Android Malware Detection & Protection : A Survey

Android has become the most popular smartphone operating system. This rapidly increasing adoption of Android has resulted in significant increase in the number of malwares when compared with previous years. There exist lots of antimalware programs which are designed to effectively protect the users’ sensitive data in mobile systems from such attacks. In this paper, our contribution is twofold. Firstly, we have analyzed the Android malwares and their penetration techniques used for attacking the systems and antivirus programs that act against malwares to protect Android systems. We categorize many of the most recent antimalware techniques on the basis of their detection methods. We aim to provide an easy and concise view of the malware detection and protection mechanisms and deduce their benefits and limitations. Secondly, we have forecast Android market trends for the year up to 2018 and provide a unique hybrid security solution and take into account both the static and dynamic analysis an android application. Keywords—Android; Permissions; Signature


INTRODUCTION
Since 2008, the rate of smartphone adoption has increased tremendously.Smartphones provide different connectivity options such as Wi-Fi, GSM, GPS, CDMA and Bluetooth etc. which make them a ubiquitous device.Google says, 1.3 million Android devices are being activated each day [1].Android operating system left its competitors far behind by capturing more than 78% of total market share in 2013 [2].Gartner report 2013 of smartphone sales shows that there is 42.3% increase in sales of smartphones in comparison with 2012.According to International data corporation IDC, Android OS dominates with 82.8% of total market shares in 2Q 2015 [3]. Figure 1 shows the market shares of Android operating system on yearly basis.It could be observed that Android has become the most widely used operating system over the years.
Android platform offers sophisticated functionalities at very low cost and has become the most popular operating system for handheld devices.Apart from the Android popularity, it has become the main target for attackers and malware developers.The official Android market hosts millions of applications that are being downloaded by the users in a large number everyday [4].Android offers an open market model where no any application is verified by any security expert and this makes Android an easy target for developers to embed malicious content into their applications.The users" sensitive data can be easily compromised and can be transferred to other servers.Furthermore, the existence of third party application stores contribute in spreading malwares for Android because Google Play also hosts the applications of third-party developers.Android official market uses Bouncer for protection of marketplace against malwares [5].However, Bouncer does not analyze the vulnerabilities of the uploaded apps.Malware developers take advantage of vulnerabilities among apps by repackaging the popular apps of Google Play and distributing them on other third-party app-stores.This degrades the reputation of the app-store and of the reputation of the developer.Malwares includes computer viruses, Trojan horses, adware, backdoors, spywares and other malicious programs which are designed to disrupt or damage the operating system and to steal personal, financial, or business information.Malware developers use code obfuscation methods, dynamic execution, stealth techniques, encryption and repackaging to bypass the existing antimalware techniques provided by Android platform.In order to prevent such malwares, it is important to have accurate and deep understanding of them so that security measures to protect users" data could be taken accordingly.There are large numbers of attack scenarios where an attacker can compromise a user"s data by taking advantage of the vulnerabilities of Android operating system.For example, a www.ijacsa.thesai.orgTrojan app downloads some HD wallpapers with user"s permission but this permission may allow this app to access the user"s contacts or other personal information and it leaks user"s confidential data to some other server from the device secretly.In such a case, the wallpapers app will have Internet permissions for download purpose.The user might not give much attention towards other requested access permissions and might grant READ_CONTATCS permission accidentally.As a result, the app may modify the device settings, corrupt the user"s data and can transfer private data to some unknown remote servers.This results in user"s business data loss and other personal information.The attackers can use the stolen data for kidnapping, blackmailing or business loss purposes.In an another attack scenario, attackers distribute the malicious apps as a repackaged version of some popular apps which may offer location-based services so in that scenario malicious app kill the victim device by draining its battery with the excessive use of GPS and radio etc.Some of the malicious programs get the user"s device IMEI numbers and send it to remote server.These IMEI numbers have significant worth in black markets where IMEI numbers of stolen devices can be altered with user"s IMEI [6].
There are hundreds of malware techniques identified which attack the Android platforms in several ways such as sending messages without the victim"s knowledge and deleting them by itself, sending user"s private information to some other server and many more.So there is a great need to protect user"s data from these malwares.This ever increasing malware threats have forced the Android antimalware industry to develop the solutions for mitigating malicious app threat on Android smartphones and other Android devices.Two main approaches are used for this purpose: Static approach and Dynamic approach.Antivirus programs use any of these approaches to protect the mobile systems from the malware attacks.They detect the malicious apps and notify the user about such apps and take measures to remove these malwares.With the increasing number of threat level, the antivirus detection rate has also increased.As a result of threat & malware, and protection mechanism offered by Android antimalware programs, the overall risk situation of Android users is difficult to assess [7].
In this paper, we have analyzed different malwares, their behaviors and techniques used by different malware types to attack Android devices.Furthermore, the paper provides detailed review on different antimalware techniques, their advantages and limitations.On the basis of this review, a hybrid solution for Android security has been proposed.The rest of the paper is organized as follow.Section II classifies the existing malwares on the basis of their behavior.Section III consists of malware penetration techniques employed by the attackers.In Section IV, a detailed analysis on the malware detection and removal methods for the protection of Android devices has been performed.Section V consists of performance evaluation of antimalware mechanisms.The future trends for Android market shares and malware growth and limitations for existing antimalware approaches are provided in Section VI.A solution has also been proposed in this section which is aimed at providing better security mechanism.The paper is concluded in Section VII.

