A Survey on Security for Smartphone Device

The technological advancements in mobile connectivity services such as GPRS, GSM, 3G, 4G, Bluetooth, WiMAX, and Wi-Fi have made mobile phones a necessary component of our daily lives. Mobile phones have also become smart, which lets users perform routine tasks on the go. However, this rapid advance in technology and the tremendous usage of smartphones make them vulnerable to malware and other security-breaching attacks. The diverse range of mobile connectivity services, device software platforms, and standards makes it critical to look at the holistic picture of the current developments in smartphone security research. In this paper, our contribution is twofold. Firstly, we review the threats, vulnerabilities, attacks and their solutions over the period of 2010-2015 with a special focus on smartphones. Attacks are categorized into two types, i.e., old attacks and new attacks. With this categorization, we aim to provide an easy and concise view of different attacks and the possible solutions to improve smartphone security. Secondly, we critically analyze our findings and estimate the market growth of different operating systems for the smartphone in coming years. Furthermore, we estimate the malware growth and forecast the world in 2020.

Keywords: Smartphone Security; Vulnerabilities; Attacks; Malware


I. INTRODUCTION
Smartphone usage has risen significantly in recent years, as smartphones provide users with several services such as phone calls, Internet services, sharing data, keeping data, off-line games, online games, and some entertaining online/off-line applications. Because smartphones provide such a wide range of services, they are also saddled with challenges such as security and privacy. Since most of the operations smartphones perform are on the Internet, it is necessary to ensure the security and safety of data and information. For smartphone authentication, a pattern password, code password, PIN password, or face unlock can be used [1]. But these authentication methods are not highly secure, because such measures can be penetrated by brute forcing and guessing.
Critically, a lot of malware, viruses and Trojans have been developed that are based on smartphone APIs (application program interfaces), and most of them look like safe software; some reliable applications (Gmail, Facebook, etc.) collect user information such as geolocation through the smartphone's GPS service without the user's knowledge [2]. There are many smartphone operating systems available, such as Android, iOS, Microsoft Windows Phone, Symbian and BlackBerry [1]. Android is a widely used smartphone operating system with better performance than other smartphone operating systems. Android OS is based on the Linux operating system architecture. The desktop and smartphone versions of such operating systems are very different, especially in user interfaces and system architecture. Using smartphones, one can connect to the Internet, instantly communicate with friends and partners, and browse data/information from the world wide web [3]. Now, smartphones pair mobile phones with other devices such as PDAs (personal data assistants), high definition cameras, media players, GPS navigation units and other data storage and processing devices. Even the earlier mobile devices came with 3G and 4G compatibility, but in the last decade such devices have transformed into mobile computers with touch screens and laptop capabilities, and they can browse the Internet using wireless networks and 3rd party applications.

In the 3rd quarter of 2012, more than one million smartphones were in use [2]. According to Gartner Inc., worldwide sales of mobile phones declined 3%, and smartphone sales increased by 47% in the 3rd quarter of 2012 [4]. In November 2012, 821 million smart devices were purchased in 2012 and 1.2 billion were sold in 2013 [5]. In August 2013, smartphone sales increased, and the growth was 46.5% [6]. Some reports state that China has the highest number of smartphone users (519 million in 2014) [7]. The United States comes 2nd with 165.3 million users and India 3rd with 123.3 million users.

A. General Architecture of Smartphones
Smart devices combine mobile phones with a platform that offers rich connectivity and powerful computing capability. Therefore, a smartphone has the necessary modules of computing platforms, operating systems, third-party applications and smartphone hardware architectures, as shown in [8]. Unlike Android, the iOS operating system works only on iPad, iPhone, and iPod devices. To manage all operating systems and devices, the OS provides the necessary technology, interfaces and support to implement new applications that meet a variety of smartphone user needs.
The applications allow smartphone users to control their devices by interacting with the operating system; through such interaction, users can access and control data communication interfaces and services. On the other hand, the operating system can access user data and communicate directly with other services as well as devices. In general, the operating system can only access hardware directly, but its access to the user's data might result in user information being compromised, and the information on the smartphone can be abused by attackers just as in attacks on computers, such as viruses, Trojans, etc. The user data or information is the most valued property of smartphones. As discussed earlier, besides communication, smartphones connect to several other electronic devices such as computers and even servers through the Internet. Data is usually retrieved without the user's knowledge through applications infested with malicious code or programs [8].

B. Structure of Smartphones Operating System
There are many operating systems for smartphones. In this part, we discuss the Android, iOS, Windows Phone and Symbian operating systems.

Android: Android is an open source mobile operating system which is based on the Linux OS kernel and was launched by Google. Android contains four layers: kernel, libraries, Android Runtime and Application framework. The application layer consists of all Android applications, including email, SMS program, instant messaging, browsers, contacts and various other applications whose list of names is longer than a few pages [9] [10]. According to the authors in [11] and [12], the application framework layer recognizes all Android applications. The libraries layer is divided into two parts: the Android library and the Android runtime library. The Android runtime combines the assets of the Java Virtual Machine and the Dalvik machine. The Android library is written in C/C++.
iOS: iOS is an operating system for Apple devices developed by Apple Inc. One obvious example is the iPhone, which was released in 2007. Now, the iPhone is one of the larger competitors for smartphone market share. Applications for Apple phones need a computer running Mac OS [13]. Like Android, the new iOS has been developed for third parties to overcome the capability limitations of the platform [14].
Windows Phone: Microsoft Corporation developed the Windows Phone operating system. In November 2011 [15], many devices were built for this OS, including the Nokia Lumia 800 and HTC Titan. After one year, Windows became the fourth most widely used operating system on smartphones. Windows uses a security model like that of the Android operating system.
Symbian: PSION was established in 1980, before Symbian. In 1990 [16], Symbian was created by Psion, Nokia, and Motorola. After that, some other vendors joined this corporation, such as Sony Ericsson and Siemens in 2002. The first Symbian mobile platform was released in 2000 (Ericsson R380); Nokia then announced a couple of versions (like the Nokia N series). Symbian was developed in C++.
Almost all smartphone OSs provide mechanisms for users to enhance the security of their devices through certain login mechanisms. However, more than 30% of mobile phone users do not use a PIN on their phones. On the other hand, the amount of high-value content stored on the phone is rapidly increasing, with mobile payment and money transfer applications as well as enterprise data becoming available on mobile devices [17]. The statistical data obtained from sources [18] and [19] have been computed and represented in Table 1. To understand the existing security problems that affect smartphones, we examined the threats, vulnerabilities, and targeted attacks on smartphones and studied security solutions to protect them. Attention has also been paid to authentication issues, data protection and privacy issues. In this study, the review of related literature covers the period of 2010-2015, concentrating on smartphone vulnerabilities (issues that cause the attacks) and attacks (old and new attacks).
The paper is organized as follows. Section II introduces some background ideas and previous studies regarding the authentication problem, data protection and privacy, smartphone vulnerabilities, and attacks. The smartphone attacks are divided into two categories: old attacks and new attacks. Section III evaluates the related works discussed in Section II. In that section, we summarize the old and new attacks, the causes of attacks (vulnerabilities), their impact, and solutions to protect smartphones. Section IV is a discussion, in which we discuss some open issues and possible future problems of smartphones in the IoT (Internet of Things). Finally, Section V draws some conclusions.

II. SMARTPHONE PROBLEMS
Smartphones have powerful hardware, advanced operating systems, the latest applications, and increasing capabilities and functionality, but the increase in security threats to smartphones has become a prominent issue. Other features of the smartphone, such as broad bandwidth accelerators of the Internet and multiple peripheral interfaces, also contribute to spreading viruses over the network. Multi-connectivity carries high risk and makes it easier to transmit viruses, which may aggravate threats [20] [21]. The security challenges in the mobile environment are similar to the problems encountered in the personal computer world. A threat means a possible destruction of smartphone security. Smartphone problems can be categorized into four categories: Authentication, Data Protection and Privacy, Vulnerabilities and Attacks. Fig. 1 shows this categorization of smartphone security problems.

Fig. 1. Categorization of smartphone security problems. Labels: Smartphone; Authentication [2]; Attacks [30]; Data Protection and Privacy [28]; New Attacks; Old Attacks; Physical Attacks; Backdoor [37]; Virus [39]; Worms [39]; Malware [43]; Trojan [40].

A. Authentication in Smartphones
Authentication can be achieved using one of the following three methods. The first is to use what the user knows, such as a PIN or password. The second is to use what the user has, a certain code such as a token. The third is commonly known as biometrics. After introducing the general architecture of the smartphone and its main parts or assets, we classify the smartphone's security threats and vulnerabilities. In the study [2], the authors proposed a hierarchical security framework that consists of hardware, operating system, application, user data, and communication security.
Wei-Han proposed a multi-sensor-based system for smartphones to achieve implicit authentication. The system continuously learns the user's behavior patterns and setting, allowing the user to use the phone without disturbing the user's actions. This approach also has the capability to update the user model. The experiment shows that the model requires only 10 seconds to run and 20 seconds to detect an abnormal or fake request. The level of accuracy achieved by this model can reach up to 90-95% [22].
Zahid et al. [23] proposed a user identification system that monitors mobile phone users' keystrokes to dynamically distinguish authentic users from impostors. The authors used a custom data set of 25 users to demonstrate the suggested system. It gives an error rate lower than 2% after the detection mode, and a rate of nearly zero after PIN authentication. They also compared their approach with five existing state-of-the-art procedures for identifying users by keystroke.
The authors in [24] suggested TAP (Typing Authentication and Protection), a virtual-key-based typing system for smart devices. TAP improves mobile security in two stages: the first is the login stage and the second is the post-login stage. In the first stage, TAP checks biometric information and hand morphology to secure the user's identity. In the second stage, TAP checks the user's dynamic behavior on the TAP virtual keys. The experiments demonstrated that TAP preserves security and usability for smartphone devices.
Chine-Cheng et al. suggested a non-intrusive authentication method that uses information collected from the orientation sensor of mobile devices. It is a new tactic: each user operates the smartphone in a unique way, and the orientation sensor captures this type of behavioral biometric. They use stepwise linear regression to select the feature set for each user. For classification, they used the k-nearest neighbor algorithm. The experimental results show an equal error rate of about 6.85% for the suggested method. Their authentication model delivers satisfactory performance with 3 to 8 different end users. The authors conclude that the non-intrusive mechanism can be used with the intrusive mechanism. For example, a PIN or password can be used with biometrics (fingerprints) to increase the security of smartphones [25].
Morris worked on combining traits from three different biometric methods, i.e., hand-written signature, face, and speech modalities. He reported an authentication accuracy on a mobile device that would be acceptable for a wide range of applications [26]. According to Gobbo et al. [27], the SIM allows the user to access the network and performs user registration and device authentication. Without a valid SIM module and a successful verification, mobile devices do not have access, so traffic cannot be injected into the mobile infrastructure. Firstly, a collection of SIM-enabled resources is needed to launch an attack without disrupting users or risking discovery; secondly, devices that are not owned by naive users can be used to take part in the attacks as botnet nodes.
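As an added illustration (not code from this survey or from [25]), the Python example below shows how a k-nearest-neighbor verifier of the kind described above is scored and how an equal error rate is read off, and why a behavioral score is usefully paired with a PIN. The feature vectors (mean pitch and roll), the mean-distance score with k=3 and the step-up policy are assumptions made for the example; the stepwise feature selection step is omitted.

```python
"""k-NN behavioural-biometric verifier with equal-error-rate (EER) evaluation.

Added illustration. All feature vectors are constructed sample data: each is
(mean pitch, mean roll) in degrees, an assumed summary of orientation-sensor
readings taken while the phone is in use.
"""
import math

# Enrolment templates recorded from the legitimate owner (constructed).
ENROLLED = [(40, 5), (42, 6), (41, 4), (39, 5)]
# Later sessions by the owner; the last one is an atypical grip (constructed).
GENUINE_PROBES = [(40, 6), (41, 5), (43, 5), (46, 9)]
# Sessions by other people; (44, 7) holds the phone much like the owner does.
IMPOSTOR_PROBES = [(55, -3), (30, 12), (44, 7), (60, 0)]


def knn_score(sample, enrolled, k=3):
    """Mean Euclidean distance to the k nearest templates (lower = closer)."""
    dists = sorted(math.dist(sample, t) for t in enrolled)
    return sum(dists[:k]) / k


def far_frr(genuine, impostor, threshold):
    """A session is accepted when its score <= threshold.

    FAR = fraction of impostor sessions accepted,
    FRR = fraction of genuine sessions rejected.
    """
    far = sum(s <= threshold for s in impostor) / len(impostor)
    frr = sum(s > threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a threshold and return (eer, threshold)
    at the first point where FAR and FRR are closest to each other."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, (far + frr) / 2, t)
    return best[1], best[2]


def zero_far_threshold(genuine, impostor):
    """Largest genuine score that is still below every impostor score,
    i.e. the loosest threshold that accepts no impostor in the test set."""
    floor = min(impostor)
    below = [g for g in genuine if g < floor]
    return max(below) if below else None


def scores(k=3):
    """Score the constructed genuine and impostor sessions."""
    genuine = [knn_score(p, ENROLLED, k) for p in GENUINE_PROBES]
    impostor = [knn_score(p, ENROLLED, k) for p in IMPOSTOR_PROBES]
    return genuine, impostor


def evaluate(k=3):
    """EER and its threshold on the constructed data."""
    return equal_error_rate(*scores(k))


def verify(sample, threshold, k=3):
    """Single-threshold decision, as used when quoting an EER."""
    return knn_score(sample, ENROLLED, k) <= threshold


def decide(sample, silent_threshold, k=3):
    """Assumed step-up policy: unlock silently only below the zero-FAR
    threshold, otherwise fall back to the intrusive factor (PIN)."""
    if knn_score(sample, ENROLLED, k) <= silent_threshold:
        return "accept"
    return "ask_pin"


if __name__ == "__main__":
    eer, thr = evaluate()
    silent = zero_far_threshold(*scores())
    print(f"EER = {eer:.2%} at threshold {thr:.3f}")
    for probe in GENUINE_PROBES + IMPOSTOR_PROBES:
        print(probe, "EER-threshold accept:", verify(probe, thr),
              "| step-up policy:", decide(probe, silent))
```

At the EER threshold the look-alike session (44, 7) is accepted, while the step-up policy sends both it and the owner's atypical session to the PIN prompt.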

B. Data Protection and Privacy
Boshmaf et al. [28] address the problem of data protection from a user-centered perspective and analyze users' need for data protection on smartphone systems. The authors outlined the types of data that users want to protect; they also investigated the practices of current users in protecting such data and showed how the security requirements vary across different types of data. They report the results of an exploratory user study in which 22 participants were interviewed. Overall, it was found that users want to protect the data on their smartphones but find it inconvenient to do so in practice using the solutions available today.
Muslokhlove presents the problems of data protection against physical threats and the possibility of overcoming weak authentication. In that study, users' data protection requirements are highlighted through interviews and survey studies. Finally, the author concludes that approaches for detecting malicious data access do not provide enough security, since several vulnerabilities remain, although these approaches are good for data traffic. Upgrading the lock screen system to support authentication and user accessibility and to provide suitable security will increase user confidence and the safety of smartphones [29].
Ghosh et al. worked on privacy and the protection of user data using semantic reasoning and user context modeling. In this work, the authors state that the privacy of users and smartphones is protected under this framework using embedded semantic policies that are based on the user's privacy and settings [30]. Kodeswaran et al. [31] presented a framework to enforce privacy policies on smartphones and to protect enterprise data. The authors defined their privacy policies in terms of acceptable information flows on mobile devices. The flow of information depends on the objects involved in the IPC (Inter-Process Communication) and its data. They described their policy-based framework design for the Android platform and showed measurement results from running the framework.

C. Vulnerabilities
There are many attacks and vulnerabilities in smartphones, as shown in Fig. 1. According to [32], smartphones have many vulnerabilities that can lead to insecurity or be exploited by malicious attackers to create attacks. Smartphone vulnerabilities include the following: system faults/defects, insufficient management of applications, insecure wireless networks and lack of user awareness.

• System Fault / Defects
It is impossible for a smartphone to avoid both hardware and software defects. Such defects are only revealed after the device is used. Some defects can be observed/identified sooner and some later. A software defect can easily be corrected, but hardware faults may cause irregularities and can be rectified by changing the hardware or the device architecture. Such defects can be exploited by attackers to initiate attacks on smartphones.

• Insufficient Management of Apps
The most distinctive feature of smart devices is their flexible APIs, which are mostly used for application development. However, deficient API management is responsible for many malicious code infections. Thus, API mismanagement is a main reason for malicious code attacks. APIs are classified into open APIs, used for third-party application development, and controlled APIs, used for remote maintenance. Controlled APIs have higher privileges for updating the system, destroying files, and fetching information. If attackers gain control of the APIs, they can easily initiate attacks and exploit the privileges of the APIs [32] [33].

• Unsecure Wireless Network
In wireless networking, we use Wi-Fi technology, Bluetooth, cellular networks and GPS to connect to a network or the Internet. On any network device, a hacker can retrieve or fetch the packets on the network. This is a vulnerability, and we can overcome it by using encryption/decryption in communication.

• Lack of User Awareness
User awareness of security is important at all times, especially when the smartphone is connected to the Internet for installing an unknown application or downloading data from insecure sources. There are many applications available online that look like a legitimate source, but their save button is linked to malicious code. Also, wireless and Bluetooth interfaces can be activated secretly. Wi-Fi Protected Access 2 (WPA2), based on IEEE 802.11i, is a new security protocol ensuring that only authorized users can access the network [32].

D. Attacks of Smartphone
Attacks are common on all computing devices and smart devices such as smartphones, tablets, etc. In the following, we explain important attacks on smartphones. The attacks are classified into two categories:

• Old Attacks
In this category, the most common attacks are discussed. It includes physical attacks, viruses, worms, Trojans, malware, etc.
Physical Attacks: Smartphones and tablets are easily lost or stolen. Sensitive data can then be accessed and manipulated directly. Physical attacks also damage fallen or covering harmful disposals.

Radio and Wireless Network Attacks: Because wireless communication is openly accessible, intruders can create wireless network attacks, which can be grouped into active attacks (spoofing, corrupting, blocking and modifying) and passive attacks (sniffing and eavesdropping). In passive eavesdropping, information is captured by malicious nodes listening to the message communication in the broadcast wireless medium. Attackers also create fake Wi-Fi networks for other users to connect to; thus, common advice for smartphone users is to be aware of which networks they are connecting to and using and, if a wireless network appears to be fake, to disconnect immediately. It is also good practice to switch off Wi-Fi sensors [34].
Jermyn and Zonunz [35] studied DoS attacks on LTE and the MAC uplink scheduler that cause several attacks. They state that such attacks depend on the QoS (Quality of Service) requested by the clients. The authors demonstrated the feasibility of the suggested attacks on an Android-based simulator. C. Guo et al. [36] warn about the dangers of potential smartphone attacks on telecommunication infrastructure, with damage that can range from invasion of privacy and identity theft to harassment of emergency centers that can result in a state of crisis. The authors outline various defensive strategies, many of which require a lot of research. It is also suggested that system architects concentrate on Internet insecurity when bringing new hardware onto the Internet.
Backdoor: A backdoor allows attackers to establish a connection with their network while evading detection [37]. Research has revealed many uses of backdoors in targeted attacks. Backdoors result mainly from system bugs and the exposure of controlled APIs. Some smartphones come with insufficient authentication, based on these vulnerabilities. A backdoor gives the attacker access that bypasses normal security [38]. Examples are Netcat and Virtual network security.
Virus: A virus infects executable files, boot sectors and normal files such as word processing documents, PDFs, etc. The virus replicates itself in files, consuming the capacity of the system. Viruses also link to unknown sources, for example installing software without a request from the user [39]. Cheng and Lu [40] introduce a virus detection and alert system for smartphones. This system detects viruses from information about communication activity. They study the unusual behavior of the smart device, develop the SmartSiren system, and present results showing that the developed system avoids viruses effectively with reasonable overhead.
Worms: Worms are programs that transfer copies of themselves from one device to another using different transport mechanisms throughout the network, without user intervention [39] [41] [42].
Malware: Malware attacks harm smartphones when an attacker creates an application and offers it to a user to download, but that application is malware. Malware constitutes a serious security threat that slows down large-scale wireless application development. Sometimes data can be damaged once malware is accepted or installed [43] [44] [45].
Shabtai et al. suggested a framework (a host-based malware detection system) that observes features and events acquired from smartphones and then applies machine-learning anomaly detectors to categorize the data as normal or abnormal [46]. Peng [44] provides a study of malware, including the advancement of mobile malware, related concepts, and the risk of infection vectors. This article shows that the diversity and complexity of mobile malware pose a major challenge for modeling the containment of malicious software.
In [47], the authors suggested assessment criteria to evaluate the development of smartphone malware. They provide a comparative analysis of case studies in which the progress of malware detection and distribution concept of location data is attempted on current smartphone platforms [47]. E. Gelenbe and R. Lent [48] propose a taxonomy of malware attack vectors to better understand Android malware and the ways attackers infect smartphones, and describe a component of the NEMESYS project responsible for the detailed examination and detection of Android malware. The NEMESYS infrastructure is intended for understanding and detecting attacks on networks and smartphones.
To examine the existing development of malware on smartphone platforms by average programmers who have access to the functional tools and libraries of the smartphone, the research in [26] [49] suggests specific evaluation criteria that measure the level of security of common OSs such as Android, Apple iOS, BlackBerry, Windows Phone and Symbian in terms of malware development, and gives a comparative analysis based on the proof of the study. However, this proof would not stop the ease of developing malware attacks on all smartphones. Finally, they suggested solutions against that malware: (a) users should be aware, and (b) providing or using safe applications.
Trojan: A Trojan is a program that is mostly useful but has hidden malicious functionality. Its purpose is to sneak into the system without the knowledge of the administrators [43] [50]. Smartphones are becoming more complex and more capable, providing more functions, and concern is growing about security threats to smartphone users. Smartphones use the same software architecture as personal computers, so they are susceptible to the same classes of security hazards, such as viruses, Trojans and worms [51]. Houmansadr et al. [51] suggest a cloud-based smartphone-specific intrusion detection and response engine, which continuously performs a detailed forensic examination of the smartphone to notice any misbehavior. When misbehavior is detected, the suggested engine decides upon and takes optimal response actions to stop the ongoing attacks.
Spam: Spam can carry malware attachments, appended to electronic mail and MMS messages that reach smartphones. When a user opens such an attachment, which appears to be a normal attachment, the smartphone can be infected by malicious code such as Trojans, worms, etc. Attackers manipulate smartphone zombies by sending junk messages, and those messages are used as a door by the attackers to compromise smartphones [36] [52].
Xu and Zhu studied the possibility of launching attacks and spam from installed Trojan applications that abuse the customized notification service. Experimental results are presented, showing the feasibility of the attacks on four major smartphone platforms. The authors also present an approach to stealthy spam content delivery that can help in identifying Trojan applications that bypass the review process of app stores. To counter the proposed attacks, they propose the design principles of Semi-OS-controlled notification views, a safe framework for view authentication, and a notification logging service for reviewing notifications [53].
Threat: Delac et al. [54] present the threats and study the threat mitigation mechanisms in depth. They present an attacker-centric threat model for smartphones. They evaluate attack vectors and strategies and give a security model for the two main smartphone operating systems, Android and iOS.

• New Attacks
In this category, new types of network or system attacks are discussed. It includes brute force, DoS, smudge attacks, etc.
Relay Attacks: It involves only future applications on mobile phones. Elements and application access security relays APDU command interface / response network (GSM, UMTS, and Wi-Fi). Attackers can use victims' secured as if they have their physical possession. The relay application can access additional resources (address book, keyboard, etc.) [55]. In article [56], peer-to-peer communications in NFC (Near Field Communication) are being considered for a variety of applications, including payment. Relay attacks are a threat and can circumvent security measures and encryption/decryption using temporary contracts. The authors' contributions in this work include the implementation and practical demonstration of the first relay attack using NFC mobile platform technology. They show that an attacker using NFC can create a proxy through the development and installation of software (without hardware changes), a MIDlet suitable for mobile devices. The attack does not involve any code validation and software to be installed on the insurance program. It also uses ordinary, readily accessible APIs such as JSR 257 and JSR 82, so countermeasures are needed. Such attacks can be controlled effectively using the location-based solutions discussed in [56].
Cold Boot Attack: Smartphones and tablets are easily stolen or lost. Paper [57] discusses how this makes them vulnerable to low-grade memory attacks such as cold boot attacks, attacks that use a bus monitor to keep an eye on the memory bus, and DMA attacks. The article further describes Sentry, a system that permits applications and operating system modules to store their code and data on the System-on-Chip (SoC) instead of in DRAM. They propose the use of a special ARM-specific mechanism, which was originally intended for embedded systems but is still present in existing mobile phones, to defend applications and the OS against attacks on the memory subsystem.
Brute Force Attack: Kim [58] proposed a keypad to make brute force and smudge attacks difficult. This type of keypad increases the time required by both brute force and smudge attacks. The time is increased by randomly arranging the buttons and by a display delay time.

Denial of Service Attack: Dondyk and Zou [59] proposed a new denial-of-service-oriented attack against smartphones used by ordinary operators who are not tech savvy. This type of attack, which they call the DoS attack, prevents non-technical users from using the data service by exploiting the connection management protocol of a smartphone with Wi-Fi enabled. By creating a fake Wi-Fi Internet access point (using devices such as a laptop), the attacker can make a Wi-Fi-enabled smartphone automatically drop its mobile broadband connection and link to the bogus Wi-Fi connection. As a result, the target smartphone is prevented from having any Internet link unless the victim identifies the attack and manually disables the Wi-Fi capability. They have shown that the most popular smartphones, including iPhone and Android phones, are susceptible to this denial of accessibility. To counter these attacks, they propose a new implementation of the Internet access authentication protocol that exchanges a secret passphrase with an authentication server on the Internet over the cellular network. The smartphone then tries to retrieve the secret passphrase over the newly created Wi-Fi channel to verify the Wi-Fi access point. They have fully evaluated the attack and a defense prototype that runs on Android phones.
Smudge Attack: Gibson [60] explored smudge attacks, which use the oil left on the mobile touch screen, and captured the smudges. The work emphasizes the effect on the pattern passwords of smartphones. They provide a preliminary study of applying the information learned in a smudge attack to predicting a pattern password.
Cross-Site Scripting (XSS) Attacks: Jin and Hu systematically studied the risks in HTML5-based mobile applications and discovered a new code injection attack, which inherits the basic cause of cross-site scripting (XSS) attacks but uses several more channels to inject code. These channels are exclusive to mobile devices and include contacts, SMS, bar codes, and MP3. To assess the occurrence of code injection vulnerabilities in HTML5-based mobile applications, they developed a screening tool and analyzed 15,510 PhoneGap applications in Google Play; 478 applications were found likely to be vulnerable, with a false-positive rate of 2.30%. They also developed a model called NoInjection as a patch for PhoneGap on Android to protect it from the attack [61].
The problem is that HTML5-based malicious code can be inserted into any automated software or application and run. This is the cause of cross-site scripting (XSS) attacks, which are among the most common attacks on Web-based applications or programs. Cross-site scripting can only target web applications [62].
SMS Based Attack: Attackers can advertise and distribute phishing links via SMS attacks. Text messages can also be used by attackers to exploit vulnerabilities [63] [64]. Rieck and Stewin [62] study the security of the SMS OTP (one-time password) system architecture and the attacks that pose a hazard to the authentication and authorization of Internet services. They determined that the two foundations on which SMS OTP is built, wireless networks and mobile devices, are totally different from when SMS OTP was designed and introduced. This work shows why SMS OTP systems are no longer safe. Based on their results, they proposed mechanisms to secure SMS OTP against common attacks and specifically against Trojans.
Hamandi et al. [65] examine some of the messaging design decisions that cause a set of vulnerabilities in the Android operating system, and they show how applications can be built for malware detection to avoid abuse of these vulnerabilities. These applications appear to be normal SMS messaging applications and use them to send/receive short messages. Since many operators around the world offer a service that allows users to transfer credit/units via SMS, this service can be misused to transfer credit illegally. The "permission" subsystem, the "broadcast receiver" subsystem, and the ordering mechanism contribute to establishing a haven for SMS malware, giving it total control over sending, receiving and hiding SMS messages. Therefore, the application hides the confirmation from telecom operators that can arrive after a credit transfer transaction. Such subsystems allow users to stream and balance malware attacks that have the potential to cause damage to a large number of users and telecommunications operators. The application was demonstrated under local control and successfully passed the standard inspection procedure aimed at catching malware. A set of possible solutions is also presented to decrease the risk of such attacks.
Counter Attacks / Escalation Attack: In [66], the authors proposed a detection and prevention scheme that protects Android against counter-attacks or escalation attacks, which attempt to gain full access to all data. The proposed scheme essentially monitors the system calls made by application processes. If a system call that is called by special components of the Android system in normal operation is invoked, the scheme prevents it from executing. The scheme can detect and block new and unknown malware.

USSD Attacks: USSD (Unstructured Supplementary Service Data) is a protocol used by operators of the WWW (World Wide Web) to run specific functionality between users and operators [67]. Example functions include credit check and credit via USSD, prepaid callback, and Mobile-Money services. The USSD contains the following components: Main Activity, USSD Interceptor Service, Boot Service and Permission Testing.
Hamdani and Elhajj [68] identified and evaluated two types of attacks on Android smartphones. The first is done by sending an SMS in the background and push notifications network to steal customer credit. They also show how the SPM security structure in Android has grown, and how the attack can still be performed. The second attack uses the mobile dialler application and the USSD protocol in the background on the target user's device.
USB Connection Attacks: Decker and Zúquete [69] exposed serious weaknesses in some private providers' Android operating systems. They described a proof-of-concept, which can be used to explore the implications of the vulnerability, such as root access. The advanced features are intended for use by the suppliers' computer applications to configure and control the device, and were developed on purpose and with that stated intention. In their observation, the installation of such "features" must at least be disclosed to the user, so that they recognize the risks of an unprotected USB connection.
Camera based Vulnerabilities and Attacks: Currently, almost all smartphones have features like a camera and a touchscreen. These functions can lead to attacks on smartphones. Users modify their devices through third-party applications from "app stores" or traditional websites. The source of an application is a problem, so users are constantly at risk of installing malicious programs that steal personal information or gain root access to their device [64] [70]. Article [71] identifies weaknesses associated with Android phones that also apply to versatile and sound applications. The authors discuss the parts a spy camera (use of the smartphone as a spy cam) can play in attacks or to users' benefit. The authors report that they found several advanced spy camera attacks, including attacks related to continuous monitoring, remote control and two passcode-related attacks. Meanwhile, they suggest a scheme to guard mobile phones against all these spy camera attacks. They explore the possibility of conducting an espionage attack (grabbing information used to launch a successful attack).
Control Flow Attacks: Runtime and control-flow attacks (such as code injection or return-oriented programming) are one of the biggest threats to software programs [72] [73]. These attacks are common and have recently been applied to smartphone applications that are downloaded by many users. Davi et al. present a mobile CFI (MoCFI) framework that provides a general countermeasure against control flow attacks on smartphone platforms by enforcing CFI. A typical smartphone is involved because of two different architectures, ARM and Intel. The authors prove that MoCFI is efficient for all smartphone OSes excluding iOS [74].

III. PERFORMANCE COMPARISON
In this section, we review present solutions developed to avoid different types of smartphone threats, attacks and vulnerabilities. To respond to the increasing number of attacks and malware exploiting vulnerabilities on smartphones, several solutions have been proposed. We therefore show all attacks and their solutions in tabular form. Table 2 shows the old attacks, the causes of old attacks and their suggested solutions. Similarly, Table 3 shows the new attacks, the causes of these types of attacks and their solutions.
In article [28], 22 participants were interviewed and it was found that each participant wanted to protect data. For data protection and privacy, many researchers have proposed various solutions, some of which are discussed here. Musklokhlove et al. [29] gave a solution for data protection and authentication. They propose an approach for detecting malicious data access for data protection and an upgrade of the lock screen system for smartphone authentication. Articles [30] and [31] provide a framework to enforce privacy policies to protect user data and enterprise data.
In [18] and [19], it is discussed that smartphone sales are increasing gradually. In 2014, the shipment values by mobile phone operating system were as follows: Android: 950.5 million, iOS: 179.5 million, Windows Phone: 47 million, BlackBerry: 11.9 million, and other (Symbian, etc.): 15.1 million. In 2018, their market share will increase 11.5%. Fig. 2 shows the estimated market share and shipment values for 2018, derived from the 2014 shipment and market share data.
According to report [75], by the end of 2015 there will probably be more smartphones than people, and in 2016 there could be 10 billion smartphones. This can be true if sales or shipments of smartphones increase gradually, because many people may have more than one device.
Table 4 shows the distribution of new mobile malware by type (first, installation programs, and second, new mobile malicious programs) from Quarter 4 (Q4) 2014 to Quarter 3 (Q3) 2015. The statistical data obtained from Kaspersky Lab sources [76], [77] have been computed and represented in Table 4. Q denotes quarter on the x-axis in Fig. 3. From Q4 2014 to Q3 2015, mobile malware increased gradually. This indicates that in Q4 of 2015 malware will increase. So, we can say that mobile malware will increase gradually until Q4 2020, as shown in Fig. 3. However, the graph may remain stable or decrease if a control mechanism is introduced. This estimation is shown in Fig. 3: the middle line shows malware remaining stable, and the bottom line shows malware decreasing if a control mechanism is introduced.
These estimations show that, due to the growth in smartphone sales, malware writers develop a lot of malware that causes security threats in smartphones.

Physical Attack
System defects / faults. Re-manufacturing, whether of software or hardware.
Weakens the security of the mobile phone.
Insufficient API management.
Use applications from trusted sources.
Malicious code can infect user's data or files. [33]

Radio Wireless Attack
Eavesdropping, sniffing and spoof computing blocking.
Suddenly disconnects from the wireless network.
Data can be hacked easily.
Only use trusted networks.
Use an encryption / decryption method to secure communication.
Information can be hacked during communication. [34]

Backdoor
System bugs and disclosure.
Update your device and install a strong antivirus.
Security of the smartphone can be weakened.
A backdoor for viruses can be made. [38]

Virus
Target finding, replication file with unknown source.
Install an updated antivirus in your system.
Abnormal behavior of applications.
Information or applications may be corrupted.
Transfer of malicious programs.
Use an updated antivirus.
Can create a backdoor for hackers.
Intertwined with the system files. [39]

Malware
Downloading files from interested resources.
Use updated anti-virus, install malware prevention software.
Use a host-based malware detection system, use safe applications.
Disturbs computer operations.
Gathers sensitive information.
Hidden malicious functionality.
Smartphone-specific intrusion detection system.
Use anti-virus.
Disturbs computer operations.
Gathers sensitive information. [78], [51]

Spam
Any attachment with malicious code transferred via e-mail or MMS.
Attacker can advertise phishing links.
Avoid opening these types of emails and MMS.
Only use authentic services and authentic applications.
Avoid responding to any emails that you never asked for.
Fills your inbox with a number of ridiculous emails.
Degrades your Internet speed to a great extent.
Steals useful information like the details in your contact list.
Alters your search results on any search engine.
Use CTM (Cyber Threat Management) software.
Corrupts data.
Weakens computer security.
Provides back doors into protected networks. [79]

Relay Attack
Insecure network environment.
Use of unauthentic proxy service.
Use a secure network and a trusted proxy application.
Information hacked during communication.

Cold Boot Attack
Unauthorized access to RAM and the encryption / decryption key of the system.
Use a system that stores code and data on the SoC (System on Chip) instead of RAM, i.e. Sentry.
Use a powerful encryption / decryption method.
Encryption key may be hacked.

Brute Force Attack
Trying again and again to unlock the phone using many combinations, with no limit to prevent hacking.
Set a limit on repeated attempts to unlock the device and display a time delay.
Password cracked.

Smudge Attack
Keeping the touch screen dirty or using oily hands.
Keep the screen clean and clear and use clean hands to operate the device.
The pattern password is easily guessed.

Denial of Service Attack
Using another device to dismiss the supply of the mobile broadband connection.
Link to a bogus Wi-Fi connection.
Use an Internet access authentication protocol.
Busies the network.
Busies the smartphone and blocks other services. [59]

XSS Attack
HTML5-based malicious code inserted into an application or software.
Use popular and authentic apps.
Use a screening tool to check the weaknesses of the apps.
Smartphone infected by malicious code injected via an HTML page or any other untrusted script.
Causes information to be hacked or provides a backdoor.

SMS Based Attack
Attacker can advertise phishing links.
The device can be protected through the message settings, or by disallowing automatic receipt of MMS or text.
Sensitive information can be fetched.
Use an anomaly-based intrusion detection system.
Personal data can be fetched.
Can cause damage to cell phones.
[74]

An appropriate solution to the authentication problem can overcome many authentication problems and save smartphones from security breaches. All users want to protect their data, so data privacy is one of the biggest concerns for smartphone users. Data privacy issues can most of the time be addressed by using trusted sites and applications. Most smartphone attacks occur due to vulnerabilities. If the vulnerabilities are minimized, smartphones can be saved from most of the attacks. In a rapidly growing field where development occurs at large scale it is hard to achieve 100% security, but careful design and development processes lead to more secure smartphones. The number of smartphones is increasing rapidly. The reason behind this increase is frequent technological change and evolution. But with this technological evolution, more malware attacks are being launched. The Kaspersky Laboratories reports on these attacks, which are also included in this review paper, show that the number of malware attacks is increasing every year. So, we should neither be satisfied with the increase in smartphone sales, nor merely look to the developer for a solution against the malware attacks being launched. Instead, manufacturers as well as developers have to look into the reason behind these attacks on smartphones, which is the loopholes present in the architecture and software of the smartphone provided by the manufacturer and the software developer.
The future belongs to the IoT (Internet of Things), a technology where all devices remain online and interconnected. Almost every routine gadget would be controlled by a smartphone via IoT, including electronic devices, machines, vehicles, security-based entrances, etc. This will cause many issues for smartphones, such as battery drainage, performance issues and security issues concerning not only data privacy but also illegal access to personal devices via IoT. A smartphone used for IoT must therefore have the best battery consumption, efficient processing and maximum security, so that we are able to achieve maximum benefits from IoT. As we know, we do not have a mechanism for complete smartphone security. We cannot say that our data privacy and access are completely safe and sound. Manufacturers as well as developers therefore need to build and present a mechanism that provides maximum security.
The purpose of this review is to provide a holistic account of smartphone vulnerabilities and problems and to look at various possible solutions suggested in the literature. These solutions and problems have been collected from a review of previous research.

V. CONCLUSION
Smartphones are multipurpose handheld devices that contain many third-party applications that extend the functionality of the device. With the quick production of smartphones equipped with many features, such as several connectivity links and sensors, mobile malware is growing. The smartphone environment is different from the PC environment. Similarly, the solutions to prevent the infection and diffusion of malicious code in smartphones are different from those for PCs or other computer devices. Smartphones have insufficient resources, including power (battery) and processing unit. As the capabilities of smartphones increase, these features, such as different types of links, sensors, services and the user's privacy, can be misused by attackers.
In this work, we first discussed the current authentication problems and the data protection and privacy problems. We investigated the vulnerabilities in smartphones and the attacks that can occur on smartphones. Secondly, we characterized the identified attacks against smartphones, concentrating on why attacks occur and what their effects on smartphones are. Finally, we studied existing security solutions to protect smartphones from infections, malicious code and intruders' attacks.

TABLE II. OLD ATTACKS, THEIR VULNERABILITIES AND SOLUTIONS