split as feature selection algorithm.

(Chuang and Wang(2015)) collected API calls from benign application separately and API calls from malicious applications separately and used these as features for classifying an unknown sample. The APIs in the unknown are ranked according to their difference in the number of occurrences in benign and number of occurrences in malicious applications. Then they deploy single a model approach where they will combine the two feature sets into a single vector. In Malicious model approach only the hypothesis from Malicious tended APIs is used for classification. The Hybrid approach combines two separately trained SVM models. These results are then compared to predict whether the unknown sample is malicious. The Hybrid model behaved much better than the Malicious model but the single model obtained from combined features outperformed the Malicious model.

Table 1 shows the top frequent used features in static analysis. Table 2 summarizes the top features that are combined with other features to produce better detection rate. By observing the table 1 and table 2, it can be clearly seen that Permission and API calls, the two features extracted from Manifest file and .dex file produces higher detection rate and inorder to make them more fail safe these can be combined with other features such as mate-data collected from Google Play Store or the features extracted from the XML elements. (Wei et al.(2012)Wei, Mao, Jeng, Lee, Wang, and Wu) used Droidbox, a tool to monitor the application real time, to dynamically analyze the behavior of android applications. IP address of the source is extracted from the network traffic after then application is run in a sandbox environment. The research concentrated only on the network characteristics of the malwares leveraging the fact that they will find their next target soon. The extracted IP address is used to find the spatial address using external services and to determine the uniformity of geographic distribution of the hosts because infected hosts will be distributed worldwide. After extracting the features, a M xN APP-GEO Matrix is constructed with M representing the android applications(rows) and N network features. ICA (Independent Component Analysis) to extract the latent concept or sparse from the noisy spamming data. The researchers used Weka and FastICA, the two open source libraries to evaluate their model. A total of 310 malware samples were used and they could achieve about 93% accuracy rate.

(Ha m and Choi(2013 )) used 30 normal apps and 5 malware samples (GoldDream, PJApps, DroidKungFu2, Snake and Angry Birds Rio Unlocker) in this study. The allocated resources when the app starts are monitored and the behavioral pattern is extracted. hese resource data are stored within the device and are converted into feature vectors. Each feature is subdivided to 7 categories, 1. Network, SMS, CPU, and power usage, Process ( like ID, Name , running process), memory Native, Dalvik and other and Virtual Memory.32 features are related to malware detection and applied Information Gain to select features. They used Naive Bayes, Random Forest LR, SVM with 10 fold cross validation.

The authors concluded that Naive Bayes/LRs confusion matrix are irregular in distribution with these features. SVM correctly classified normal type data almost 100% but falsely detected malicious applications as benign. Random Forests outperformed all the algorithms and correctly classifies the majority of normal and malware applications.

(Lu et al.(2013)Lu, Zulie, Jingju, and Yi) compared Bayesian method alone and Bayesian method combined with Chi Square feature selection method results are compared to evaluate the performance of the two ML algorithms. The study concluded that Bayesian method with Chi Squared yielded an accuracy of 89% while Bayesian method alone yielded 80%.

(Tenenboi m-Chekina et al.(2013 )Tenenboim-Chekina, Barad, Shabtai, Mimran, Rokach, Shapira, and Elovici) used 5 to 10 self-written Trojan malware with two versions of the malware, one benign and other malicious which is repacked version of the benign with malicious code. While the application is running, Many network based features are extracted. The self-written applications are installed in the devices and their behavior was collected and analyzed. This helps the traffic patterns distinguishable from benign and malicious. Feature measurements are performed at fixed time intervals and then aggregation functions are computed over these measurements. Cross feature analysis is used to explore the correlation between features. The deviations caused by abnormal activities from normal activities are observed. With labeled samples a threshold of deviation is obtained during the algorithm formulation. The study could successfully detect the repacked malicious applications using the network features learned.

(Ala m and Vuong(2013 )) rooted the mobile device to get the details such as, data being sent by applications, IP address being communicated, number of active communications, the system calls and used Random forest with 1330 malicious and 407 benign applications. The authors concluded that with more trees and less feature per tree in the Random Forest, they could achieve an accuracy of 99%.

( Mas’ud et al.(2014 )Mas’ud, Sahib, Abdollah, Selamat, and Yusof) monitored the system call of 30 normal applications and 30 malicious applications. The study compares 5 feature selection methods and 5 Machine Learning classifiers KNN, Decision Tree, Multi Layer Perceptron (MLP), Random Forests, Naive Bayes. The applications are run in real devices and are monitored for system calls generated by Strace, an application used to log various system activities in android systems. Then the features are selected by Information Gain and Chi-Square. A set of 5 feature sets are devised and used to compare the efficiency of 5 Machine Learning algorithms. The study concluded that the MLP achieves a highest accuracy and True Positive rate for one feature set while J48 Decision Tree achieves high performance rate for another feature set.

(Ng an d Hwang(2014 )) also used Strace to monitor the application for 60 secs. The features taken into account were Strace logged ProcessID, system calls, returned values and times between consecutive system calls. The no of times each invoked call is counted. PCA is used in selecting the important feature and then the classifier classifies the application sample malicious or benign based on anomaly score obtained by the input. The author compared their system’s performance with classifiers such as Naive Bayes, J48 Decision Tree and SVM and claims that they could achieve 98.4% detection rate.