A. Trojans
Trojans appear to a user as a Benign app [5].In fact, they actually steal the user"s confidential information without the user"s knowledge.Such apps can easily get access to the browsing history, messages, contacts and device IMEI numbers etc. of victim"s device and steal this information without the consent of user.FakeNetflix [10] is an example of such malwares that provide user interface identical to original Netflix app and collect the user"s login credentials.SMS Trojans exploit the premium services to incur financial loss to the victim.Fakeplayer is a well-known SMS Trojan that sends messages to premium rate numbers without user awareness [11].Zsone [12] and Android.foney are also the examples of such SMS Trojan apps.Malwares also capture the user"s banking information such as account number and password.Zitmo and Spitmo Trojans are designed to steal the user"s mTANs (Mobile Transaction Authentication Number) which then complete the transactions silently [13].

B. Backdoors
Backdoors employ the root exploits to grant root privileges to the malwares and facilitate them to hide from antiviruses.Exploid, Rageagainstthecage (RATC) and Zimperlich are the top three root exploits which gain full-control of device [14].DroidKungFu [15] uses root exploits, Exploid and Rageagainstthecage, in an encrypted form.When DroidKungFu executes, it first decrypts and launches the root exploits.If the root exploit succeed to gain control over device and root privilege, the malware become able to perform any operation on the device even the installation of applications keeping the user unaware of this act [16].

C. Worms
Such malwares create copies of it and distribute them over the network.For example, Bluetooth worms spread malware through the Bluetooth network by sending copies of it to the www.ijacsa.thesai.orgpaired devices.Android.Obad.OS is the example of Bluetooth worm [17].

D. Spyware
Nickspy [11] and GPSSpy [18] are the examples of spyware apps which appear as benign app, but it actually monitors the user"s confidential information such as messages, contacts, bank mTANs, location etc. for some undesirable consequences.Personal spywares can install the malicious payload without the victim"s knowledge.It sends the user"s information such as text messages, contacts etc. to the attacker who installed that software on victim"s device [6].

E. Botnets
Botnet is a network of compromised Android devices.Botmaster, a remote server, controls the botnet through the C&C network.Geinimi [11] is one of the Android botnets.

F. Ransomwares
Ransomware prevent the user from accessing their data on device by locking the device, until ransom amount is paid.FakeDefender.B [19] is a malware that masquerades itself as avast!, an antivirus.It locks the victim"s device and force the user to pay ransom amount to unlock the device.

G. Riskwares
Riskwares are the legitimate software exploited by the malicious authors to reduce the performance of device or harm the data e.g., delete, copy or modify etc. [20].The statistical data obtained from [21] has been computed and plotted in Figure 3 which presents the top Android malware families recorded by TrendMicro in second quarter (2Q) of 2015.According to the report, 24% of the total malwares were guided variants, which do not have any GUIs and silently run at the background without the user"s knowledge.

A. Repackaging
Malware authors repackage the popular applications of Android official market, Google Play, and distribute them on other less monitored third party app-store.Repackaging includes the disassembling of the popular benign apps, both free and paid; append the malicious content and reassembling of app .This process of repackaging is done by reverseengineering tools.During repackaging, malicious authors change the signature of repackaged app and so the app seems new to the antimalware.TrendMicro report have shown that 77% of the top 50 free apps available in Google Play are repackaged [22].

