
Suspicious Behaviors of Malware in Android


With the speed at which technology is developing these days, smartphones carry a great deal of risk because they hold private data that could be compromised if it is accessed by unauthorized parties. The main obstacle to combating attacks is the ignorance of different kinds of Android malware and how they behave, which renders the current detection system useless against newly created malware on the market. This paper analyzes and profiles relevant studies that can serve as a primary guideline for differentiating between malicious and benign applications in an effort to better understand Android malware and its general behavior. This study carefully examines user reports and surveys regarding the behavior of current Android malware. Based on this study, we have created a general behavior taxonomy for Android malware, which can improve the features chosen for detection and raise the detection accuracy of Android malware.


A smartphone is an innovation in technology because it can perform the majority, if not all, of the functions that a computer can, and has become an essential part of daily life. It can launch applications, gain access to emails, browse the internet, play games, edit photos and videos, use location-based services to access vehicle guidance systems, and much more. Wu et al. claim that smartphones are susceptible to malware attacks, just like computers. Due to the widespread use of smartphones for personal purposes, including online shopping, planning day-to-day activities on calendars, and other activities involving private data, they are inevitably the most frequently targeted by cyberattacks. Despite being one of the most susceptible platforms for mobile malware, Android continues to have a growing market share. Smartphone technology has advanced at an ever-increasing rate through 2015. According to IDC (2016), Android OS ruled the market from the second quarter of 2012 until August 2015. Google declared in May 2015 that it had attained one billion active Android OS users, and the company’s growth in the market is not expected to slow down. The main factor contributing to Android’s dominance is the wide range of hardware options available to users at reasonable prices, along with the ability to customize both the hardware and software to fit individual needs and budgets. One of the main factors influencing people’s decision to use Android OS is the sizeable application store market. According to Martinez Retenaga (2015), the Play Store remained the biggest platform of downloadable applications for Android users until 2015. Because Android adheres to a disclosure policy, the Play Store permits developers to promote their apps, and users may download apps from unauthorized markets—including the black market—at their own risk. This facilitates the installation of unauthorized software on Android devices from infected Android devices.
Malware threats usually have a stronger financial incentive than anything else to target smartphones. AG (2015) reported that more than half of Android malware had financial motivations. According to a Kaspersky Lab report, the number of Android malware attacks tripled in 2014 compared to the previous year, and the company predicted that this trend would continue in 2015 and 2016.  

Android Malware

Android is a mobile operating system that was commercially released in 2005 and is based on Linux. But instead of using the standard Linux kernel, it prefers to use the Dalvik virtual machine as an implementation target. Filiol et al. (2006) state that all Android applications were created with the Java programming language and ran on the Dalvik Virtual Machine engine, which is comparable to the architecture of the Android operating system. Users can choose from over a million applications, both paid and free, to be installed on their smartphone through Android’s own app store, the Play Store. Android smartphone users can also download apps from third-party markets, but there is a higher risk of malware attacks, according to Rai et al. (2015). Android views all third-party applications as potentially malicious because their reliability varies widely. When malware is installed, it typically exhibits odd behaviors and alerts users to potentially suspicious content. If the attacker has malicious intent and the users are unaware of the impact, the special feature could become dangerous.

The term “malware” is short for “malicious software”. Leita et al. (2010) define malware as an entity that invades susceptible systems and remotely installs malicious code on desktop computers. It gives the attacker the ability to carry out a number of illegal actions, such as generating unsolicited traffic and violating data confidentiality through denial-of-service attacks. Malware, according to Preda (2008), is a program with nefarious intent that can damage the computer it runs on or the network it communicates over. Android malware is defined as an entity or a piece of code that has been maliciously written with the intention of performing tasks on the victim’s computer or device. Its goal is to alter the functionality of the Android operating system without the user’s knowledge or consent, potentially harming them for the attacker’s own gain.

Types of Android Malware

According to Karresand’s (2002) classification of malware types, malware is a hybrid of a trojan horse, virus, and worm—difficult to compare because they don’t exclude one another. Based on their definitions, the variations or similarities of this malware can be observed. Malware can be broadly categorized into seven types, according to Mathur (2013): adware, bot, rootkit, spyware, trojan, virus, and worm. Nevertheless, since no review papers have identified the virus as Android malware, we have excluded its type from this paper. As a result, the six categories of malware for Android that are covered below are as follows: adware, bot, rootkit, spyware, trojan, and worm.

  • Adware

Installed apps might have harmless ads, but frequent popups and a constant barrage of ads eventually drive users crazy.

  • Bot

The command and control (C&C) remote server, BotMaster, will be in charge of the device. The device will await orders from the BotMaster to gather and transmit personal data, launch a denial-of-service attack, or start downloading the malicious payload automatically.

  • Rootkit

Through an infected app, it takes advantage of smartphones’ vulnerabilities to obtain privilege control over the user.

  • Spyware

Penetrates smartphones via downloaded apps, emails, adverts, and websites. It keeps track of or looks for contacts, messages, browsing history, and people.

  • Trojan

It poses as safe apps but uses the user’s Android smartphone to perform harmful actions without authorization.

  • Worm

A self-replicating program that runs in the background of the Android OS and propagates via removable media or networks.

Behaviours of Android Malware

Based on current knowledge, more analysis of the behavior of Android malware is required. Six major behavior categories are found across the six varieties of Android malware. The following items also describe the associated actions:

1- Existing Form
  • Masquerade: posing as trustworthy applications to gain privileged access to a user’s gadget.
  • Autonomous identity: without assistance from humans, they self-replicate and spread thousands of copies.

2- Propagation Mode
  • Additional Content Download: After installing trustworthy apps, the malware typically downloads more content. The extra material is either hidden as an app update or downloaded dynamically by the application. It disguises itself as an update, plugin, or extension to fool users into downloading the spyware data package.
  • Repackaging: A collection of reverse engineering techniques that include disassembling or decompiling apps, inserting or attaching malware payloads, reassembling the trojan apps, and distributing them in third-party markets. Android users can always download applications from unofficial stores in addition to the official one. Malware authors typically possess the ability to reverse engineer legitimate apps and repackage them with malicious code. Attackers usually trick users into downloading and installing their malicious apps on their devices by using well-known, legitimate apps. Users are unaware of the extra settings that are being made on their device, though, which could have a negative impact on them.
  • Self-Replicate: Creates thousands of copies of itself on its own without assistance from people. A malware code writer will insert a few code lines to establish communication with the remote server rather than embedding the malicious payload in the available app. Once the malware has begun to operate, the remaining malicious code will be downloaded from the remote server. This permits the malware to successfully dodge the malware detection system.

  1. Data theft:

This is the theft of private user information, including messages, login passwords, images, and videos. This data might end up in the hands of cybercriminals, or worse, it might be sold to interested parties. Additionally, some Android malware is capable of imitating user actions like texting or calling, sending and receiving messages, and using the internet. Due to this phenomenon, Android smartphones are a prime place for credentials to be stolen.

  2. System damage:

It can result in altered system configurations, like switching the device’s wallpaper, and functional disability, which prevents the system from functioning normally.

Gain Privileges Access

This gives malware for Android the ability to take over the program. Malware for Android has the ability to add, remove, download, install, and change any apps or other data without the user’s consent.

Draining Resources

Fake transactions are constantly being executed in the background by an Android smartphone. The malware uses up all the disk storage or memory and consumes a lot of resources, including CPU cycles and battery life.

Premium Rate SMS

The primary goal of the malware is to profit financially from the victim. By sending messages to premium rate numbers without the user’s permission, SMS messages are used to gather money. These premium rate phone numbers are those that charge more than regular phone numbers because they use specific services. Consistently sending SMS to these numbers can result in a substantial financial loss for the victim.
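A defender-side illustration of the repackaging and behaviour categories above, added here and not part of the original study: it compares the permissions declared in a decoded AndroidManifest.xml of a suspect copy against the original app and groups the additions by this article's behaviour categories. The permission-to-category mapping and both sample manifests are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from real Android permissions to this article's behaviour
# categories; the article itself does not list permissions.
BEHAVIOUR_BY_PERMISSION = {
    "android.permission.SEND_SMS": "Premium Rate SMS",
    "android.permission.READ_SMS": "Data theft",
    "android.permission.READ_CONTACTS": "Data theft",
    "android.permission.WRITE_SETTINGS": "System damage",
    "android.permission.SET_WALLPAPER": "System damage",
    "android.permission.REQUEST_INSTALL_PACKAGES": "Gain Privileges Access",
    "android.permission.WAKE_LOCK": "Draining Resources",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names

def repackaging_delta(original_xml, suspect_xml):
    """Group permissions the suspect adds over the original by behaviour category."""
    added = requested_permissions(suspect_xml) - requested_permissions(original_xml)
    report = {}
    for perm in sorted(added):
        category = BEHAVIOUR_BY_PERMISSION.get(perm, "Unmapped")
        report.setdefault(category, []).append(perm)
    return report

# Constructed sample manifests (decoded text form), not taken from any real app.
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""
SUSPECT = ORIGINAL.replace("</manifest>", """
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>""")

if __name__ == "__main__":
    for category, perms in repackaging_delta(ORIGINAL, SUSPECT).items():
        print(category, perms)
```

For manifests taken from untrusted APKs, a hardened parser such as defusedxml is preferable to the standard-library parser. Added permissions are only a triage signal; a legitimate update can also request new ones.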

Conclusion and Future Work

The most recent developments in mobile technology have made mobile devices the target of malicious attacks, particularly when Android provides ubiquitous services. Even though there are a lot of Android malware detection tools available today, there are still an increasing number of reported malware attacks. The primary cause of our continued inability to stop the spread of Android malware is the secret strategies employed to avoid the detection system. Android malware that gains unauthorized access has the potential to steal confidential information and cost victims money. This study has thoroughly examined pertinent literature on the various types of Android malware and how they behave. We have presented a general behavior taxonomy from the review that is present in all varieties of malware for Android devices.

This study is the first step in separating malware from benign behavior. Certain features that will be used in the next phase of the development of more dependable and effective Android malware detection systems can be improved. The results will help generate ideas for a practical approach to creating an Android malware detection system.
