A Survey on Various Threats and Current State of Security in Android Platform A Survey on Various Threats and Current State of Security in Android Platform

In this layer, attackers target the vulnerabilities found in the hardware components. Most of the vulnerabilities exist because of the preinstalled vulnerable components in the device provided by the manufacturers. It is tough to protect the system from attacks that target such components. These vulnerabilities are very difficult to patch, because the patches are available with the distributors and carriers only. Another possible way to attack the Android system is to exploit the security weaknesses found in the repaired components. Shwartz et al. [12] have shown how using repaired Android components like touchscreen, sensors, and near-field communications (NFC) readers from unauthorized vendors rather than from original vendors, called original equipment manufacturers (OEMs), can put the integrity of the system at stake. They have shown in their article how attacks like touch injection and buffer overflow use unauthorized components to exploit the vulnerabilities of the device and attack the system. Authors have also pointed out that designers must keep this aspect in consideration when implementing a system where replaced components fall inside the trust periphery of the system. It must be essential for the system to check the integrity of the communication between the replaced component and central processor of the system. Also, the component driver's source code should not implicitly assume that the component hardware is authentic and trustworthy.

A Rowhammer attack is an example of a hardware-based attack. The attacker uses malicious JavaScript in the browser (like Firefox) to attack an Android phone. The preliminary requirements of this attack are the installation of a malicious application in the targeted device and access to graphics processing unit (GPU) used in the device, and to speed up the attack the attackers can also use the attack speed chip's cache. To launch this attack, the attacker needs to access a specific memory location or a row in memory inside a dynamic random access memory (DRAM) chip. Hamming this row number of times causes a small amount of electrical current to leak from the target location. It results in a change in the state of memory bit or memory leak [13]. GLitch is the latest form of Rowhammer attack that allows an attacker to hack the target device remotely. GLitch is so named because attackers use WebGL, a library that renders interactive graphics code within any browser that is compatible with WebGL. These graphics can trigger a well-known glitch found in memory chips, namely DDR3 and DDR4. Attackers launching a Glitch attack exploit the GPU. The main reason for using the GPU is that its cache can be easily administered by the attacker, which gives them easy access to target rows [14], which is otherwise tricky if CPU is used instead of GPU, as used in previous versions of a Rowhammer attack. Another attack that falls under the same category is Deterministic Rowhammer Attacks on Mobile Devices (Drammer). The target component is DRAM chips. Attackers use the malicious application to exploit DRAM chips and can get access to the kernel of the devices. To date, there is no patch available to safeguard Android from these attacks entirely.

RAMpage (CVE-2018-9442) is a vulnerability, found in hardware components (LPDDR2, LPDDR3, or LPDDR4) of RAM, that implements attacks like Rowhammer. The attackers use the same strategy of using a malicious application to exploit these vulnerabilities. The strategy is to break the memory allocator ION (unified memory management interface). Once the attacker executes the attack successfully, he or she can get access to the restricted memory location in the device. The attacker can leak sensitive information from the victim's device and can also get complete control over the system [15]. GuardION is an open source technique proposed by Veen et al. This tool mitigates the threat caused by attacks like Drammer. GuardION protects the Android kernel by defending DMA allocations from these attacks. DMA allocations are shielded using rows that are empty, which results in isolated bitflips. Thus this technique helps in reducing Drammer and similar attacks [16]. QuadRooter vulnerability as the name suggests is a combination of four vulnerabilities that poses a threat for Android devices that use Qualcomm chipset. The four vulnerabilities are

• Linux IPC router binding any port as a control port (CVE-2016-2059)
  
• Ashmem vulnerability (CVE-2016-5340)
  
• Use After Free Due to Race Conditions In KGSL (CVE-2016-2503, CVE-2106-2504).
  

Attackers can launch a privilege escalation attack using a malicious application and gain root access by exploiting any of these four vulnerabilities. The drivers that manage communication between different components of the chipset for their devices are also at high risk. Since the vulnerability is present in the drivers installed in the devices, the patch to fix the vulnerability can only be availed from distributors or carriers of the component, which in turn is provided to the distributors or carriers by Qualcomm [17]. Analysis of these attacks is summarized in Table 1.