B. Drive By Download
It refers to an unintentional download of malware in the background.Drive by download attacks occur when a user visit a website that contains malicious content and injects malware into the victim"s device without the user"s knowledge.Malware developers use Android/NotCompatible [23] which is one of the drive-by download app.

C. Dynamic Payloads
Malwares also penetrate into Android devices through dynamic payload technique.They encrypt the malicious content and embed it within APK resources.After installation, the app decrypts the encrypted malicious payload and executes the malicious code.Some malwares, instead of embedding payload as resource, download the malicious content from remote servers dynamically and are not detected by static analysis approach [24].

D. Stealth Malware Techniques
On Android device malware scanners cannot perform deep analysis because of the availability of limited resources such as battery.Malware developers exploit these hardware vulnerabilities and obfuscate the malicious code to easily bypass the antimalware.Different stealth techniques such as key permutation, dynamic loading, native code execution, code encryption and java reflection are used to attack the victim"s device.

IV. ANDROID MALWARE DETECTION
There are mainly two approaches to analyze the Android malwares: Static and Dynamic Approach.We have further categorized the antimalware using static and dynamic approaches.Figure 4 shows the taxonomy of existing antimalware techniques based on our study.www.ijacsa.thesai.org

A. Static Approach
Static approach is a way to check functionalities and maliciousness of an application by disassembling and analyzing its source code, without executing the application.It is useful for finding malicious behaviors that may not operate until the particular condition occurs.

1) Signature Based Approach
Signature based malware detection methods are commonly used by commercial antimalware products.This method extracts the semantic patterns and creates a unique signature [25].A program is classified as a malware if its signature matches with existing malware families" signatures.The major drawback of signature based detection is that it can be easily circumvented by code obfuscation because it can only identify the existing malwares and fails against the unseen variants of malwares.It needs immediate update of malware variants as they are detected.
Faruki et al. [26] proposed AndroSimilar, a robust statistical signature method to detect the unknown variants of existing malwares that are usually generated by using repackaging and code obfuscation techniques.It generates the variable length signature for the application under test and compares it with the signatures in AndroSimilar malware database and identify the app as malware and benign on the basis of similarity percentage.Authors tested the AndroSimilar against 1260 apps among which 6779 apps were Google Play apps and 545 apps were from third party app store.They also used code obfuscation techniques such as method renaming, string encryption, control flow obfuscation and junk method insertion techniques to change the signature of the code and tested the effectiveness of AndroSimilar against 426 samples.The solution detected more than 60% samples correctly.AndroSimilar compares the signatures of the applications in order to distinct between the malwares and benign apps but it has limited signature database as compared to the other antivirus solutions.So any unseen malwares will remain undetected.Also the similarity percentage creates the false positives as it may classify the clean apps as malicious on the basis of percentage.
DroidAnalytics [27] is a signature based analytic system which extract and analyze the apps at op-code level.It not only generates the signature but also associate the malware with existing malwares after identifying the malicious content.It generates 3 level signatures.First it generates signature at method level by API call tracing then combining all the signatures of methods in a class it generates the class level signatures and at third level it generates the application signature by combining the signatures of the classes in the application.Authors have used DroidAnalytics to detect 2,494 malware samples from 102 malware families and 342 repackaged malwares from other six malware families.The limitations of this method includes, it classifies the apps as malware on the basis of classes mostly used by malware families but during experiment they found some signatures that are used by both the legitimate apps and malwares.Also the similarity score used for detection of repackaged malwares do not provide 100% solution or it may also provide false positive, classify the legitimate app as malware.
 Limitation of Signature Based Detection: Although signature based detection is very efficient for known malwares but it cannot detect the unknown malware types.Also because of limited signature database most of the malwares remain undetected.

