Android malware is likely one of the most severe threats on the web and has witnessed an unprecedented upsurge in recent times. There is a must share the elemental understanding of behaviour exhibited by outstanding Android malware classes and households.

With the growing variety of Android customers and gadgets, the variety of exploits on Android apps can also be on the rise. It has affected all sectors of enterprise together with healthcare, finance, transportation, authorities, and e-commerce. As the present pattern continues, cell attackers are creating extra refined intrusions by deploying malicious apps and malware. The Understanding Android malware households (UAMF) sequence options six articles that may spotlight the principle Android malware classes and households. Readers will be taught in regards to the threats’ behaviour and study mitigation procedures. The articles on this sequence current the outcomes of our Android malware evaluation analysis undertaking, which has been underway since 2017. We generated 4 datasets AAGM2017, AndMAl2017, InvestAndMAl2019, and AndMal2020 and associated educational articles together with proposed Android malware detection and characterization options and methods. 


Android is the main working system that gives high-performance platforms for customers. According to a report printed by the International Data Corporation (IDC), Android is dominating the market with 85 per cent of the worldwide market share within the final quarter of 2020. Further, the annual cargo charge of Android is anticipated to develop by 150 million models in 2021. With the surging demand for Android within the international market, the challenges related to Android malware are additionally escalating at a speedy charge. According to a report, as of March 2020, the entire variety of Android malware samples amounted to 482,579 per 30 days [3]. These statistics are alarming and draw our consideration to the menace accompanied by the legacy of the Android working system. These malware samples can create havoc, if not detected.

Android malware is malicious software program that targets smartphone gadgets working Android working programs. It is like different malware samples that run on desktops or laptop computer computer systems. Android malware is alternatively known as cell malware which is any piece of malicious software program supposed to hurt the cell machine by performing some illegitimate actions. It might be labeled into completely different malware classes resembling adware, backdoor, file infector, probably undesirable software (PUA), ransomware, riskware, scareware, spy ware, and trojan. Each malware class has some distinctive traits that differentiate it from the opposite malware classes. Android malware additionally grows like people. Every malware class has a number of malware households related to it. 

The unrivalled risk of Android malware is the basis reason behind myriads of safety issues on the web and is an open problem for researchers and cybersecurity consultants. The solely method to eliminate this risk is to well timed detect and mitigate the malware samples. Fundamental data of Android malware classes and households is the important thing to doing so. This article goals to make clear outstanding Android malware classes and associated households underneath every malware class. In addition, it additionally makes the reader conversant in irregular actions carried out by every malware class. Finally, the article suggests some mitigation or prevention measures for Android malware. 

Android malware classes and households

The outstanding Android malware classes embody adware, backdoor, file infector, PUA, ransomware, riskware, scareware, spy ware, trojan, trojan-sms, trojan-spy, trojan-banker, and trojan-dropper. This part discusses the capabilities carried out by every of those malware classes and names some vital malware households underneath these malware classes.