A kernel is the heart of the Android system. Attacks targeting kernel are aimed at getting root access to the system and can cause severe damage. The Linux kernel [18] is directly or indirectly responsible for every action performed on the system and also for the management of different components of the Android system. The Linux kernel also takes care of Android runtime environment functionalities. Attackers are continually working in the direction of exploiting vulnerabilities in the kernel and related components like device drivers, memory, and Android Runtime (ART). Android has come out with many security features that include Android Sandbox, secure Inter-Process Communication (IPC), Encrypted File System, Cryptographic APIs, and so on [18]; still, many vulnerabilities continue to be exposed. In the recent past, the Android system has faced highly severe attacks exploiting vulnerabilities found in all these security features.

Next, the article will discuss attacks exploiting vulnerabilities found in different components of kernel.

This layer includes library modules that implement interfaces for Camera, Bluetooth, Wi-Fi, GPS, Radio, and other components in the Android system [18]. Attackers target the interfaces and use these components to peek into the system. In Broadcom Company's Wi-Fi chipset, which is present in most Android and iOS devices, attackers found a highly dangerous vulnerability that allowed the attacker to get control of the complete system by using Booby-Trapped Signals [70]. Later a patch for this vulnerability was released. Researchers [71] have exposed severe vulnerabilities in Wi-Fi security protocol WPA2 that is used in most of the modern operating systems, including Android version 6.0 (Marshmallow) and higher. This vulnerability is present even in iOS, Windows, and OpenBSD. Researchers have also listed the vulnerabilities found in the WPA2 that are exploited by attackers by using a novel method of attack known as Key Reinstallation Attack (KRACKs). For exploiting this vulnerability, the attacker needs to be within the Wi-Fi range of the target system. This attack can be used to steal the confidential data of the victim and can even decrypt the encrypted file in the system. Attackers can use applications to spy on the user's data using Audio Channels, GPS, Camera, and other components. Google Play Services offers some unsafe features to the applications that can be exploited by the intruders. Some of these features are by default enabled by the service. If the user disables them, then it will affect the normal functioning of the fundamental features of the system. A brute-force attack is used to intrude into the Android file system, which stores the system's private keys. The attack targets the kernel by cracking the system passwords [72].

First, the attacker works on gaining comprehensive knowledge of the security measures and weaknesses in Android's encryption system and then uses that information to break through the system and gain control over the kernel. It is done by repeatedly guessing the pair of keys until the exact match is found. Attackers these days are using jailbreaking or rooting tools like Aircrack-ng to guess the passwords. After gaining control over the kernel, the attacker has the full access to all the resources and data stored on the system. A robust encryption mechanism is needed to tackle such attacks. Lately, Android systems incorporate strong encryption algorithms and Key Derivation Process (KDP) employing SCRYPT function for generating key-based password [73]. This process makes it challenging for attackers to execute a brute-force attack, as it will require intensive knowledge and a significant amount of memory and resources for computation.

The Sturdy Android Keychain Management system also plays a crucial role in improving the defenses against brute-force attacks. A two-factor authentication keys system is incorporated into Android Oreo, which further strengthens Android's security [21]. Malware known as Invisible Man [74] gets into the system when the user installs fake Flash updates, disguised as authenticated ones, from the unauthorized website. This malware, once installed into the system, can get the bank details of the user by acting like a key-logger. Simultaneously, it installs itself as the default text message application and grants itself access to send and receive text messages in the system. Such records can be used by attackers, as well as analyzers, for spying on the user's data. Malicious applications, installed into the system, can also use the Audio channels to steal the password. Such applications send deceitful commands, through the speaker of the victim's system, to its microphone, which behaves as confused deputy. Talk Back Accessibility Service of Android is used to accomplish the purpose of this attack, as it reads out the password typed by the victim to the attacker [75–77]. AuDroid [75] is a policy enforcement technique that is employable with SELinux for preventing and detecting attacks that use audio channels for exploiting the system. SemaDroid [78] is a method to protect from attacks, like covert channel attacks [79], that target the sensor data, which includes data related to Camera, GPS, Microphone, Motion Sensors, and other sensors in the system. They enforce user policies that put restriction on the applications installed on the system from collecting the critical information from sensors. Such policies can control the type of information applications are collecting from the host device. It can defeat any stealthy attack on the sensors, thereby protecting the user's private information.