2) Permission Based Analysis:
In Android system, permissions requested by the app plays a vital role in governing the access rights.By default, apps have no permission to access the user" data and effect the system security.During installation, user must allow the app to access all the resources requested by the app.Developers must mention the permissions requested for the resources in the AndroidManifest.xmlfile.But all declared permissions are not necessarily the required permissions for that specific application.www.ijacsa.thesai.org Ref. [28] has shown that most of the time developers have declared the permissions that are not actually required by the application which makes it difficult to detect the malicious behavior of application.Antimalware analyzes the Android Manifest.xmlfile where all the permissions for the resources required by the app are mentioned.Stowaway [28] exposes the permission over privilege problem in Android where an app requests more permissions than it actually uses.Stowaway performs static analysis to determine the API calls invoked by the application and then it maps the permissions required by the API calls.They found that one third applications are over privileged among 940 Android application samples.It cannot resolve the API calls invoked by applications with the use of java reflections.
In [29], authors have proposed a light weight malware detection mechanism which only analyze the manifest file and extract the information such as permissions, intent filters ( action, category and priority), process name and number of redefined permissions to detect the malicious behavior of an application.After extracting such information, they compare it with the keyword list provide in the proposed method and then calculate the malignancy score.They used Weka [30] which is a data mining tool for calculation of threshold value.At last they compare the malignancy score with threshold value and classify the app as malware if malignancy score exceeds threshold value.They have used 365 samples to test the efficiency of proposed solution and the solution provides 90% accurate detection.It is cost saving mechanism as it only includes the analysis of manifest file and can be implemented in other detection architectures easily to detect malwares efficiently.Also it can detect even those malwares that remain undetected by signature based detection method.This proposed solution is limited to manifest file information.Also it cannot detect the adware samples.C. Y. Haung et al. [31] proposed a method for better detection of permission based malware detection which includes the analysis of both requested and required permissions as most of the time malware authors declare more permissions in the manifest file than they actually require for the application.Also it analyses the easy to retrieve features and then labels the application as benign or malware.Three different labeling types are used for this purpose which includes site based labeling; scanner based labeling and mixed labeling.In site based labeling it labels the app as benign if it is downloaded from Google official app market and if it is downloaded from some malicious source then the app is labeled as malicious.In the second labeling scheme, if the antivirus scanner declares the app as benign the app is label as benign and same for the malware case.In the mixed labeling the app is labeled on the basis of both site based and scanner based labels.After labeling all the samples are divided into three datasets and requested permissions of these datasets are analyzed by the machine learning algorithms such as Naive Bayes, AdaBoost, Support Vector Machine and Decision Tree [32].On the basis of results generated by these classifiers we can evaluate the performance of permission based detection method.in [31] authors have performed experiment on data set of 124,769 benign and 480 malicious apps.They analyzed the performance of permission based detection of malware and showed that more than 81% of malicious apps samples can be detected by the permission based detection method.Proposed method provides the quick filter for malware detection but the performance values generated by the classifiers are not perfect and we cannot completely rely on those results.Sanz Borja et al. [33] presented PUMA for detection of malicious apps by analyzing the requested permissions for application.They used permission tags such as <uses-permission> and <uses-features> present in AndroidManifest.xmlfile to analyze the malicious behavior of apps and applied different classifier algorithms on dataset of 357 benign apps and 249 malicious apps.The solution provides high detection rate but results generated have high false positives rate also it is not adequate for efficient detection of malware it still requires information related to other features and dynamic analysis.
Shin et al. [34] used a state machine based approach and formally analyze the permission based Android security model.They also verified that the specified system satisfy the security property.
Tang, Wei et al. [35] proposed a Security Distance Model for mitigation of Android malware.Security Distance Model is based on the concept that not a single permission is enough for an application to threaten the security of Android devices.For example an application requesting permission READ_PHONE_STATE can access the phone number and IMEI but it cannot move data out of the device.There must be a combination of permissions to affect the security model of device such as INTERNET permission allows to concept the device with the network and will be needed to move data to some remote server.The SD measure the dangerous level of application on the basis of permissions requested by the app.Authors classify the combinations of permissions into four groups and assigned threat points (TP) to each group such as TP-0, 1, 5 and 25 to Safe SD, Normal SD, Dangerous SD and Severe SD.Before the installation of new application it calculates the threat point from the combination of permissions requested by the application.That helps the user to get aware of more dangerous permissions while installation of app.It can easily detect the unknown malwares with very high threat points.They found 500 threat points for the Geinimi malware which is a very clear variation from benign apps.A limitation of this solution includes that applications with threat points between 50 and 100 are not easy to identify as benign and malware.They could be the benign apps with such permission combinations or malwares.
Enck et al. [36] developed KIRIN, a tool that provides light weight certification at installation time.It defines the security rules and simply compares the requested permissions of app with its security rules and certifies the app as malware if it fails to pass all the security rules.The installation of app is aborted if the app is attributed as malware.Authors have tested 311 applications downloaded from official Android market and found that 5 applications failed to pass the specified rules.Proposed solution is light weight as it only analyzes the Menifest.xmlfile.The limitation of KIRIN includes that it may www.ijacsa.thesai.orgalso declare some legitimate applications as malware because the information provided for application certification is not adequate for detection of malware.
DroidMat [37] is a tool that extracts the information from manifest file such as permissions, message passing through intents and API call tracing to analyze the behavior of application.It applies K-means clustering that increases the malware detection capability and classify the applications as benign or malware by using KNN algorithm [38].It is more efficient than Androgaurd [39] as it takes lesser time to identify the 1,738 apps as malware or benign.Also it is cost saving as it doesn"t require dynamic simulation and manual efforts.But as a static based detection method it cannot detect the malwares which dynamically load the malicious content such as DroidKngFu and BaseBridge.

