
Android Application Malware Analysis

This document summarizes an article about analyzing Android application malware. It was written by David Mugisha, a student studying Digital Forensics and Information Security at Gujarat Forensic Sciences University. The article discusses how mobile malware has grown as mobile devices have become more ubiquitous and hold more sensitive user data. It aims to analyze an Android application to discover its infection methods using static and dynamic analysis techniques. The document provides background on Android OS and architecture, the need for app analysis, and a literature review of related work before outlining the analysis process.

Uploaded by

Abhinandan Banik

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/332103219

ANDROID APPLICATION MALWARE ANALYSIS

Article  in  International Journal of Mobile Learning and Organisation · February 2019


1 author:

David Mugisha
Gujarat Forensic Sciences University

All content following this page was uploaded by David Mugisha on 31 March 2019.



ANDROID APPLICATION MALWARE
ANALYSIS
By David MUGISHA


Student of M.Sc. Digital Forensics and Information Security

FORENSIC SCIENCE INSTITUTE

GUJARAT FORENSIC SCIENCES UNIVERSITY (GFSU)

ABSTRACT:

Mobile devices have enjoyed unprecedented growth in the last decade. As devices become
more ubiquitous and users place more sensitive data on their devices, the amount of mobile
malware in the wild has grown. Nowadays, malicious software, also known as
malware, poses a larger threat to these mobile devices. Recently, many news items have been
posted about the increase in Android malware.

Many Android applications have been pulled from the Android Market because they
contained malware. Attackers exploit the vulnerabilities of those applications or of the
Android operating system to penetrate mobile systems without user authorization,
compromising the confidentiality, integrity and availability of the applications and the
user. This paper gives an update on the work done in the project.

Lack of knowledge and the widespread use of Android devices lead to many crime-related
incidents involving these devices, and malware accounts for a great deal of them. Hackers
gain access to users’ information, monitor and record information about users’ actions on
their devices without their knowledge or permission, manipulate devices to send and
intercept text messages resulting in SMS charges, make unwanted phone calls, attempt to
steal users’ bank credentials without their knowledge, etc.

The research presented in this paper is an attempt to analyze such an Android application and
to find out how such applications work internally by combining basic static and dynamic
analysis techniques and tools to collect and analyze data in an effort to discover infection
methods not currently found in Android-based devices.

Keywords: Android; malware; dynamic; static; analysis; malicious.


1. INTRODUCTION

Since the launch of Google’s Android OS in 2008, the smartphone market has grown stupendously
and has never looked back. Looking at the mobile device space only, similar conclusions
were found in the DeviceAtlas Mobile Report for Q2 2017. Results showed that Android
was the leading mobile OS in Q1 2017 with a massive market share of 85%, while for iOS
the market share was only 14.7%. NetMarketShare has reported slightly lower numbers for
Android as the year has progressed, but Android continues to dominate in the
mobile space. Due to its ever-increasing numbers and easy acceptance into Google’s App
Store, the malware market is also thriving and enjoying unprecedented growth. To counteract
these threats, anti-virus and anti-malware companies are making considerable efforts.
However, these efforts fail to keep up with the current security requirements.

Within this project we will focus on the Android platform because this operating system is
the market leader with the biggest growth rates. It is used on smartphones, tablets and
set-top boxes from a large variety of manufacturers while being completely open source. We
will also find out how such an Android malware application works and how it gains access to
and penetrates the mobile system's functionality, using static and dynamic analysis.

This paper begins with an introduction to the Android OS and commonly known types of
Android malware, followed by a description of the tools used to perform static and dynamic
analysis of the malicious Android sample application (an apk file known as Topspeed
Test2). Then the results and the description of the data are discussed, and the paper
concludes with the data interpretation.

2. LITERATURE REVIEW

Since the release of the first Android smartphone in 2008, there have not been many research
projects and documents on Android malware analysis; only the basic steps needed for the
analysis were available, and even those are quite hard to get.

Two research papers were of practical and effective use to this project. The first
was “Introduction to Android Malware Analysis”, published by www.uckea.com (a web
site showing the basic analysis technique), which mentions some tools and techniques used for
malware analysis. These include basic static and dynamic analysis, and the paper gives an
introduction to mobile malware on the Android platform. It helps digital forensic experts,
security researchers and developers who choose to enter the malware analysis field learn more
about mobile malware on Android-based systems and become more aware of some tools for analysis.

Another example of related work was “Analysis of Malware Detection Techniques in
Android”, submitted by Ms Prajakta D. Sawale. It covers motives for creating mobile malware,
malware attack techniques, malware methods of propagation and malware detection
techniques. This work aims to explore and describe the analysis of different mobile malware
detection techniques on the Android platform.

Taking both papers into account gave me an idea of how the analysis procedure should
move forward and how I should gather more information on such a malicious Android
application, including its functionality and how it affects data on an Android-based system.

3. The Android Operating System

Android OS is a Linux-based platform for mobile phones. Android was released under
the Apache v2 open source license. Android was developed by Google and the Open Handset
Alliance (OHA), a coalition of hardware, software and telecommunications companies.

Android OS has become one of the most popular operating systems in the world. Most Android
applications are written in Java, the official language of Android development, and compiled
to Dalvik bytecode. The first version of Android was released in September 2008 with no
specific code name, and Android P (9), released in August 2018, is the latest version. Today,
Android OS is developed not only for computers and phones, but for all the things we interact
with on a daily basis, such as a refrigerator, an air conditioner, an oven, and more.

The most interesting feature of Android is that the kernel places each application in a
sandbox when it executes. This isolates the application from all the other applications and
other parts of the operating system. This involves the use of standard UNIX process
separation techniques, which allow the application to access its stored data and memory
without being able to interfere with other applications' hardware, memory and data usage.

Each application is assigned a unique UID (user ID) and GID (group ID). Users can install
their choice of applications from the Google Play Store, or they can install them directly on
the memory card. While installing an application, the user is presented with the permissions
requested by the application, such as access to the Internet, access to GPS coordinates,
access to contacts, etc. The user can either accept all permissions requested by the
application or choose not to install the application.

4. Need for App Analysis

Since their initial introduction to this world, mobile devices have seen considerable
innovation and creativity in terms of their features and functions. From devices that once
were only used to make calls and send texts, mobile phones can now present users with
calendars, web browsers, task managers, games, and email access, among other features,
resembling desktop computers in terms of functionality.

This increasing complexity of smartphones brings with it increasing vulnerabilities. Also,
due to its ever-increasing numbers and easy acceptance into Google’s App Store, the
malware market is thriving and enjoying unprecedented growth. Users entrust more and
more sensitive data, such as banking data and social networking identification, to the security
mechanisms embedded within these mobile devices and operating systems. It is apparent that
the current security technologies are insufficient and there is a need to assess the Android OS
and application software for malicious activity.

5. The Basics of Android Architecture

Android is an open source, Linux-based software stack divided into five main layers, as
shown in the architecture diagram below, Figure 1. Basically, it is designed in the form of a
software stack architecture that contains the following core layers: an applications layer, an
application framework layer, a libraries layer, a runtime environment, and a Linux kernel layer.

Figure 1 Five core layers of Android

5.1. Application layer

The application layer is the top layer of the stack. It contains native applications and
third-party applications that are installed by a user, such as WhatsApp and Snapchat.

5.2. Application Framework layer

The application framework layer provides many upper-level services to applications that
manage and control the application layer. In this layer, the developers of the application are
the only people who are allowed to control installed applications.

5.3. Libraries

This layer controls and accesses application data. Android provides a lot of C/C++ libraries
for different uses. Here are some of the most useful libraries:

• System C Library: It allows developers to create applications.
• Media framework: It is useful to program video and audio files.
• android.content: It allows messaging between applications and application components.
• android.webkit: It provides access to the internet within an application.

5.4. Android Runtime

This layer consists of the Dalvik Virtual Machine (DVM) and a set of core Java programming
libraries. Before any Java application is run, its Java files are converted into Dalvik format
(dex) to be optimized for minimal memory use.

5.5. Linux Kernel

This layer is the most important layer because it controls core services such as hardware,
memory management, power controls, security, and the rest of the software stack.

6. What is a mobile malware?

Mobile malware is malicious software specifically written to attack mobile devices such as
smartphones, tablets, and smartwatches. These types of malware rely on exploits of particular
mobile operating systems and mobile phone technology. Although mobile malware is not as
pervasive as malware that attacks traditional workstations, it is a growing threat to consumer
devices. Mobile malware is becoming a challenge to the security industry as attacks increase
in frequency and strength. The most common mobile malware attacks are explained below:

• Viruses
Mobile viruses are adapted for the cellular environment and designed to spread from one
vulnerable phone to another.

• Worm
A computer worm is a type of malware that infects other devices while remaining active on
infected systems. Cybercriminals can transmit worms through short message service (SMS)
or Multimedia Messaging Service (MMS) text messages and typically do not require user
interaction to execute commands.

• Bot
A mobile bot is a type of malware that runs automatically once a user installs it on a device. It
gains complete access to the device and its contents, and starts communicating with and
receiving instructions from one or more command and control servers. A cybercriminal
called a botmaster adds and manages the infected devices to a network of mobile bots
(botnet).

• Phishing
Mobile phishing attacks often come in the form of email or SMS text messages. SMS
phishing, sometimes called SMiShing, uses text messaging to convince victims to disclose
account credentials or to install malware. The attack masquerades as a reputable entity or
person and distributes malicious links or attachments that can extract login credentials or
account information from victims.

• Ransomware
Ransomware is a type of malware that locks the data on a victim's device or the device itself,
typically by encryption, and demands payment before the data or device is decrypted and
access returned to the victim. Unlike other types of attacks, the victim is usually notified that
an exploit has occurred and is given instructions on how to recover the data. Cybercriminals
often demand payment in a cryptocurrency such as Bitcoin, so that the cybercriminal's
identity remains unknown.

• Spyware
Spyware synchronizes with calendar apps, passwords, email accounts, notes and other
sources of personal data, collects that data and sends it to a remote server. It is often attached
to free software downloads or to links clicked by users. Peer-to-peer (P2P) file sharing has
increased the amount of spyware and the ramifications. Adware is a type of spyware.

• Trojan
A Trojan horse virus requires users to activate it. In mobile devices, cybercriminals typically
insert Trojans into non-malicious executable files or apps on the device. The user activates
the Trojan virus when he or she clicks or opens a file. Once activated, Trojans can infect and
deactivate other applications or the device itself and paralyze the device after a certain period
of time or a certain number of operations. Banking Trojans target both international and
regional banks by using fake versions of legitimate mobile apps or through phishing
campaigns.

• Wireless Application Protocol (WAP) clickers
Wireless Application Protocol (WAP) clickers are Trojan viruses that use WAP billing to
charge fees directly to a user's mobile phone bill. Mobile network operators use WAP billing
for paid services or subscriptions. This form of payment charges fees directly to the user's
service account, avoiding the need to register a credit card or set up an account. A WAP
clicker covertly subscribes to a cybercriminal's services and charges the mobile device
owner's account.

• Mobile Malware Symptoms:

Although these types of mobile malware differ greatly in how they spread and infect devices,
they can all produce similar symptoms. Signs of malware infection can include unwanted
behaviors and degradation of device performance. Mobile malware can reduce battery life or
processing power, hijack the browser, send unauthorized SMS messages and freeze the device
entirely.

7. Overview of analysis methods used

First, the malware sample was retrieved from security research repositories, quarantined, and
sorted into categories such as Trojan, worm, spyware, etc.

This apk sample, named Topspeed Test, is one that is listed as a suspected Android malware
app in online security research news
(https://clark.com/technology/google-play-malware-app-hummingbad/). The methodology
followed for reviewing the Android malware application sample (Topspeed Test2) has two
phases:

1) Static Analysis: The basic static analysis step used multiple tools and techniques to
analyse the .apk file.

2) Dynamic Analysis: Dynamic analysis performs dynamic testing. It obtains a model of the
application’s behaviour by running it in a virtual machine or simulating the application at
runtime. It performs real-time detection, traces communication with suspicious IP
addresses and employs packet sniffing for dynamic malware detection.

BASIC ANALYSIS STRUCTURE

Figure - Basic Analysis Structure.

Malware Analysis Tools Used

| Tool Name | Purpose | Process Used |
|---|---|---|
| VirusTotal | Scanning service that checks the apk file | Static Analysis |
| AndroTotal | Online service to scan suspicious apk files | Static Analysis |
| NVISO Apkscan | Online service to scan suspicious apk files | Static & Dynamic Analysis |
| Dex2Jar | Dex to Java bytecode translation | Dynamic Analysis |
| JD-GUI | Java disassembly and analysis | Dynamic Analysis |
| Apktool | Android package (apk) management | Dynamic Analysis |
| Android Emulator | Android device emulation | Live Testing |
| Apk Analyser | Provides immediate insight into the composition of your APK after the build process completes | Dynamic Analysis |
| HTMLViewer | HTML source viewer that helps to detect malicious code | Dynamic Analysis |
| Data Monitor | Monitoring online data usage | Dynamic Analysis |
| NetworkLog | Tool that logs network activity | Dynamic Analysis |

7.1. STATIC ANALYSIS

The basic static analysis step used multiple tools and techniques to analyse the .apk file.

7.1.1. Direct accessible evidence obtained

The directly accessible evidence can only be viewed by extracting the Android files. The
extraction methodology was as follows:

• The first step was to download the apk file from a known application repository.

Source: https://www.apkmonk.com/download-app/com.speed.top/2_com.speed.top_2017-01-16.apk/

Figure - Apk file from known source

• The steps that were followed to reach the source code of the apk file are explained
in detail below.

Figure - Decompilation of apk file.

• The apk sample from the Android application repository was saved in project /APK_Monk on
the Desktop as shown below:

• The second step was to use apktool, which is built into Santoku and helps to convert
the .apk file to a .dex file, using the following command:

    apktool d -r Topspeed_Test2.apk

• After this, the files can be viewed at the location shown below:

• The next step is to convert the .apk file to a .jar file so that it can be analyzed. To do
so, the dex2jar tool should be downloaded.
• It helps convert the .dex file to a .jar file, but be sure to install Java 7.0 or above in
order for it to work.
• The command used to convert was:

    d2j-dex2jar Topspeed_Test2.apk

Figure - Dex2jar command

• After that, a new file called Topspeed_Test2-dex2jar.jar will be generated in the same
location/folder. The figure shows the .dex files of the apk converted into a .jar file.

Figure - A new file called Topspeed_Test2-dex2jar.jar was generated in the same folder.

• At this stage, we are still not able to access the Java files, as shown in the figure below.
• So, we use the JD-GUI tool, a Java decompiler that helps to access the source code
of any jar file. This tool is built into Santoku.

Figure - Unreadable java file

• By using the JD-GUI tool, we are able to display and access all Java files of any apk.
This tool is built into Santoku Linux, so we only needed to open the
Topspeed_Test2-dex2jar.jar file within the JD-GUI tool. We first navigated to
Santoku > Reverse Engineering > JD-GUI as shown below:

Figure - Path to reach to JD-GUI tool

The window below pops up, and we can then choose any jar file to decompile.

Figure - JD-GUI tool loaded apk file

The figure below shows that we were successfully able to view the original code of the
Topspeed_test2 application.

Figure - View the original code of Apk file

• At this point, we could view and modify the code of all the applications that we installed,
and it is completely readable.
• The source code of the MainActivity file was accessed and analyzed.

Figure - MainActivity file source code

7.1.2. Analysis results after uploading the file onto VirusTotal

VirusTotal is an online scanning technology which decrypts the files that are
uploaded to it and generates a result which gives us in-depth knowledge of the application's
processes and the tasks it performs.

VirusTotal was used to scan the apk file.

Figure - Basic file information

• The data obtained from VirusTotal are mentioned below:

Overall information and the VirusTotal benchmark against the list of currently known
malware.

Figure - Detection ratio malwares detected

• Other information related to the apk file generated by VirusTotal

Figure - Other information describing apk file

• Required Permissions

Permissions the apk has without the knowledge of the user

Figure - Permissions used by the apk file

Let us look at the apk permissions mentioned above:

• android.permission.ACCESS_FINE_LOCATION and
android.permission.ACCESS_COARSE_LOCATION

These permissions help in providing location updates, user movements and more accurate
positioning services. In Android, getting locations works by requesting location updates from
the LocationManager by means of a callback. Location providers can be accessed only by using
the Fine and Coarse Location permissions in the Android manifest file.

• Android permissions needed to access the internet and check the network state/status

<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />

As the names imply, the first permission requests access to the internet, and the second
permission is needed to check the internet status/state.

• com.speed.top.permission.C2D_MESSAGE

Cloud to Device Messaging (C2DM) is a service to send small amounts of data to an Android
phone. It works by having the application register with the service and then having a remote
server send a message to the C2DM Google API, which is then forwarded to the device. This
means that it gives hackers permission to remotely control the device through this Android
application.

• android.permission.KILL_BACKGROUND_PROCESSES

Allows an application to kill background processes of other applications, even if memory is
not low. It allows the application to call killBackgroundProcesses(String). This is very
dangerous because it disturbs other apps running on the mobile device.

• android.permission.WAKE_LOCK

One legitimate case for using a wake lock might be a background service that needs to
grab a wake lock to keep the CPU running to do work while the screen is off. Again,
though, this practice should be minimized because of its impact on battery life. This
permission also lets a hacker access mobile services even when the screen is off.

• com.google.android.c2dm.permission.RECEIVE

The receiver for "com.google.android.c2dm.intent.RECEIVE" will be called once a new
message is received, while the receiver for
"com.google.android.c2dm.intent.REGISTRATION" will be called once the registration code
for the app is received. This permission gives a hacker the opportunity to retrieve user data
related to other applications, such as registration information and other information like
messages.

• The permissions discussed above give us a picture of how bad this apk file is for a mobile
device: how a hacker remotely controls a device that is using it, retrieves user data, and
detects network status and device location, etc.

• Activities and services run by the application

Figure - Activities and services run

• HTTP requests, DNS resolutions and files opened

Figure - Files opened and other information

• Relational graph of all the modules that were linked while running the apk.

Figure - Relation graph
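
The permission review in this section can be repeated mechanically on a decoded manifest. The script below is an added example, not code from the paper or its tools: it parses a text AndroidManifest.xml (an assumption: apktool run without -r, since with -r the manifest stays in binary form) and reports the permissions and c2dm receivers discussed above. The sample manifest is constructed from the package name and permissions listed on this page; the receiver and service class names are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes

# One-line notes per permission, summarising the review in the section above.
NOTES = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location updates",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location updates",
    "android.permission.INTERNET": "access to the internet",
    "android.permission.ACCESS_NETWORK_STATE": "checks the network state",
    "android.permission.KILL_BACKGROUND_PROCESSES": "can call killBackgroundProcesses(String)",
    "android.permission.WAKE_LOCK": "keeps the CPU running while the screen is off",
    "com.google.android.c2dm.permission.RECEIVE": "receives cloud-to-device messages",
}
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}
C2DM_INTENT_PREFIX = "com.google.android.c2dm.intent."

# Constructed sample. Package and permissions are those listed on this page;
# the receiver and service class names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.speed.top">
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <uses-permission android:name="com.speed.top.permission.C2D_MESSAGE"/>
  <permission android:name="com.speed.top.permission.C2D_MESSAGE"
      android:protectionLevel="signature"/>
  <application>
    <receiver android:name="com.speed.top.PushReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
        <action android:name="com.google.android.c2dm.intent.REGISTRATION"/>
      </intent-filter>
    </receiver>
    <service android:name="com.speed.top.WorkService"/>
  </application>
</manifest>"""


def parse_manifest(xml_text):
    """Extract package, requested/declared permissions and components."""
    root = ET.fromstring(xml_text)
    components = []
    for kind in ("activity", "service", "receiver"):
        for elem in root.iter(kind):
            actions = [a.get(A + "name") for a in elem.iter("action")]
            components.append({"kind": kind, "name": elem.get(A + "name"),
                               "actions": actions})
    return {
        "package": root.get("package"),
        "requested": [e.get(A + "name") for e in root.iter("uses-permission")],
        "declared": [e.get(A + "name") for e in root.iter("permission")],
        "components": components,
    }


def origin(perm, package):
    """Say who defines a permission: the platform, this app, or another package."""
    if perm.startswith("android.permission."):
        return "platform"
    return "app-defined" if perm.startswith(package + ".") else "other package"


def triage(manifest):
    """Turn the parsed manifest into review findings."""
    pkg, requested = manifest["package"], manifest["requested"]
    perms = [(p, origin(p, pkg), NOTES.get(p, "no note: review manually"))
             for p in requested]
    push = [c["name"] for c in manifest["components"]
            if any((a or "").startswith(C2DM_INTENT_PREFIX) for a in c["actions"])]
    has_net = "android.permission.INTERNET" in requested
    combos = []
    if has_net and LOCATION & set(requested):
        combos.append("location + INTERNET: location data can leave the device")
    if has_net and "android.permission.WAKE_LOCK" in requested:
        combos.append("WAKE_LOCK + INTERNET: network activity can continue with the screen off")
    if push:
        combos.append("c2dm receiver: a remote server can trigger code in " + ", ".join(push))
    # App-defined permissions that are requested but never declared in this manifest.
    undeclared = [p for p in requested
                  if origin(p, pkg) == "app-defined" and p not in manifest["declared"]]
    return {"permissions": perms, "combinations": combos,
            "push_receivers": push, "undeclared": undeclared}


if __name__ == "__main__":
    report = triage(parse_manifest(SAMPLE_MANIFEST))
    for name, who, note in report["permissions"]:
        print(f"{who:13} {name}: {note}")
    for line in report["combinations"]:
        print("!!", line)
    print("undeclared app-defined permissions:", report["undeclared"])
```

The combination findings are the part worth reading first: a single permission such as INTERNET is unremarkable, while location plus INTERNET plus a push receiver is the pattern this section describes.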

7.1.3. Static and Dynamic Analysis using NVISO Apkscan tool

NVISO Apkscan is an online service that displays a large amount of data using static and
dynamic analysis techniques.

• General information about the apk file

Figure - Basic information of apk file

• Overview of all permissions requested by the apk file

Figure - Apk file permissions

• Overall information and the NVISO benchmark against the list of currently known
malware.

Figure - Detection ratio malwares detected

• Hardcoded URLs: hardcoding is the unfortunate practice in which hackers store
configuration or input data, such as a file path or a remote host name, in the source
code rather than obtaining it from a configuration file, a database, user input, or
another external source. Some of the hardcoded URLs found are shown below:

Figure - Hardcoded URLs found in apk file

• The local files on the mobile storage device that were accessed by the apk file are shown
below.

Figure - Local files that were accessed by apk

• Unsecure network connections were found by the NVISO tool during dynamic analysis.
An unsecure network most often refers to a free Wi-Fi (wireless) network: there is no
special login or screening process to get on the network, which means anyone else can use
it to get access.

Figure - Network connections that were opened during the dynamic analysis of the apk

• Services that were started automatically during dynamic analysis of the application

Figure - Services that started automatically by apk file
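
An added example, not part of the paper or of NVISO Apkscan: a small offline scanner for the hardcoded-URL item above that reads the apk directly as the ZIP archive unpacked in section 7.1.1, checks each .dex entry's magic bytes, and lists URLs stored as ASCII or UTF-16LE strings. The sample archive, its entry names and the example.invalid and 192.0.2.10 addresses are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile
from urllib.parse import urlsplit

DEX_MAGIC = re.compile(rb"dex\n\d{3}\x00")             # e.g. b"dex\n035\0"
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")
WIDE_RE = re.compile(rb"(?:[\x21-\x7e]\x00){8,}")       # runs of ASCII stored as UTF-16LE


def build_sample_apk():
    """Constructed stand-in for an apk: a ZIP with a fake classes.dex and two extras."""
    dex = (b"dex\n035\x00" + b"\x00" * 104             # magic, rest of 112-byte header zeroed
           + b"Lcom/speed/top/MainActivity;\x00"       # NUL-terminated strings, as in a .dex
           + b"http://api.example.invalid/gate.php\x00"
           + b"https://cdn.example.invalid/ads/cfg\x00")
    wide = "http://192.0.2.10:8080/report".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex)
        z.writestr("assets/extra.dex", b"not a dex file")    # wrong magic on purpose
        z.writestr("res/raw/settings.bin", b"\x01\x02" + wide + b"\x00\x00")
    return buf.getvalue()


def find_urls(data):
    """URLs stored as plain ASCII bytes or as UTF-16LE text."""
    hits = {m.group() for m in URL_RE.finditer(data)}
    for run in WIDE_RE.finditer(data):
        # Dropping every second byte turns the UTF-16LE run back into ASCII.
        hits.update(m.group() for m in URL_RE.finditer(run.group()[::2]))
    return sorted({h.decode("ascii").rstrip(".,;") for h in hits})


def scan_apk(apk_bytes):
    """Hash the apk, validate .dex entries and collect hardcoded URLs per entry."""
    report = {"sha256": hashlib.sha256(apk_bytes).hexdigest(), "dex": [], "urls": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info)
            if info.filename.endswith(".dex"):
                report["dex"].append((info.filename, bool(DEX_MAGIC.match(data))))
            urls = find_urls(data)
            if urls:
                report["urls"][info.filename] = urls
    every = sorted({u for found in report["urls"].values() for u in found})
    report["dex"].sort()
    report["hosts"] = sorted({urlsplit(u).hostname for u in every if urlsplit(u).hostname})
    # http:// URLs are fetched without TLS, so their traffic can be read or altered in transit.
    report["cleartext"] = [u for u in every if u.startswith("http://")]
    return report


if __name__ == "__main__":
    result = scan_apk(build_sample_apk())
    print("sha256:", result["sha256"])
    for name, ok in result["dex"]:
        print("dex entry", name, "valid magic" if ok else "INVALID magic")
    for name, urls in result["urls"].items():
        for url in urls:
            print(name, "->", url)
    print("hosts:", result["hosts"])
    print("cleartext:", result["cleartext"])
```

The SHA-256 it prints is the value to search for on a scanning service, and the host list is what to compare against the connections recorded during dynamic analysis.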

7.2. Dynamic Analysis

In dynamic analysis we execute the application, supported by a program in the
background, on an actual or virtual processor. For the analysis to be effective, the
application must be run with sufficient test inputs to produce interesting behavior. Dynamic
analysis minimizes the effect of instrumentation on the performance of the target
program.

Dynamic analysis performs dynamic testing. It obtains a model of the application’s behaviour
by running it in a virtual machine or simulating the application at runtime. It performs
real-time detection, traces communication with suspicious IP addresses and employs packet
sniffing for dynamic malware detection.

In our work, we made use of manual dynamic APK analysis tools, including Apk
Analyser, HTMLViewer, Data Monitor, SysLog and NetworkLog, to manually learn
the behavior of an APK when it executes on a device. Analysis of the APK reveals detail
on the app’s behavior: invoked Java methods with parameter resolution, return values and
textual representations of objects, network communication, user interface, internal
functions, Java code executed, emulated user interaction and system logs. It reveals the
malicious intents of an app, maximizes the malware behavior, simulates events, shows the
permissions requested, eases post-analysis of unknown applications and measures the
effectiveness of the analysis. The analysis and the tools used are shown below:

• Genymotion emulator interface showing how the apps were installed

Figure - Genymotion emulator works as mobile device interface

• Interfaces showing the apk file running process

Figure - Apk file before and after running

• Dynamic analysis using Apk Analyser, which provides information about the running apk file.

Figure - Apk Analyser tool in analysis process

• Dynamic analysis of the AndroidManifest.xml file code: this is one of the main files of
an Android apk file and contains permissions and other main control activities.

Figure - Analysis of AndroidManifest.xml file code

• HTML Viewer helped to analyze and access the source code of the extracted
AndroidManifest.xml file.

Figure - Source code of AndroidManifest.xml file

• Dynamic analysis of the apk file using Data Monitor, which helped to analyze network
traffic and to try to trace remote addresses.

Figure - Dynamic Analysis process of Data Monitor Tools

• The SysLog tool was used to analyze the system logs in depth after running the apk file,
to check how the apk file tries to access and change system functions.

Figure - SysLog tool captured running system logs and saved in SD CARD

• After the apk file was run, the SysLog tool showed more unknown permissions requested
by the apk file.

Figure - Unknown permissions requested by apk file while it was running

• The NetworkLog tool helped to check how the apk file communicated over the network
(source, data sent and received while it was running).

Figure - NetworkLog tool report while the apk file was running, with a graph showing how data
was accessed by the apk file while running.

8. OVERALL SUMMARY

After a thorough study of the Topspeed Test2 Android apk file, there was quite a lot of
information which we were able to understand and work with.

The findings are listed below:

1. If the APK (which is a program file for Android) is run on an Android-powered
smartphone, it will gain administrator rights on the victim’s device and make use of the
following:

ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, INTERNET,
ACCESS_NETWORK_STATE, KILL_BACKGROUND_PROCESSES, -RECEIVE.SMS,
C2D_MESSAGE.

2. It generates a backdoor to monitor and control the device.
3. It is remotely controlled from an unhidden address, and sends and receives heavy packets
to and from the remote address.
4. It gains admin privileges and full access to the device, in the sense that the attacker on
the remote end can do whatever he wants.
5. It also has the ability to disable other running apps and to keep memory busy so that
other processes cannot execute.
6. It can also keep the device awake even if the screen is off. This gives the remote
controller the opportunity to access the device any time it is powered on.
7. It saves actions in the phone's settings, etc.

The overall idea of the Topspeed Test2 malware application is to gain access to the Android
system and give the user's private information to remote attackers.

9. CONCLUSION AND FUTURE SCOPE

9.1. Conclusion

Static and dynamic analysis of Android malware is an important step towards Android
security. It can tremendously help investigators, security analysts and researchers who have
the right to access confidential data to take corrective measures against system and network
vulnerabilities.

The overall conclusion on Topspeed Test.apk is that the application itself is very tricky.
Once installed on a device, it obtains the user's credentials and private information, gives
attackers access, and lets them remotely control the device at any time, even when the screen
is off. This shows that Topspeed Test2.apk is nasty malware, and extreme care must be taken
to keep it from spreading into the system.

A more detailed and conclusive study is still needed for a deep understanding of the Topspeed
Test2 Android application.

9.2. Future Scope

• Future work can include advanced static and dynamic analysis of Topspeed
Test2.apk.
• It can also include the implementation of an app that will be a packet capture classifier
framework. It is necessary to implement such a framework to distinguish suspected
apps from legitimate ones and to safeguard the integrity of the device and the data it
contains and exchanges with other Android devices.
• Determining the source of the attack and placing the application into sandboxing
technologies.

References

• https://searchmobilecomputing.techtarget.com/definition/mobile-malware
• Introduction to Android Malware Analysis (https://www.exploit-db.com/docs/english/33093-introduction-to-android-malware-analysis.pdf)
• https://www.nyxbone.com/malware/android_tools.html
• Static and Dynamic Analysis of Android Malware and Goodware Written with Unity Framework (https://www.hindawi.com/journals/scn/2018/6280768/)
• https://www.intechopen.com/books/smartphones-from-an-applied-research-perspective/malware-analysis-and-detection-on-android-the-big-challenge
• Penetration Testing for Android Applications with Santoku Linux (http://csufresnodspace.calstate.edu/bitstream/handle/10211.3/204208/AlmusallamAhlam_Project2018.pdf?sequence=3)
• https://andrototal.org/sample/
• https://www.virustotal.com/
• https://apkscan.nviso.be/
• https://www.researchgate.net/publication/314521542_Static_and_Dynamic_Analysis_of_Android_Malware
• Malware Analysis for Android Operating (https://pdfs.semanticscholar.org/55fc/740fe35ca430fae17eec737950ef41adb0a7.pdf)
• https://hydrasky.com/mobile-security/android-malware-analysis-tool-dynamic-analysis-tools/
• https://santoku-linux.com/
• https://resources.infosecinstitute.com/android-malware-analysis/#gref
• Static and Dynamic Analysis of Android Malware (http://www.scitepress.org/Papers/2017/62567/62567.pdf)
• The Evolution of Android Malware and Android Analysis Techniques (https://pure.royalholloway.ac.uk/portal/files/28069262/computingsurvey.pdf)
• A comparative study of static, dynamic and hybrid analysis techniques for android malware detection (https://www.ijedr.org/papers/IJEDR1702223.pdf)
