Droidbox
Taintdroid
Aurasium
Dynodroid, Game Based Malware
Monkey
Battery consumption
Data Usage
Crowdroid
Bouncer
The connections between components of a program can be used as features in application verification.
Graph Centrality
Malicious applications have significantly more services and receivers than benign ones.
The permissions requested by an application often indicate how dangerous it is. Several tools look for unusual permission request as one of many ways to characterize malware. For example a flashlight application should not need access to SMS functionality. Malicious applications tend to have more permissions than benign ones.
User-Centric Analysis
The linked paper describes DROIDMoss which uses a rolling hash to detect repackaged applications.
DroidMoss
DroidRanger uses imported packages as one means of detecting malware.
Features such as price, author, description, number of downloads, etc. can help identify malware.
Apps that load native code in an unusual way are likely to be malicious.
DroidMat
Androguard
Hard to separate malicious code from benign
Malware Provenance and Phylogeny
Poor Application Verification, Weak Default App Scanner, Limitted AV Products, Anti-malware against Transformation Attacks, Partial Solutions, Acquiring VirusTotal, Private App Channels
obfuscation
dynamic code loading
limitted availability of tools
Proposes a P.O.C. method for device to device infection of iPhones. The method is based on evil twin networks.
Proposed a method for using a mobile botnet to attack network infrastructure. Very thorough in suggesting attacks that require less resources and maximize damage done.
Proposed a very effective design for a mobile botnet.
A network of participating/infected mobile devices can track other mobile devices that are near them, but not participating/infected.
83% of users don't pay attention to permissions. 42% do not know what permissions are.
Modifying an application ads so that ad revenue is sent to the hacker instead of the original developer.
Apktool
Dex2Jar
Dexdump
Link is to a video game demonstration. Players are able to hack mobile devices and see relevant, private information about the people they hack. In order to find the relevant information there would need to be an AI that determines what is most interesting.
password cracking, smudge detection, brute force, bypass
access data on RAM, FROST
survey of attacks
The linked paper describes why rooting is possible and what it allows malware to do.
The link contains intuitive figures describing sms fraud.
Simply put, the way FakeInst is distributed enables promoters to slightly modify or customize their app for distribution, resulting in a completely unique instance of malware, while the executable code remains identical. Though simple, this technique yields a massive growth in the number of unique identifiable samples in the wild that vastly outstrips the growth of new malware families.
Defeats Signature Based Detection
Malware Phylogeny Could Fight This
Applications can produce fake notifications that lead to phishing sites. For example a notification that is ostensibly from Facebook requires a log in when you tap it. The log in credentials are sent to the hacker.
Remote Revocation
Discusses trends in malware and several examples in detail. Pointed out repackaging as a common trend. Discussed evasion techniques and attacks performed by malware.
One can attack the cellular baseband stack of smartphones instead of the application processor.
Upload an apk and get back a report based on static and dynamic analysis. Uses a combination of several publicly available tools.
Uses static and dynamic analysis to look for malware on entire markets.
The permissions requested by an application often indicate how dangerous it is. Several tools look for unusual permission request as one of many ways to characterize malware. For example a flashlight application should not need access to SMS functionality. Malicious applications tend to have more permissions than benign ones.