An Approach to Network Traffic Based Android Malware Detection

Nowadays, demand for smartphone apps is at its peak. Every day millions of apps are uploaded, and many of them are vulnerable and can compromise important phone data. Many techniques have evolved that help the user detect such malware and stay protected, but none of the existing malware detection techniques focuses mainly on detecting malware by its network traffic behavior. In the following proposed work


Introduction
There has been tremendous growth in the number of smartphone users in recent years. Most users use their smartphones for online banking, messaging, Google Maps, internet surfing, etc. More than 75% of the total market share is held by the Android operating system. The number of malicious applications targeting Android has also exploded in recent years, and attackers use new techniques to compromise the data on your smartphone.
So the security of your device is a very important question. We have different techniques to detect the different malwares. These techniques and their limitations are as follows.
Signature-based detection works by scanning the contents of files and cross-referencing them with the "code signatures" belonging to known viruses. Clearly there will always be new and emerging viruses with their own unique code signatures, so the anti-virus vendor works constantly to assess and assimilate new signature data as it becomes available, often in real time, so that updates can be pushed out to users immediately and zero-day vulnerabilities can be avoided. [9]
A behavior-based malware detection system is composed of several applications which together provide the resources and mechanisms needed to detect malware on the Android platform. Each program has its own specific functionality and purpose in the system, and the combination of all of them forms the behavior-based malware detection system. [9]
In the application-permission-based malware detection approach, applications run in a sandbox environment but need permissions to access certain data. At installation time, the Android platform asks the user to grant or deny permissions for the application based on the activities the application can perform. [9]
In cloud-based malware detection, Google Play applications are scanned for malware. Google uses a service named Bouncer to automatically scan applications on the Google Play Store. As soon as an application is uploaded, Bouncer checks it and compares it to other known malware, Trojans, and spyware. Every application is run in a simulated environment to see whether it would behave maliciously on an actual device, and its behavior is compared to the behavior of previous malicious apps to look for red flags. [9]
Most applications communicate with their own remote server. When an attacker uses an application to compromise victim data, it gathers the data from the victim's device and leaks it to the remote server. Spyware is the kind of malware that particularly does this. [1] Of the techniques present today to detect smartphone malware, none has particularly focused on detection based on network traffic. By analyzing the network traffic of a smartphone we can verify whether it is vulnerable or not.

Background Theory:-
Related Works:-
Anubis is a service for analyzing malware files. You submit a Windows executable or an Android APK file and, after analysis, receive a report describing what the file does. URLs can be submitted too, and an analysis report is provided for them as well.
VirusTotal is also a service for analyzing malware files; it works the same way as Anubis. DroidBox is a dynamic malware analysis tool. A paper by "Mehedeezaman" and "Tazriansiddiqui" demonstrates a detection method based on network traffic. It logs the URLs of all the remote locations contacted by an application over a specific period of time.
They keep a database of known malicious domains, and any application that contacts one of those domains can be flagged as malware. In this case the malicious domain list has to be updated on a regular basis, and a malicious server that is not yet in the list will be missed. [1] In another paper, by "Anshul Arora" and "Shree Garg", normal mobile traffic and malicious traffic are differentiated on the basis of some packet parameters and features. They build a table of traffic features and packet parameters such as size, incoming-to-outgoing flow ratio, and duration of sent and received packets. They do not describe the process of dumping a network packet; they only show that if an application is sending data to a malicious server, its flow ratio and packet size will differ from normal traffic. [2]
Proposed work:-
In this proposed system for analyzing network traffic, we take the network dump and find out which device generated that traffic. On the basis of some parameter features, we find the malicious application that is leaking important files, contacts and other important data from the device.
To get the network traffic of any smartphone, we use the logcat command. The Android logging system provides a mechanism for collecting and viewing system debug output. Logs from various applications and parts of the system are collected in a series of circular buffers, which can then be viewed and filtered by the logcat command. You can run logcat as an adb command or directly in a shell prompt of your emulator or connected device. To view log output using adb, navigate to your SDK platform-tools/ directory and execute:
adb logcat
You can save all the results to a text file with the following command (the -b option names the log buffer to read, for example main; omit it to read the default buffers):
adb logcat -b <buffer> > file1.txt
In Android Studio, once you run DDMS (Dalvik Debug Monitor Server) to debug your applications, all logcat results are shown at the bottom of the window.
From file1.txt you can get the applications and the sites they are communicating with. If an application is communicating with a malicious site, that is shown there as well. In this way you can differentiate genuine and malicious applications.
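As an added example (not part of the original paper), the following Python script shows the domain-matching step of this approach on a constructed logcat capture: it parses lines in logcat's default brief format, maps each PID to a package (the PID-to-package table would come from `adb shell ps` on a real device and is assumed here), extracts the hosts each application contacts, and flags those that match a known-malicious domain list.

```python
import re

# Constructed sample of `adb logcat` output in the default "brief" format
# (I/Tag( PID): message). These lines are made up for this example.
SAMPLE_LOGCAT = """\
I/OkHttp  ( 4321): --> GET https://api.weather.example/v1/forecast
D/NetworkSecurity( 4321): Verified host api.weather.example
I/Volley  ( 5678): Queued request http://cdn.malicious-ads.example/track?id=7
W/Uploader( 5678): POST http://c2.malicious-ads.example/upload contacts.db
I/System.out( 9012): opening http://127.0.0.1:8080/local
"""

# PID -> package mapping as `adb shell ps` would show it at capture time
# (assumed values, constructed for this example).
PID_TO_PACKAGE = {4321: "com.example.weather",
                  5678: "com.example.freegame",
                  9012: "com.example.notes"}

# Known-malicious domain list (constructed). As the related work notes,
# such a list only catches servers already in it and must be refreshed.
MALICIOUS_DOMAINS = {"malicious-ads.example"}

LINE_RE = re.compile(r"^[VDIWEF]/(?P<tag>[^(]+)\(\s*(?P<pid>\d+)\):\s*(?P<msg>.*)$")
URL_RE = re.compile(r"https?://(?P<host>[A-Za-z0-9.-]+)")

def parse_contacts(logcat_text, pid_map=PID_TO_PACKAGE):
    """Return {package: set(hosts)} for every URL found in the logcat text."""
    contacts = {}
    for line in logcat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a log line in the expected brief format
        pkg = pid_map.get(int(m.group("pid")), "pid:" + m.group("pid"))
        for u in URL_RE.finditer(m.group("msg")):
            contacts.setdefault(pkg, set()).add(u.group("host").lower())
    return contacts

def is_malicious_host(host, bad_domains=MALICIOUS_DOMAINS):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in bad_domains)

def flag_packages(contacts, bad_domains=MALICIOUS_DOMAINS):
    """Return {package: sorted malicious hosts} for packages that hit the list."""
    flagged = {}
    for pkg, hosts in contacts.items():
        bad = sorted(h for h in hosts if is_malicious_host(h, bad_domains))
        if bad:
            flagged[pkg] = bad
    return flagged

if __name__ == "__main__":
    for pkg, bad in flag_packages(parse_contacts(SAMPLE_LOGCAT)).items():
        print("FLAG " + pkg + ": " + ", ".join(bad))
```

On a real capture, feed the contents of file1.txt to parse_contacts and supply the PID table taken from the device at the same time, since PIDs are reused after an app restarts.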

Conclusion:-
In this paper, we describe the various techniques to detect malware inside a smartphone. We give an idea for implementing a detection technique on the basis of network traffic analysis of a smartphone. We use logcat and DDMS (Dalvik Debug Monitor Server) to view the results and then find out whether any application is communicating with a malicious server.