  1. Adware: Adware represents commercial malware. It is a malicious software that throws undesirable commercials on the consumer display, particularly when accessing internet providers. Adware lures the consumer in direction of flashing commercials that supply profitable merchandise and entice them to click on on the commercial. Once a consumer clicks on the commercial, income is generated by the developer of this undesirable software. Some widespread examples of adware embody weight reduction packages, earning profits in much less time, and bogus virus warnings on display. This will not be the one means that adware assaults customers. Some adware samples are downloaded when any software program or software is put in on the smartphone. Some vital adware households embody gexin, batmobi, ewind, shedun, pandaad, appad, dianjin, gmobi, hummingbird, mobisec, loki, kyhub, and adcolony. Adware, basically, collects private info from the machine resembling telephone quantity, e mail deal with, software accounts, IMIE variety of the machine, machine ID, and standing. Some adware households entry machine cameras to gather photos. In some circumstances, adware makes an attempt to encrypt knowledge on gadgets and set up different malicious functions, code, or recordsdata.
  2. Backdoor: Backdoors act as hidden gateways right into a smartphone. In different phrases, backdoors are a method to bypass the authentication of a smartphone and lift privileges permitting the attacker to entry the machine any time. Backdoors facilitate the launch of distant assaults with out having the machine bodily. They might be utterly new packages or a part of an present one. Attackers cleverly embed the malicious code in legit packages in order that it’s executed solely when a particular atmosphere or situation is met. It’s noticed in some circumstances that if customers don’t change their default passwords of any account that they created on their machine; these passwords can be utilized as backdoors to inject malicious code for remotely controlling the machine. Some widespread examples of backdoor Android malware households embody mobby, kapuser, hiddad, dendroid, levida, fobus, moavt, androrat, kmin, pyls, and droidkungfu. Backdoor malware collects private info from the telephone, sends/receives messages, makes telephone calls and collects name historical past, collects lists of put in and working functions, and creates reminiscence area within the machine. In some extreme circumstances, the backdoor is rooted to the Android machine on which it was put in. Backdoors might be linked with adware. Attackers typically use commercial malware to lure the customers in. Once the consumer clicks the commercial, a backdoor is put in on their machine.
  3. File infector: A file infector is malware that attaches itself to APK recordsdata. APK stands for Android Package Kit which incorporates all the information associated to an software. The file infector will get put in with APK recordsdata. The malware is then executed when APK recordsdata are put in. The APK file might be any Android software resembling a recreation, phrase processing file, location navigation, or every other software. Recently, Google deleted a number of apps from the Play Store suspected of containing malware. Some widespread file infector households embody leech, tachi, commplat, gudex, and aqplay. File infector households try to decelerate the machine and eat a number of battery. These households gather machine ID, IMEI quantity, and telephone standing. They could block, delete or use telephone functions. They can modify, gather, and entry recordsdata and machine settings. In the worst case, file infectors can root for the machine.
  4. PUA: PUAs are probably undesirable functions that come bundled with real functions which are out there freed from value. They are typically known as probably undesirable packages (PUPs). PUAs usually are not at all times harmful. It all is dependent upon their use. A PUA routinely will get put in when the appliance it’s bundled with is put in. It can take the type of adware, spy ware, or hijackers. When PUAs begin popping up commercials, it’s known as adware. PUAs decelerate the machine by consuming reminiscence. They may result in different PUPs and spy ware packages that goal to steal delicate knowledge from the goal machine and ship it to the attacker. Some well-known PUA malware households for Android gadgets embody apptrack, secapk, wiyun, youmi, scamapp, utchi, cauly, and umpay. PUAs gather private info and consumer contacts from the machine. They can entry the machine’s location by way of Global Positioning System (GPS), show pop-up commercials, notifications and warnings, objectionable URLs, and shortcuts on the consumer display.
  5. Ransomware: Ransomware is malware that encrypts recordsdata and directories on the machine to make them inaccessible to customers. It asks for a good-looking quantity of ransom to offer the decryption key that’s used to unlock the information. Ransoms are sometimes paid for bitcoins. Certain incidents, nonetheless, have confirmed that some customers had been unable to get their knowledge again after paying the ransom. Some of them reported receiving incomplete recordsdata. At occasions, recordsdata merely vanished. We can’t verify that paying a ransom is useful. Android ransomware has developed considerably and new variants are rising. Some ransomware samples masquerade as common apps and handle to flee detection. Some widespread ransomware malware households embody congur, masnu, fusob, jisut, koler, lockscreen, slocker, and smsspy. Ransomware households are concerned in sending/receiving SMSs, locking SIM playing cards and smartphones, stealing community info resembling Wi-Fi connection particulars, and speaking to the distant server controlling the ransomware assault.
  6. Riskware: Riskware is a legit program that poses potential dangers to the safety vulnerabilities on the machine. Although it’s a real program, it’s used to steal info from the machine and redirect customers to malicious web sites. It might be alternatively termed as dangerous software program that performs capabilities at the price of machine safety. Some widespread riskware households embody badpac, mobilepay, wificrack, triada, skymobi, deng, jiagu, smspay, smsreg, and tordow. Riskware households gather private and telephone info, ship/obtain SMSs, steal community info, hook up with malicious web sites, set up malicious content material on gadgets, present malicious commercials, and modify system settings and recordsdata on the machine.
  7. Scareware: Scaeware is a worry coaxer that raises worry in customers’ minds to obtain or purchase malicious apps. For instance, convincing customers to put in a pretend software that pretends to safeguard the machine. Famous scareware households embody avpass, mobwin, and fakeapp. Scareware households try to gather machine info and GPS location and set up malicious code on the machine.
  8. Spyware: Spyware is malicious software program that may steal delicate info as soon as put in on the machine. The knowledge collected by spy ware is handed to advertisers, exterior companies, or companies. This knowledge is later used to hold out malicious actions. Android asks customers to offer permission to entry machine info resembling location, digital camera, and settings, however spy ware is put in with out the consumer’s authorization. Common spy ware households embody spynote, qqspy, spydealer, smsthief, spyagent, spyoo, smszombie, and smforw. Spyware households gather private info, ship/obtain SMSs, gather telephone info and machine location, steal community info resembling Wi-Fi connections to which the machine is linked, and entry system recordsdata and settings to switch them.
  9. Trojan: Trojans are sneaky impersonators that behave like legit packages. They can conceal within the background and steals info from the machine. It’s the largest malware class that represents a number of malware classes together with trojan-banker, trojan-dropper, trojan-sms, and trojan-spy. Extremely common trojan households embody gluper, lotoor, rootnik, guerrilla, gugi, hqwar, obtes, and hypay. Trojans typically have interaction in deleting, modifying, blocking, and copying knowledge to disrupt providers offered by the working system.