Security of HAL has been substantially improved in Android Oreo. Now, different device drivers have separate HALs. Each driver is controlled only by the HAL to which it is assigned. When a process requests for a device driver, it gets a particular HAL, and together they run in a sandbox. Thus, the process gets only necessary privileges that are required to complete its job. This way the processes will not be able to access device drivers directly, and they can also not access device drivers that they have not requested. It helps in limiting privilege escalation attacks and even phishing attacks, which use combined privileges on different components for spying or stealing users’ data [80]. Analysis of these attacks is summarized in Table 3.

malware developers exploit the vulnerabilities of default applications, as well as the applications installed into the system, from Play Stores and websites. Applications request for the privileges, from the system, at the time of installation, for smoothly running, later on. Various researchers have suggested that the applications that users install from websites request for unnecessary permissions, which they do not require to performing their job. Attackers take advantage of this situation and use attacks like privilege escalation [81], for exploiting the target system, at different levels. Attackers are also misusing the flaws in native libraries and the third-party libraries found in the applications. They use these libraries to request for combined permissions. Escalated privilege rights give attackers access to any component of the victim's system, including the kernel. Attackers can even gain root privileges and can cause irreparable damage to the system. After sneaking into the system, attackers can spy on the user's data for personal motive or can sell it to third parties for money. Privilege Escalation attacks and attacks based on libraries, both have placed Android security in peril. Malicious applications are used by the attackers to breach into the Android system and steal vital details. Runtime Information Gathering Attack (RIG) is an attack through which attackers can accumulate information from the victim's system, during the runtime of the malicious application. The malicious applications exploit the permissions, given to the application, at the installation time to perform this attack. Researchers [82] have shown how this attack can pose a severe threat to the Internet of Things, administered by Android. They have also implemented the technique, called App Guardian, which helps in preventing from the RIG attacks. App Guardian keeps a check on the suspicious application running and stops all other processes running in the background. Once the process stops the executing, it restarts the stopped processes and cleans the memory used during runtime by the suspicious application so that no trace of information is left for the attackers to steal from the system. The application-based attacks are targeting the resources of the Android system like memory, CPU, files, disk, battery to damage the system. The malicious application can consume more memory, battery, and processing power than their regular counterparts. Malicious applications can exhaust the system and bring it to a standstill. Attackers can use multimedia for targeting the battery of the system. Well-designed multimedia files, which remain stealthy, are used by attackers for such attacks. These files consume more battery power, and the system will get exhausted quickly, and its processing power will slow down. It will not be able to perform any normal operation and will ultimately collapse. Such attacks are the example of energy-based attacks [83].

As the Android system continues to evolve, so does its permission system, which is becoming exposed to malware attacks. Malware developers are taking advantage of weaknesses of not only permission system but also exploiting Android infrastructure susceptibility to attacks. the Android system comes with its in-built security mechanism based on a Linux kernel [107]. The permission system forms the critical component of the Android security mechanism. It restricts the applications from accessing user's personal information like user's identification number, bank account number, and contact numbers. For an application, to utilize any of the system's resources and interface, it requires separate permissions [108]. Presently, 146 permissions [109] have been included in the permission system to provide a flexible environment to the applications to run on the latest versions of the Android system. The Android Manifest Permission file, used for static analysis of applications, includes the permissions required by the application. The present permission system includes risky permissions that are complex and makes it difficult, not only for the user's to understand [110], but also becomes a challenging task for system's security mechanism to restrict the requesting application access from accessing user's confidential information. During installation, applications request for permission to access different components of the system as and in case the user does not grant all the permissions, the application does not run. So, users accept such permissions, to be able to use the application; giving knowingly or unknowingly consent to the attackers to get into the system. Attackers can use benign as well as malicious applications for this purpose.

Research suggests that malicious applications generally request for more number of permissions than benign applications [11]. All these permissions are coarse-grained, so users are left with no other options than to accept them. Until Android Marshmallow (API 23), users had to accept all the permission requests of the application at the time of installation [111]. After crossing this checkpoint, the malicious application can gain root access to the system by exploiting kernel-level vulnerabilities and can initiate privilege escalation attacks [81].