 Limitation of Permission Based Detection: Permission
based detection is a quick filter for the application scanning and identifying that whether the application is benign or malware but it only analyses the manifest file it do not analyze other files which contain the malicious code.Also there is very small difference in permissions used by the malicious and benign apps.Permission based methods require second pass to provide efficient malware detection.

3) Dalvik Bytecode Analysis:
In Android, Dalvik is a register-based VM.Android apps are developed in java language, compiled in java bytecode and then translated to dalvik byte code.Bytecode analysis helps us to analyze the app behavior.Control and data flow analysis detect the dangerous functionalities performed by malicious apps.
Jinyung Kim et al. [40] developed SCANDAL, a static analyzer that analyze the dalvik byte code of applications and detects the privacy leakage in applications.It determines the data flow from information source to any remote server.Dalvik bytecode contains branch, method invocation and jump instructions which alters the order of execution of code and obfuscates the code.During execution, the possible paths that an application can take can be identified by the Bytecode analysis.In [40] Authors have examined 90 applications from Android official market and 8 malicious applications from third party market place.They found privacy leakage in 11 Google market applications and 8 third party market applications.There is a need of performance optimization techniques to implement as SCANDAL consumes more time and memory for analysis of application.Also it does not support the applications which use reflections for data leakage.In the SCANDAL authors have implemented reflection semantics manually to detect the privacy leakage in malicious apps taken from black market.Karlsen et al. [41] presented the first formalization of Dalvik Bytecode along with java reflective features.They examined 1700 popular Android Apps to determine what Dalvik Bytecode instructions and features are mostly used by the Android Apps.Such formalization helps to perform control and data flow analysis in order to detect the malicious apps or to identify the sensitive API calls invoked during execution.It supports the dynamic dispatch and reflective features.But it requires extension in analysis of concurrency and reflection handling.
Zhou et al. [42] implemented DroidMOSS that extract the Dalvik Byte code sequence and developer information of application by using baksmali tool [43] and generate finger prints for each app by using fuzzy hashing techniques to create the fixed sized 80 byte signature to detect the repackaged applications.On the basis of similarity score it identifies the repackaged apps.Authors have applied DroidMOSS to test 200 samples from six different third party market places and detected that 5% to 13% apps were repackaged.The proposed solution cannot detect the repackaged apps if the original app is not present in database.Also because of limited database most of the malwares remains undetected.Google play store may also contain malwares.The limitation of this solution also includes that they have assumed all the Google Play apps as legitimate apps and then matched the signature of the apps taken from other app store to detect the repacked apps.
DroidAPIMiner [44], build upon Androgaurd [39], identifies the malware by tracking the sensitive API calls , dangerous parameters invoked and package level information within the bytecode.To classify the application as benign or malware it implements KNN algorithm [38] and detected up to 99 % accuracy and 2.2% false positive rate.
Fuchs et al. [45] presented SCandroid which analyze the Android application statically as they are installed and performs data flow analysis to checks whether the data flow through the applications is consistent or not.On the basis of data flows it declares the application as safe to be run with requested permissions.Authors use it as a security certification tool for Android apps.
Many researchers worked on conversion of Dalvik bytecode to Java bytecode and then performed static analysis on java code to detect the malicious behavior of the app.ded [46] and Dare [47] are the tools used for conversion of dalvik bytecode into java bytecode.These tools are also useful when developers don"t distribute the java source code, in such case one must analyze the source code to detect the malware through static analysis.Dexpler tool [48] converts the Dalvik bytecode into Jimple code which is used by static analysis framework named Soot [49].It makes the Soot to read the Dalvik Bytecode directly and perform the static analysis without converting Dalvik bytecode into java bytecode.Well known static analysis framework used by researchers is WALA which perform static analysis on java bytecode to detect privacy leakage within malicious apps [50].
Chin et al. [51] presented a tool named ComDroid that detect the communication based vulnerabilities among Android apps.They have analyzed 20 samples and detected 34 exploitable vulnerabilities among 12 applications.It uses Dedexer tool [52] to disassemble the dex files in the app.It performs the static analysis on Dalvik files, analyzes the permissions listed in the manifest.xmlfile of the app, performs intraprocedural analysis and examines the Intents of the apps to detect the communication vulnerabilities  Limitations of Dalvik Bytecode Detection: In this method analysis is performed at instruction level and www.ijacsa.thesai.orgconsumes more power and storage space.As the android devices are resource poor so they limits this detection approach.

