ABSTRACT
Contents Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 9.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 9.2 Android Banking Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
9.2.1 Android Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 9.2.2 Dataset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
9.3 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 9.4 Overview of Android Banking Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
9.4.1 Brief Summary of Malware Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 9.5 Analyzing the Impact of Android Banking Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 9.6 Analyzing the Encryption and Obfuscation Technique . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 9.7 Analyzing the URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 9.8 Android Banking Malware Similarity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226 9.9 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
9.9.1 Implication of Our Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Abstract Information technology’s rapid evolution was always closely followed by the sophistication of malware. With ubiquitous shift to the mobile platforms, the rise of mobile malware and, in particular, banking malware came as no surprise. In general, any financial operation on the mobile platform potentially exposes a user to a variety of threats including data leakage, theft, and financial loss. Driven by financial profits, banking malware leverages user’s cluelessness, openness of mobile platforms, and lack of security measures. In this work, we aim to give insight into mobile banking
malware and explore unique characteristics of its communication patterns. Given the popularity of Android platform, in this work, we focus on Android banking malware detected since the first appearance of Android platform in 2008. Through static and dynamic analysis combined with visualization, we analyze patterns of benign and malicious URLs employed by malware, their common characteristics, encoding trends, and the relationships with other types of malware. Through our study, we reveal methods (e.g., hidden encryption techniques) currently adopted by attackers to avoid detection. As a part of this study, we compile and offer to the research community a dataset containing 973 samples representing 10 Android banking malware families.