Cloak and Dagger attack is a case of permission system exploitation of the Android system. It is the result of design vulnerabilities in Android. This attack needs two permissions, SYSTEM ALERT WINDOW, and BIND ACCESSIBILITY SERVICE for getting complete control over the User Interface (UI) Feedback Loop. The system grants these permissions to the malicious application without taking approval from the user. With the help of these permissions, the application takes control over the visuals of the phone and carries on malicious activities without the user even noticing them. Researchers [112] have uncovered various loopholes in the Android system design that, if exploited, can be fatal for the system.

Android developers, while developing the application, do not give much emphasis on secure communication of data. Android SDK provides packages for the Internet connection that can support Internet connection via both HTTPS and HTTP. Developers’ lack of coding skills and partial understanding of SSL can lead to a compromise, with the security of the application. Using SSL certificates, which are signed by the Android trusted Certificate Authority, and Android's application interface that is in-built, helps in securing the data from intruders. Because of the high cost involved in debugging, Android applications using SSL certificates, developers prefer using development servers consisting of unauthorized certificates for debugging. Not validating or verifying the certificates and host Names is also a part of poor developing practices [113]. HTTPS and the TLS/SSL are a set of standardized protocol that the applications must use for the exchange of data. Using HTTP instead of HTTPS for URL connection and WiFi, and Bluetooth for Internet connection, further adds to the problem of information leakage. It encourages Man-In-The-Middle attack, where the attacker tries to sniff the data between the two parties, by pretending to be one of the trusted host. The developers should use TLS Public Key Infrastructure for authenticating the two parties in communication; however, its complex architecture demotivates them from using it [114]. Rather than sending data over HTTPS and in plaintext format, proper use of SSL helps in sending the data in a ciphertext format, protecting it from the attackers. Bouncy Castle Crypto APIs [115] and OpenSSL [85] are open source platform that supports cryptographic libraries and provides the toolkit for SSL/TLS protocol. Users are generally unaware of the consequences of using HTTP and of the importance of proper usage of security protocols in the application.

Android developers are continuously working in the direction of making the Android system more secure. Recently, to make Android Oreo more secure, TLS version fallback is eliminated from HttpsURLConnection. This feature was used in previous versions to support HTTPS stack for connecting to the servers in which TLS protocol version implementation was not proper. In case, TLS handshake failed to connect, then HttpsURLConnection used to disable the newer version of TLS protocol, from retrying the handshake. Disabling the TLS protocol results in downgrading of protection. It makes the system vulnerable to attacks that is why in Android Oreo, TLS version fallback is removed to avoid such reattempts to establish connection [116].

Lack of documentation by developers can be misleading for the users and for other developers who are not directly involved in coding but with different modules of application development. Developers’ lack of knowledge regarding security protocols can prove fatal for the Android system. Error in the application coding does not mean it is malicious, but it can serve as a gateway for malware developers. If the developer does not write SSL/TLS code correctly or does not follow proper steps for establishing the secured connection, then it can lead to cryptographic attacks.

For establishing a secure connection via SSL, the first and foremost step is to authenticate the server certified by a trusted Certificate Authority. It is essential to check the validity of the server's authentication, and sometimes a certificate is revoked by the CA in the case where a server has been compromised or is not behaving as per the norm. In Reference [117], rules for developing and validating certificates are defined based on the X.509 protocol. This document also explains how to check whether the CA has revoked the certificate. The status of the certificate can be checked using the Online Certificate Status Protocol (OCSP) [118]. OSCP provides up-to-date information regarding the status of the certificates as compared to the Certificate Revocation List (CRL) [117]. In Reference [119], researchers found that many critical applications and libraries were not verifying the SSL certificate at all. A list of software found violating the SSL certificate validation included Amazon's EC2 Java library and all cloud clients based on it: Amazon's and PayPal's merchant SDKs, integrated shopping carts, and AdMob code. For example, AdMob provided code that used data-transport library cURL for connecting SSL to AdMob's server, however, the code would turn off the SSL certificate validation. In this article, the author has also listed the “dos” and “don'ts” for the application and SSL library developers. Further, while analyzing 137 of 200 applications [113], which used SSL, it was found that 84 applications used SSL incorrectly. Of 137 applications, in 58 applications, TrustManager used Trust All strategy, and in 13 applications, HostnameVerifier used the Allow All strategy. The remaining 13 applications used both the strategies (Trust All and Allow All). SSL code uses TrustManger and HostnameVerifier classes for verifying and validating server. If the application uses Trust All with Trust-Manager, then it will not require verification of the server. Similarly, if it uses Allow All with the HostnameVerifier approach, then it will not require validation of server.