Table 1 gives a short description of Android malware classes and lists some widespread malware households underneath them.

Table 1: Summary of Android malware classes
Malware Category General Description of Behavior Common Malware Families
Adware Serves undesirable pop-up commercials to the consumer. gexin, batmobi, ewind, shedun, pandaad, appad, dianjin, gmobi, hummingbird, mobisec, loki, kyhub, and adcolony
Backdoor Exploits the machine covertly by hiding within the background. mobby, kapuser, hiddad, dendroid, levida, fobus, moavt, androrat, kmin, pyls, and droidkungfu
File Infector Contaminates the recordsdata, particularly the executable (APK) recordsdata. leech, tachi, commplat, gudex, and aqplay
PUA Acts as an undesirable interruption to regular actions carried out by the machine. apptrack, secapk, wiyun, youmi, scamapp, utchi, cauly, and umpay
Ransomware Acts as a crypto locker that encrypts the recordsdata and directories and calls for a ransom from the consumer to entry his personal knowledge. congur, masnu, fusob, jisut, koler, lockscreen, slocker, and smsspy
Riskware Poses threat to the potential vulnerabilities on the smartphone. badpac, mobilepay, wificrack, triada, skymobi, deng, jiagu, smspay, smsreg, and tordow
Scareware Serves as a worry coaxer that ignites worry within the consumer’s thoughts and forces them to obtain malicious apps. avpass, mobwin, and fakeapp
Spyware Indulges into spying actions to steal helpful info from the machine and ship it to a remotely managed server. spynote, qqspy, spydealer, smsthief, spyagent, spyoo, smszombie, and smforw
Trojan Behaves like an impersonator within the background that retains stealing info from the machine. It is represented in a number of types together with trojan-banker, trojan-dropper, trojan-sms, and trojan-spy. gluper, lotoor, rootnik, guerrilla, gugi, hqwar, obtes, and hypay

Mitigating Android malware

Android malware attaches itself to a legit APK file to keep away from detection. As a cybersecurity skilled, mitigating Android malware entails a deep understanding of some crucial technical ideas resembling packing methods, supply code evaluation, and reverse engineering. All these ideas are launched beneath for a greater understanding. We’ve additionally listed vital instruments which are used to carry out all these duties.