(Ki m and Choi(2014 )) Linux based features are extracted from the Android Os and used as feature to detect malicious applications. There were 59 features obtained like, Memory, CPU, Network, etc. 6 malwares were run on the system and the system is monitored to collect the above said features. Every 10 seconds the data is collected and sent over to a server and the server does the classification. Out of 59 features, 36 are selected and the results are compared before and after applying feature selection. It has been said that the feature selection improves the accuracy and reduces the False Positive Rate of the classification.

(Kurniawan et al.(2015)Kurniawan, Rosmansyah, and Dabarsyah) used Logger, a default application which is inbuilt in Android was used to extract the sum of Internet traffic, percentage of battery used and battery temperature for every minute. These information collected as set of features and is fed into weka, a open source learning library for testing and training with Naive Bayes, J48 decision tree and Random Forest algorithms. The author concluded that Random Forest has high accuracy of 85.6% with these features and proposes other features that can be combined with existing system to improve the accuracy.

Table 3 summarizes the most frequently used features in Dynamic analysis. As seen, Network traffic which includes data packets sent, and other behavioral patterns can lead to quick detection of malicious activity. Tracing the IP address can help us to get the geographical landscape of the attack surface. Other than this, SMS, information logged by Logger and Strace is very much helpful in achieving a higher detection rate.

The hybrid methodology involves combining static and dynamic features collected from analyzing the application and extracting information while the application is running, respectively. Though it could increase the accuracy of the detection rate, it makes the system cumbersome and the analysis process time consuming.

(Sh abtai(2010 )) extracted opcodes from the executable and proposed a framework that monitors the device state at every instant such as CPU usage, number of packets sent over network, number of running process, battery level. Applications are downloaded from play store. The authors examine the applicability of Knowledge Based Temporal Abstraction (KBTA) which helps continuously monitor and measure events on a mobile system. The study was concluded with 94% detection rate with the feasibility of running such a system with just 3% power consumption. The authors also recommend the implementation of SELinux to enhance the security mechanisms of Android. Efficiency of Machine Learning algorithms such as Decision Trees, Naive Bayes, BayesNet, K-Means, Histogram and Logistic Regression are compared and evaluated.

(Xu et al.(2013)Xu, Yu, Chen, Cao, Dong, Guo, and Cao) proposes a system, MobSafe that combines the dynamic (Android Security Evaluation Framework - ASEF) and static (Static Android Analysis Framework - SAAF) analysis methods. They used 100,000 active android applications from AppChina. Static features include the information from apk files and decoded smali files were analyzed to extract the permissions, heuristic patterns, and program slicing for functions of interest NO ML: analyzing takes within 2mins and For dynamic analysis ADB logging and TCP DUMP were used. The application is launched on a Virtual Machine and subjected to human level interaction simulation. This is then compared with a CVE library and its Internet activity with Google Safe Browser API to check the URLS the app requested is malicious or not.

(Wei et al.(2013)Wei, Zhang, Ge, and Hardy) analyzed 96 benign applications and 92 malware samples to extract static features such as software profiles. Strace is used to record system calls along with the process ID while the application is running for dynamic features. These information are collected and applied over Support Vector Machones and Naive Bayes.

(Feld man et al.(2014 )Feldman, Stadther, and Wang) proposes a system, Manilyzer which uses requested permissions, High Prior receivers, Low version numbers and abused services as features and test their model with 617 applications 307 malicious 310 benign applications. Efficiency of Naive Bayes, SVM, K-Nearest Neighbours, J48 Decision Trees are compared and concluded with saying the most number of malware were labelled with 1.x application version number. And also that high priority intent filter were closely associated with SMS malware as 88% of the applications with this characteristics were malicious. Manilyzer is less effective but can be enhanced with other features associated with permissions such as API calls. Manilyzer is effectively used to detect adware spywae and SMS malware.

(Hsieh et al.(2015)Hsieh, Wu, and Kao) studies and summarizes the threat from malware on handheld devices, how malware writers evade the anti virus detection on mobile devices and the techniques that were used to deliver the malicious payload onto the mobile systems. The authors conclude the research by giving out the analysis methodologies in detecting the malwares.

(Lindorfer et al.(2015)Lindorfer, Neugschwandtner, and Platzer) proposes a system MARVIN with large-scale Android malware analysis sandbox ANDRUBIS to provide users with a risk assessment for an application. They developed an end user app into which users will submit their app and receive the score that tells the users how malicious the application is. MARVIN has 98.24% accuracy with less than 0.04% false positives. Static features such as permission, API Calls based on used-permission, reflection API, cryptographic API, dynamic loading of code are combined with dynamic features such as File operations, Network operations, Phone events, Data leaks, Dynamically loaded code, dynamically registered broadcast receivers. SVM with a linear classifier is used as a model of classification. The authors made use of labeled data set obtained from play-store, gnome project and used their system to classify samples from VirusTotal.

Table 4 summarizes the static an dynamic features combined and used as part of hybrid analysis. As seen from Table 1, Permissions is used mostly as a feature along with dynamic features like Logged information, API call traces and Network Traffics.