Vulnerable cryptographic keys and digital certificates were found to be the root cause of such attacks. SSL Blacklisting and Pinning are two methods offered by Android for protecting the system from the threat caused by breached CAs (e.g., Comodo, DigiNotar) and from the use of certificates issued deceitfully. SSL Blacklisting allows blacklisting of certificates and CAs as well. SSL Pinning restricts the number of CAs to be trusted [120].

Google has found security flaws in more than 275,000 applications found on the Google Play Store [121]. The App Security Improvement Program notifies the developer quickly whenever it finds a vulnerability. This program started with scanning the Google apps for embedded Amazon Web Services (AWS) credentials and Keystore file. The revelation of credentials and keys were posing grave threats to users’ private information and for data transfer at that time. In reference [122], the authors have provided a list of the latest security loopholes flagged to developers on Google Play along with the respective vulnerability and solution.

This section has highlighted the common factors that are responsible for the proliferation of attacks that were discussed in Section 2. The next section discusses defensive tools and techniques used to defend the Android system from various attacks and malicious activities.

eXtended Monitoring on Android (XManDroid) [19] prevents privilege escalation attacks dynamically based on the system policy already defined in the system database. For this purpose, researchers have designed the Policy Check Algorithm, which is embedded in the Decision Maker component of the XMandroid framework. This algorithm keeps track of Inter-component Communication (ICC) among the applications. With the help of policies defined in the policy database that are the security rules, it decides whether it should allow the action or reject it. User confirmation is also taken into account whether to allow ICC call. XMandroid helps in preventing an ICC-based privilege escalation attack. A sample of 50 applications was taken in which XMandroid dynamically observed 11,970 ICC calls that occurred during runtime. The total number of cache hits = 11,592 and cache miss = 378. According to the researchers, the tool performed consitently in cases of ICC between applications as well as in case of ICC with content and service providers.

The Extending Android Permission Model (Apex) [123] helps users grant permission to applications for accessing resources during runtime selectively. For this purpose, an application installer named Poly is implemented, which is an extension to the already-existing installer in the system. It provides users with an easy interface to imply constraints on access to resources requested by the applications at installation time.

AdSplit (separating smartphone advertising from applications) [124] separates the advertising libraries from the host application, both run in a completely separate environment. Unique UID and separate permissions are given to applications and the advertising libraries by the UNIX process so that applications need not request for additional privileges for the advertising libraries. Then, for coordination between two processes, an advertising service is there. It keeps track of user actions, performed at UI and sends it to related advertising activity. With the help of a centralized advertising service component, AdSplit can identify any fake UI event, and this component is also responsible for proper display of advertisements. This framework combines two security modes HTML and smartphone applications, which is the current need for smartphone security, as most of the applications and libraries use Java and HTML script.

Like AdSplit, AdDroid (A Privilege Separated Advertising Framework) [125] also wholly separates the advertising component from the parent application by integrating advertising component into the Android framework itself rather than the parent application. It helps in restricting the advertisement component from gaining access to any security-critical information, even if the parent application has the privilege of accessing the same information. The AdDroid framework achieves this goal by introducing the advertising API (AdDroid API), which is an extension of the Android API, it is responsible for data and application. AdDroid also includes two new permissions, ADVERTISING, and LOCATION_ADVERTISING. For using AdDroid, applications need to request for any of these two permissions. These permissions give requesting application access to the advertising API calls; rest AdDroid handles all the decisions regarding advertising and events related to user interactions. Of 473 advertising libraries of corresponding applications, the functionality of 456 advertising libraries was satisfied by the AdDroid permission system. Thus, a 96.4% satisfactory rate was achieved.