Packing methods

Android malware samples are packed utilizing packages known as packers. Packers conceal the malicious packages in an envelope in order that it stays undetected. They encrypt the malicious APK file and use the machine’s reminiscence to execute it. Packers had been initially created to guard delicate functions from leakage. These functions embody mental property rights. However, packers had been utilized to hiding malware samples later. Packers have change into extra refined and sophisticated over time. They pose severe challenges to cybersecurity professionals. Loads of Android malware is filled with providers offered by packers. To detect Android malware on a tool, it’s essential to unpack it to take away it from the envelope. Unpacked malware is then analyzed to find out its behaviour. To establish the behaviour, malware is executed in a particular atmosphere in order that it doesn’t have an effect on the Android machine. and are one of many first packers that present on-line packing providers for Android apps.

Source code evaluation

After unpacking the malware samples, the very first step is to research its supply code to disclose its performance and behavior. Source code might be analyzed statically or dynamically. In static malware evaluation, supply code will not be executed. It offers with the logical construction and stream of directions in this system. On the opposite hand, dynamic malware evaluation prepares a particular run-time atmosphere known as sandbox to execute the malware and decide its behaviour. Dynamic malware evaluation reveals extra info in comparison with static malware evaluation as a result of it executes the malware in a sandbox. However, some complicated malware samples are programmed to detect the sandbox atmosphere earlier than execution. Once they discover themselves in a sandbox atmosphere, they don’t seem to be executed. This makes dynamic malware evaluation a difficult activity malware analyst. Frida is a well-known software for performing a dynamic evaluation of Android malware.

Reverse engineering

Reverse engineering is a means of figuring out the performance of any object. It’s used to acquire the supply code of the cell app from the APK file. Several reverse engineering instruments are used to examine hidden malicious code inside a legit software. Some widespread reverse engineering instruments for Android apps embody APKInspector, APKTool, Bytecode Viewer, Smali, and Jadx. These instruments take APK file because the enter and procure its authentic supply code to construct the performance of the app.

How to safe your machine?

There are a number of preventive measures to undertake by a layman to stop Android malware. Some vital measures embody:

  1. Do not obtain apps from unreliable sources: Users are inspired to not obtain any apps from unreliable sources. Even all of the apps in Google Play Store usually are not safe. Google Play often deletes suspicious apps from its repository.
  2. Avoid third-party app shops: Third-party app shops don’t include legit apps. At least Google Play Store is protected to obtain apps. Moreover, third-party apps could require rooting for the machine.
  3. Say no to clickables: Avoid clicking any commercial in an app with out correctly studying and understanding it. Adware and PUA malware assault focused telephones by displaying luring commercials that may entice customers to click on on the flashing hyperlink within the commercial. Once the consumer clicks on the hyperlink, he could also be redirected to malicious web sites which are used to obtain malware on the focused machine. In some circumstances, clicking the flashing hyperlink itself results in downloading malicious software program on the telephone.
  4. Assigning permissions to apps: Most apps ask consumer to assign permissions and rights to the appliance in order that they will entry machine settings, contact particulars, and digital camera. Avoid assigning such permissions to all apps till it’s required for the functioning of the app.
  5. Install system updates: It is extremely really useful to put in system updates in order that apps put in on the smartphone are at all times up to date. Upgrade to the newest model of the working system, if potential. 

What’s subsequent

This article introduces the basics of Android malware, outstanding malware classes, their behaviour, irregular actions, and vital malware households underneath them. We’ve additionally included some vital mitigation methods utilized by malware analysts. The subsequent article of this UAMF sequence might be a deep-dive introduction to the trojan malware class, which acts as an impersonator within the background.

Would you suggest this text?

Thanks for taking the time to tell us what you consider this text!
We’d love to listen to your opinion about this or every other story you learn in our publication. Click this hyperlink to ship me a be aware →

Jim Love, Chief Content Officer, IT World Canada

Related Download
Cybersecurity Conversations with your Board Sponsor: CanadianCIO

Cybersecurity Conversations along with your Board – A Survival Guide
Download Now