Android Spyware Disease and Medication Mustafa Hassan Saad, Department Of Computer Engineering MTC Cairo, Egypt [email protected]

Abstract—Android-based smartphones are gaining significant that user may download and use these malicious applications advantages on its counterparts in terms of market share among which cause privacy leakage allowing attackers to put man- users. The increasing usage of Android OS make it ideal target in-middle (MiTM) visibility into every user transaction like for attackers. There is an urgent need to develop solutions that the proposed spy-ware in this paper. The application layer guard the user’s privacy and can monitor, detect and block has the largest attack surface where maximum damage to these Eavesdropping applications. In this paper, two proposed security occurs. In this paper an exploit to the broadcast paradigm are presented. The first proposed paradigm is a spy- ware application to highlight the security weaknesses “disease”. receiver has been presented for intercepting Received SMS, The spy-ware application has been used to deeply understand Incoming, and Outgoing calls information and silently transfer the vulnerabilities in the Android operating system, and to study these information to the developed cloud database using the how the spy-ware can be developed to abuse these vulnerabilities mobile Internet capabilities. Hence to keep a check on the for intercepting victim’s privacy such as received SMS, incoming malwares and the authenticity of the application, a medication calls and outgoing calls. The spy-ware abuses the Internet service solution is needed to dynamically analyze the behavior of to transfer the intercepted information from victim’s cell phone the already installed applications, and to work as a spy-ware illegally to a cloud database. The Android OS permission subsys- alarm system. This alarm system will warn the user about any tem and the broadcast receiver subsystem contribute to form a running application eavesdropping his privacy. haven for the spy-ware by granting it absolute control to listen, intercept and track the victim’s privacy. The second proposed In this paper, The formulation to the problem of sensitive paradigm is a new detection paradigm “medication” based on privacy leakage has been presented as a two side game fuzz testing technique to mitigate known vulnerabilities. In this problem. The first side presents an indication about how these proposal, anti-spy-ware solution “DroidSmartFuzzer” has been sensitive information can be intercepted and transmitted out designed. The implementation of the anti-spy-ware application to a cloud database with the help of Broadcast receivers sub- has been used to mitigate the risks of the mentioned attacks. system. A spy-ware application will be presented to illustrate It should be noted that the proposed paradigm “DroidSmart- the techniques of attackers in intercepting these privacies and Fuzzer” and its fuzzing test cases are designed not only to catch will lead to stand on weakness points. The other side game the proposed spy-ware application but also to catch any similar malicious application designed to intercept one or more of the introduces an automated fuzzing approach solution referenced listed privacies. here as DroidSmartFuzzer. Based on the deep understanding of the previous spy-ware behavior, DroidSmartFuzzer is a Keywords—Android spyware, fuzz testing, malware behavior light-weight, yet effective, technique for fuzz-testing security analysis, android smart fuzzer, anti spy-ware. protocols. The proposed technique is modular. It generates valid inputs, and mutate the inputs using a set of fuzz operators. I.INTRODUCTION A dynamic Internet usage analysis execution as a reaction of NDROID is a Linux-based operating system designed fuzz test cases will detect the vulnerabilities exposed by the A primarily for mobile smartphones and tablet computers. Application Under Test (AUT). Initially developed by Open Handset Alliance which Google The fuzzer provided with the necessary keys and algorithms backed financially and later purchased in 2005. Android has in order to properly mutate SMS messages, Incoming Calls and expanded beyond its roots as a mobile phone operating system, Outgoing Calls. According to high rate installation of Com- providing a consistent platform for application development mercial Spy-ware which has increased in 2014 as mentioned across an increasingly wide range of hardware (smartphones, in Google Android Security report [1] , Lacoon research team tablets, smart TVs, android wear). report [2], ALCATEL-LUCENT mobile malware reports [3], Android offers new possibilities for mobile applications [4], [5], [6], and Joshua Dalman and Valerie Hantke research by offering an open development environment built on an on Black Hat USA 2015 [7]. DroidSmartFuzzer has been tested open-source Linux kernel. As an application-neutral platform, against the top 15 commercial spy-ware [8], [9], [10], [11], Android gives you the opportunity to create applications that [12], [13], [14], [15], [16], [17], [18], [19], [20], [21], [22], are as much a part of the phone as anything provided out-of- two free spy applications on Google Play[23], [24], two free the-box through a series of API libraries, and this openness spy applications on Amazon store [25], [26] and the proposed attract large number of attackers which use this platform to spy-ware application. implement a malicious applications, but here comes the risk An adaptive, modular, and real time design of the fuzzing test protocol has been used for generating valid inputs to the that malware are actively intercepting various information on AUT and then monitoring its malicious behavior dynamically. the infected phones, including SMS messages, phone numbers For example, to test the behavior for a doubtful spy application as well as user