B. Dynamic Approach
Dynamic analysis examines the application during execution.It may miss some of the code sections that are not executed but it can easily identify the malicious behaviors that are not detected by static analysis methods.Although static analysis methods are faster to malware detection but they fail against the code obfuscation and encryption malwares.
In [53] , Egele provided a detailed overview of different dynamic analysis methods used for discrimination between malware and benign apps.Dynamic analysis approach is effective against polymorphic and metamorphic code obfuscation techniques employed by the malwares [54] but it requires more resources.

1) Anomaly Based Detection
Iker et al. [55] proposed CrowDroid to detect the behavior of applications dynamically.Details of system calls invoked by the app are collected by the Strace tool [56] and then crowdsourcing app, which is installed on the device, creates a log file and sends it to remote server.Log file may include the following information: Device information, apps installed on device and system calls.2-mean clustering algorithm is applied at server side to classify the application as malware or benign.Results are stored at server database.The solution provides deep analysis and thus require large amount of resources.The solution requires client app to be installed on the user" device and may classify the legitimate app as malware if it invoke more system calls.Shabtai et al. [57] proposed Andromly , a behavior based Android malware detection system.In order to classify the application as benign or malware it continuously monitor the different features and patterns that indicate the device state such as battery level, CPU consumption etc. while it is running and then apply the machine learning algorithms to discriminate between malicious and Benign apps. the solution can detect continuous attacks and can notify the user about these attacks.
AntiMalDroid [58], a malware detection framework using SVM algorithm is proposed by Zhao, can identify the malicious apps and their variants during execution.First it monitors the behavior of applications and their characteristics then it categorize these characteristics as normal and malicious behavior.Then it puts the two types of characteristics into learning module and generates the signatures for the behavior characteristics, produced by learning module.Then it store the signature in database and compare it with the already existing malware and benign app signatures.It classify the app as benign if the signature matches with already existing benign app" signatures.The solution can extend the signature database dynamically and can provide high detection rate.But it consumes more time while detection process.

2) Taint Analysis
Enck et al. [59] proposed TaintDroid which provides system-wide information flow tracking for Android.It can simultaneously track multiple sources of sensitive data such as camera, GPS and microphone etc. and identify the data leakage in third party developer apps.It labels the sensitive data and keeps track of that data and app when tainted data leaves moves from the device.It provides efficient tracking of sensitive information but it do not perform control flow tracking.Also it cannot track information that leaves deice and returns in network reply.

3) Emulation Based Detection
Yan et al. [60] present Android dynamic analysis platform DroidScope, based on Virtual Machine Introspection.As the antimalware detect the presence of malwares because both of them reside in the same execution environment so the malwares also can detect the presence of antimalware.DroidScope monitors the whole operating system by staying out of the execution environment and thus have more privileges than the malware programs.It also monitors the Dalvik semantics thus the privilege escalation attacks on kernel can also be detected.It is built upon QEMU.DroidDream and DroidKungFu [61] were detected with this technique.
Blaising et al. [62] proposed Android Application Sandbox (AASandbox) which detect the suspicious applications by performing both static and dynamic analysis on them.It first extracts the .dexfile into human readable form and then performs static analysis on application.Then it analyzes the low level interactions with system by execution of application in isolated sandbox environment.Actions of application are limited to sandbox due to security policy and do not affect the data on device.It uses Money tool to dynamically analyze the application behavior which randomly generates the user events like touches, clicks and gestures etc. it cannot detect the new malware types.

V. PERFORMANCE EVALUATION & ANALYSIS
In this section, we evaluate the performance of different parameters and provide a comprehensive comparison of different attributes.Table 2 provides the limitations of the static and dynamic approach of the malware detection.The malware detection through static analysis and dynamic analysis is provided in Table 3 and Table 4 respectively.