Component-Level Access Control (Compac) puts a restriction on the privileges, given to the third-party elements at component level. It achieves this by letting the system decide that request from third-party elements for accessing the private information need to be accepted and which not. The system can make the decision based on the information excavated from the application's components, using runtime information of Java package. Compac gives privilege to the users and system to assign a subset of permission to the application component rather than giving similar access rights to all the components of the application. This approach helps in enhancing the security of the Android model, in context of the attacks, caused due to third-party libraries or components. The approach achieved 97.4% success rate in performing privilege escalation (as per Antutu benchmark). The researchers considered a dataset of 18,566 applications in which 16,000 was benign data and remaining 2,566 was malware [126].

Unlike AdDroid, in Privilege De-escalation (PEDAL) [100] researchers have included a module, called separator that allows users to assign privileges to ad libraries selectively. This module forbids ad library from inheriting permissions, which are granted to their parent applications by the system at the time of installation. PEDAL achieved 98% accuracy rate in detecting ad libraries. Further analysis of these tools is given in Table 6.

A number of tools and techniques has been developed so far by researchers to minimize the unnecessary permissions requested by the applications and their respective ad libraries. These tools can identify and protect the system from different types of privilege escalation attacks. Based on the user experience and attacks, these tools decide which permission request should be entertained and which one should be denied. These tools serve as an extension to the already existing security model of Android. Android Security Model comprises of security features like Application Sandbox, Cryptography, and IPC [127]. Even then attackers are continually working to explore the vulnerability of these defensive mechanisms against privilege escalation attacks. For example, app-in-the-middle attacks can bypass Android Sandbox [128]; such attacks pose a serious threat to the user's private content.

Completely blocking the ad libraries will not give an appropriate solution as this is a source of revenue for advertising industry. So it is necessary to extend the Android security model, and this can be achieved by using these defensive tools and increasing permission constraints. Application developers also need to minimize the number of permission requests they include in the application they develop. It will help in reducing the ambiguity caused due to the large number of permissions requested at the installation time, which are mostly tricky for the users to understand. The naive users just want to use the applications. So they accept all the permissions, without giving it much thought. It gives attackers and analysts the opportunity to peek into the system, which can prove fatal for the system.

The malware detection tools use static and dynamic detection mechanisms for identifying attacks and blocking them from penetrating into the system. Static detection is a passive approach where the tool extracts features from the application file without executing the application. This methodology is resource and time efficient, as the application is not required to be executed. A dynamic approach is an active approach; it identifies attacks in the real environment. Unlike a static approach, it is not easy to evade dynamic detection tool with the help of code obfuscation attack. A static approach monitors features like permissions, API calls, .dex files for opcodes, and metadata. The dynamic approach analyzes features, while the application is running; it includes network traffic, battery usage, CPU utilization, IP addresses opcodes. Most of the dynamic and static detection mechanisms incorporate machine-learning techniques for fine results. Once the model is trained, using machine-learning Algorithm, it can work automatically in the detection of attacks and human intervention is not required. It helps in improving the detection of attacks that are otherwise not detectable during manual analysis. Moreover, data mining helps in identifying the class of attacks that are previously unknown, with the help of ample experience. This technique helps in proper resource utilization. Figure 3 provides a classification of these approaches.

Fig. 3. Detection approaches.

There are broadly two categories of static detection: (i) Op-Code analysis and (ii) Manifest and API Calls analysis. In Op-Code analysis or N-Gram Opcode analysis [132], the detection tool extracts N-Gram Op-Codes from the dataset of malware and benign applications. The dataset is used to classify application using Pattern Recognition and machine-learning techniques. One of the most widely used classifier for this purpose is Support Vector machine. In Manifest and API Calls analysis [131], the tools use machine learning to learn features such as permissions, intents, component deployment from the Manifest file, and API Calls details from the dataset of malicious and benign applications, these data are then used to classify the target applications. Dynamic analysis is of two types: (i) in-the-box analysis and (ii) out-of-the-box analysis [11]. In case of in-the-box analysis, data collection and analysis is performed on the same privilege level as the malware. The detection tools use ART for this purpose.

