detection on PC and mobile devices
To understand the current security
problems affecting PCs and smartphones, we review threats, vulnerabilities and
attacks specific to smartphones and examine the existing security solutions that
protect them. In particular, we survey the literature over the period 1987-2017,
focusing on PC-based (Windows) and mobile-based (Android) malware.
Current mobile devices (smartphones)
provide many of the capabilities of traditional PCs and, in addition, offer a
large selection of connectivity options, such as IEEE 802.11, Bluetooth, GSM,
GPRS, UMTS, and HSPA. This wealth of appealing features has led to the
widespread diffusion of smartphones, which are now an ideal target for attackers.
Early smartphones shipped with a small set of standardized operating systems
(OSs): this low heterogeneity allowed attackers to exploit a single
vulnerability against a large number of different device models, causing
major security outbreaks. Smartphone operating systems have included
Symbian OS, Windows Mobile, Android and iPhone OS.
Even though millions of smartphones are
sold worldwide, the number of mobile malware samples is still small
compared to that of PC malware. Smartphone malware is evolving along the same
trend as malware for PCs. As more users download and install third-party
applications on their smartphones, the chance of installing malicious programs
increases as well. Mobile malware can spread through several distinct
vectors, such as an SMS containing a link to a site from which the user downloads
the malicious code, an MMS with an infected attachment, or an infected program
received via Bluetooth. The main goals of malware targeting smartphones
include theft of personal data stored on the phone and theft of the user's credit. Many
fake mobile applications trick shoppers into entering credit card
information, disclosing Facebook and Gmail logins, or downloading malware that
can steal data or lock the device and hold it for ransom.
The term evasion technique groups all the
methods used by malware to avoid detection, analysis, and understanding.
Evasion techniques can be classified into three broad categories, namely,
anti-security techniques, anti-sandbox techniques and anti-analyst techniques.
Anti-security techniques are used to avoid
detection by antimalware engines, firewalls, application containment, or other
tools that protect the environment.
Anti-sandbox techniques are used to detect
automatic analysis and to avoid engines that report on the behavior of malware.
Detecting registry keys, files, or processes related to virtual environments
lets malware know whether it is running in a sandbox; the check is only as good
as the artifact list it carries, so a sandbox whose tell-tale artifacts have been
removed or renamed passes it.
Anti-analyst techniques are used to detect and
fool malware analysts, for example by spotting monitoring tools such as
Process Explorer or Wireshark in the process list, or by using process-monitoring
tricks, packers, or obfuscation to hinder reverse engineering.
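The anti-sandbox and anti-analyst checks described above reduce to one fingerprinting routine: compare what the host exposes against a list of known artifacts. The following is an added example, not code from the surveyed paper; it runs that comparison over a host snapshot and, read from the defender's side, doubles as a self-check a sandbox maintainer can run against an analysis image to see which artifacts leak. The artifact lists contain well-known VMware, VirtualBox and analysis-tool names; the `Snapshot` structure, the `fingerprint` and `leaked_indicators` functions, and the two sample snapshots are this example's own constructions. A real sample would collect the snapshot with the Windows registry and process APIs; here it is a plain in-memory structure so the logic runs on any OS.

```python
"""Environment fingerprinting as malware does it, turned into a sandbox self-check.

Added example (not from the paper). Scores a host snapshot of registry keys,
files and running processes against well-known artifacts of VMware, VirtualBox
and common analysis tools. The snapshot is a plain dataclass filled by hand so
the check runs offline; on a real Windows host it would be populated via
winreg, os.path.exists and the process list.
"""
from dataclasses import dataclass, field

# Well-known indicators. Registry paths are relative to HKLM. Matching is
# case-insensitive because Windows registry, file and process names are.
VM_REGISTRY_KEYS = {
    r"SOFTWARE\VMware, Inc.\VMware Tools": "vmware",
    r"HARDWARE\ACPI\DSDT\VBOX__": "virtualbox",
    r"SYSTEM\ControlSet001\Services\VBoxGuest": "virtualbox",
}
VM_FILES = {
    r"C:\Windows\System32\drivers\vmmouse.sys": "vmware",
    r"C:\Windows\System32\drivers\vmhgfs.sys": "vmware",
    r"C:\Windows\System32\drivers\VBoxMouse.sys": "virtualbox",
    r"C:\Windows\System32\drivers\VBoxGuest.sys": "virtualbox",
}
VM_PROCESSES = {
    "vmtoolsd.exe": "vmware",
    "vboxservice.exe": "virtualbox",
    "vboxtray.exe": "virtualbox",
}
ANALYST_PROCESSES = {
    "procexp.exe": "Process Explorer",
    "procexp64.exe": "Process Explorer",
    "procmon.exe": "Process Monitor",
    "wireshark.exe": "Wireshark",
    "x64dbg.exe": "x64dbg",
    "ollydbg.exe": "OllyDbg",
}


@dataclass
class Snapshot:
    """What the sample (or the maintainer's script) observed on the host."""
    registry_keys: set = field(default_factory=set)
    files: set = field(default_factory=set)
    processes: set = field(default_factory=set)


@dataclass
class Verdict:
    sandbox_hits: list   # (kind, indicator, product) for VM artifacts
    analyst_hits: list   # (kind, indicator, tool) for analysis tools

    @property
    def in_sandbox(self) -> bool:
        return bool(self.sandbox_hits)

    @property
    def analyst_present(self) -> bool:
        return bool(self.analyst_hits)


def _match(observed, indicators, kind):
    """Return the indicators that appear in the observed set, ignoring case."""
    lowered = {o.lower() for o in observed}
    return [(kind, path, label) for path, label in indicators.items()
            if path.lower() in lowered]


def fingerprint(snap: Snapshot) -> Verdict:
    """The malware's decision: bail out if any sandbox or analyst artifact is found."""
    sandbox = (_match(snap.registry_keys, VM_REGISTRY_KEYS, "registry")
               + _match(snap.files, VM_FILES, "file")
               + _match(snap.processes, VM_PROCESSES, "process"))
    analyst = _match(snap.processes, ANALYST_PROCESSES, "process")
    return Verdict(sandbox, analyst)


def leaked_indicators(snap: Snapshot) -> list:
    """The maintainer's view: every artifact that must be removed or renamed."""
    v = fingerprint(snap)
    return sorted(path for _, path, _ in v.sandbox_hits + v.analyst_hits)


# Constructed snapshot of an unhardened VirtualBox analysis VM with Wireshark open.
NAIVE_SANDBOX = Snapshot(
    registry_keys={r"HARDWARE\ACPI\DSDT\VBOX__",
                   r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    files={r"C:\Windows\System32\drivers\VBoxGuest.sys",
           r"C:\Windows\System32\ntoskrnl.exe"},
    processes={"explorer.exe", "VBoxService.exe", "Wireshark.exe"},
)
# Constructed snapshot of a bare-metal or hardened host: nothing to find.
CLEAN_HOST = Snapshot(
    registry_keys={r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    files={r"C:\Windows\System32\ntoskrnl.exe"},
    processes={"explorer.exe", "svchost.exe"},
)

if __name__ == "__main__":
    for name, snap in (("naive sandbox", NAIVE_SANDBOX), ("clean host", CLEAN_HOST)):
        v = fingerprint(snap)
        print(f"{name}: sandbox={v.in_sandbox} analyst={v.analyst_present} "
              f"leaks={leaked_indicators(snap)}")
```

Because the check is a fixed artifact list, a sandbox that renames its guest-additions services and drivers, or that intercepts the registry and process queries and returns clean answers, defeats it; that is the reason hardened sandboxes exist and the reason more advanced samples move on to timing and hardware-feature checks instead.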
Some advanced malware samples employ two
or three of these techniques together. For example, malware can use RunPE
(process hollowing: it starts a benign process in a suspended state, replaces
that process's in-memory image with its own payload, and resumes it, so the
malicious code runs under a legitimate process name) to evade antimalware
software, a sandbox, and an analyst at the same time. Some malware checks for a
specific registry key related to a virtual environment, which lets it evade
both an automatic sandbox and an analyst who runs the suspected binary
dynamically in a virtual machine. It is important for security researchers to
understand these evasion techniques to ensure that security technologies
remain viable.