Permission based detection
May consider benign app as malicious because of very small difference between permissions requested by both types.
Dalvik bytecode detection More power and memory consumption.

Anomaly detection
Incorrect if a benign app shows same behaviors e.g., invoke more API calls or consumes more battery and memory.
Taint Analysis Not suitable for real time analysis Reduce performance.20 times slowdown system Emulation based detection More resource consumption.www.ijacsa.thesai.org On the basis of their working techniques we have deduced major limitations and benefits for each detection mechanism.The popularity of Android operating system is increasing tremendously.The yearly records, presented by IDC [3], show that Android OS market shares in second quarter (2Q) of 2015 are 82.8%,which is 2% decrease from the 2Q 2014.If the value remains the same till the end of year and keep on decreasing every year with the same rate then we can expect that in 2018, the Android market shares will drop to 76.8%.According to same record, the Android shares have increased 5% in 2014 from previous year.If it keep on increasing with the same rate and increases up to 89.8% till the end of 2016 then we can say that the Android shares will grow up to 99.9% in 2018.Furthermore, it is predicted that the market shares of the Android will be on average 88.4% in 2018.The estimations and future predictions of the Android market are computed and plotted in Figure 5.It should be noted that with the increased usage of the Android based devices, the number of malwares attacking Android is increasing at an exponential rate.In 2015, number of Android malwares spiked to 7.10 million.This figure is 2.84 million more than the previous year [8][9].If the malware growth keeps on increasing with the same ratio, it is expected that this number will be increased up to 15.8 million in 2018.The malware growth trends are predicted and estimated values are provided in Figure 6.
In contrast to malwares, the antimalware have been designed and developed in a wide range in order to protect the devices.It is inferred that an antimalware using static approach is less efficient in detecting the malicious contents that are loaded dynamically from remote servers.Although, the dynamic approach is efficient as it keeps on monitoring the application and able to detect the malicious content at execution time.However, the portions of malicious code that are not executed remain undetected.It is believed that any single security solution in Android cannot provide full protection against the vulnerabilities and malwares.It is better to deploy more than one solution simultaneously for example, a hybrid of two approaches, i.e. static and dynamic.The hybrid approach will first statically analyze the application and will then perform dynamic analysis.This hybrid solution may be an expensive method to apply because of the limited available resources such as battery, memory etc.However, the limitation of this hybrid solution can be addressed in twofold.Firstly, the static analysis can be performed locally on the Android device; and afterwards, the dynamic analysis could be performed in a distributed fashion by sending the malicious activity or event in the form of a log file to a remote server.The remote server can perform the dynamic analysis quickly and efficiently as the server will have enough resources to perform dynamic analysis and can generate rapid responses against the application behavior and the user can be instantly notified.However, this hybrid solution needs more investigation and is subject to the design tradeoffs.The future works will focus to develop such hybrid antimalware to provide better security for android devices.

VII. CONCLUSION
In this paper, the malwares and their penetrations techniques have been thoroughly analyzed.The antimalware are categorized on the basis of detection methods they use.A detailed performance evaluation of these antimalware

Growth
Percentage www.ijacsa.thesai.orgtechniques is also provided and the benefits and limitations of these antimalware are deduced comprehensively.At the end, a concept of hybrid antimalware is presented which will address the limitations of existing static and dynamic approaches.In future, it is aimed to implement the proposed hybrid solution which will be a generic antimalware that will provide better security for Android devices by firstly statically analyzing the Android applications on local device and then it will perform dynamic analysis on a remote antimalware server.This will consume very small amount of memory space on the device and the battery consumption will also be low as all dynamic analysis will be performed at the remote server.

Fig. 2 .
Fig. 2. Android Malware Growth II.ANDROID MALWARE ANALYSIS Wide range of malwares has been detected and the number of malwares are increasing every year.According to TrendMicro, malwares have increased to 7.10 million in first half (1H) of 2015 [8][9].Figure 2 shows the increased number of Android malwares over the years.The behavior of different malware families is provided in subsequent sections.

TABLE I .
TOP ANDROID MALWARE TYPES IN 2015

TABLE II .
LIMITATIONS OF STATIC AND DYNAMIC APPROACHES

TABLE IV .
MALWARE DETECTION THROUGH DYNAMIC ANALYSIS OS www.ijacsa.thesai.org