Data collection and analysis can be meddled with by malware, as it shares the same privileges as the analyzer. This approach allows interception of data at the OS level, access to memory architecture, libraries, API, and other methods. However, at the same time, it makes the critical data vulnerable to attacks. In the out-of-the-box analysis approach, analysis is done taking the security of the system as well as that of the analyzer into consideration. To achieve this, a virtual environment is created to deceive the attackers. It allows the analyzing technique to understand the nature of the attack securely. VM-based analyses and emulators are key techniques used for performing out-of-the-box analysis. Attackers have also explored this detection mechanism and have found the methods to evade such emulated environment and use strategies to remain undetected. Such attacks are stealthy and are often difficult to detect. Dynamic analysis mechanism performs better in identifying attacks that use code obfuscation technique as it analyzes the program in runtime environment. Static analysis approach is better equipped to identify previously known attack for which the detection mechanism has been trained. Researchers have also developed a hybrid approach, a combination of the approaches mentioned above for improving the detection mechanism. A malware detection system can be host based or network based. In a host-based system, the detection tool is incorporated in the system itself and can better analyze malicious activities occurring within the system as well as defend the system from outside attacks. A network-based detection system is responsible for monitoring the whole network to which host is connected and has access to complete network as well as to the system. A network-based detection mechanism cannot analyze the malicious activities occurring within the system like at the kernel level. Such details are hidden from the network-based detection mechanism. Moreover, a network-based detection mechanism requires more software and hardware resources as compared to the host-based detection mechanism and is costlier as well. As host-based detection mechanisms are located on the system itself, they are easy targets for attackers. A network-based detection mechanism fails against previously unknown attacks. A network-based detection mechanism has to analyze heavy network traffic, so its performance suffers from the intense workload and leads to a poor detection rate. The main aim of these detection mechanisms is to reduce the false alarms raised during analysis and detection. Researchers have developed a huge variety of analysis and detection tools that are capable of identifying a wide range of attacks. Table 7 summarizes some of these tools. In the table, ML denotes for “machine learning.”

In 2012, Google introduced Google-Bouncer [135], an anti-virus system to automatically detect malicious content in applications on the Android platform. Researchers have exposed many security weaknesses present in Google-Bouncer [136, 137]. Google is continuously trying to improve the security features of Google-Bouncer. However, attackers are also continually working in the direction of finding methods to breach this security mechanism. In 2017, malware named Judy [7] was able to bypass the Google-Bouncer security system. The malware itself clicks on ads in the background without knowledge of the user, thereby earning revenue for the hackers. Further, Google-Bouncer is effective only when applications are downloaded from the Google Play Store; problems arise if the user downloads applications from a third-party or unauthorized sources [138]. It exposes the operating system to attacks. So, to protect the the Android system from such attacks, large numbers of anti-virus products for Android (more than 50) are also available in the market. These tools detect and protect the system from malware. The detection mechanism of these anti-virus applications can be broadly classified into four categories [139]:

• API based
  
• Dataflow based
  
• Interaction based
  
• Signature based
  

Researchers have shown how malware developers can fail these detection mechanisms. These anti-virus products do not provide a robust solution and are easily evadable. For example, a signature-based anti-virus product looks for a particular pattern or signature in the program, and, if found, the program is considered malicious and, otherwise, benign. anti-virus applications, just like any other application, are prone to attacks themselves. For example, the Automatically Bypassing Android Malware Detection System (AVPASS) developed by researchers can evade most anti-virus products, with a minimum detection ratio of 5.8% (3.42/58). AVPASS uses a binary obfuscation method to infer the features and rules of anti-virus running on the targeted system. After learning the rules, it can behave in a way such that the anti-virus tool is not able to detect the malicious application, as they behave like any other normal application. Code obfuscation techniques are used by malware developers to create polymorphic and pligomorphic malware that can easily bypass such anti-virus applications and tools, thus limiting the utilization area of these anti-virus applications. Moreover, many anti-virus tools are freely available and can be downloaded from app stores, which can themselves be malicious programs, and even in case of genuine anti-virus applications, once installed they become an integral part of the system. The attacker can then look for the vulnerabilities in these programs to exploit them and gain access to the system. Zero-day exploits, used by malware developers for attacking the system, are extremely hard to detect by anti-virus applications and other tools developed for malware detection. Much work is required in the direction of making strong anti-virus products that are almost impenetrable for the malicious content to pass through.