accounts. In particular, there are 13 malware according to eavesdropping on Received SMS , we use the families (138 samples) in this dataset collect and upload SMS PDUs format to generate a valid SMS [27] and inject it dy- messages and 15 families (563 samples) gather incoming and namically from the DroidSmartFuzzer to the Android mobile. outgoing phone numbers, and 3 families (43 samples) obtain The evidence for the AUT Internet usage behavior according and upload the information about user accounts. to SMS injector will be accurate as will be illustrated in the This paper is organized as follows, Section II illustrates experimental evaluation section. an overview of android OS and Android malware, Section III explains proposed spy-ware application model, Section IV explains our DroidSmartFuzzer approach, Section V discusses A. Contributions the results of various experiments and Section VI concludes To summarize, our contributions are fourfold. First, we the paper with future possible work. developed a real android spy application to deeply understand the attacks that we will resist. Second, we proposed a dynamic II.OVERVIEW OF ANDROID OS&MALWARE modular fuzz-testing technique for monitoring and detecting the unexpected behavior for the installed applications . Third, A. Android OS Architecture we implemented a set of fuzz operators that are effectively constructed a real environment for finding malicious behavior for the AUT. Finally, we empirically evaluated the effective- ness of our proposed fuzzer against the proposed spy-ware application, and set of free and commercial spy applications.

B. Related Works Researchers have already done a good efforts in malicious application analysis. Felt et al. [28] analyzed a total of 46 Android, iOS and Symbian malware samples in detail to provide us with surveys on mobile malware. Along with the processed information, the authors also provide us with dangerous permissions these apps used. ProfileDroid [29] is a behavior profiling system for Android applications which is also not suitable for analyzing internal behavior logic for the running applications. DroidScope [30] is an analysis platform designed for Android that belongs to static analysis techniques to cover Java semantics. However, the problem of analyzing Android application is not simple as how to capture behaviors Fig. 1. Android Operating System Layers from different language implementations. It is hard to achieve effective analysis without considering the Android security Android operating system comprise of different software architecture. Permission Event Graph [31], represents the re- layers as shown in Figure 1: lationship between Android actions and permission requests, • Linux kernel: Is the Bottom layer of android operating it is proposed to characterize unintended sensitive behaviors. system which provides the basic system functionality However, this technique could not capture the internal logic of such as process management, memory management, permission usage. Zhou et al. [32] proposed DroidRanger to device management and device drivers which make our detect malicious applications by doing pre-filtering step based task easier while interfacing the android with other on authenticated permissions by an application. It then analyze devices. the application code structure, as well as other properties • Libraries and Android Run Time : Libraries are Java of applications. Finally, an heuristics based detection engine libraries build specific for android operating system. It is run with the data gathered about applications. With this provides the different libraries useful for well function- approach, the authors were able to find malware on the official ing of android operating system. Android Run Time Android market, and two zero-day malware. In addition, the placed in second layer from bottom and It provides authors of [33], captured and evaluated 1,260 Android mal- most important part of the Android called Dalvik Virtual ware samples. The main focus was the mechanisms through Machine which is similar to Java Virtual Machine (JVM) which the malware propagate, the activation procedures, the but only difference is that it is designed and optimized permissions required, and the events also known as the broad- for Android. Dalvik Virtual machine uses core func- casted intents that will be listened to by the malware and this tions of Linux such as memory management and multi- is our concern. Results have shown that 21 malware families threading and enables each android application to run of the 49 captured listen for Received SMS messages, also find on its sandbox. • Application Framework : This layer directly interacts C. What is Mobile Malware with the Android applications and also manages the ba- Generally malware is a software designed to damage a sic functions of android device such as location manage- computer system without the owner’s knowledge or consent. ment, voice call management and resource management. Malware is short for malicious software and includes viruses, • Applications : This is the final destination for the de- Trojan horses, spy-ware and or any other unwanted or ma- veloper journey where his application installed and run licious software. Malware is a crime and the most common here. This layer communicate with the underlying layers path criminal’s use is through the Internet. Malware is being through different form of Inter Process Communication produced at an increasingly alarming rate. Unfortunately, it is (IPC) Endpoints. well known that computers already attacked by a malware so we are always looking forward to update our anti-virus appli- B. IPC Endpoints cation, but what about the malwares which attack our mobile • Android Manifest: All Android Application Packages devices? As we will discuss and implement our proposed spy- (APKs) must include the AndroidManifest.xml file ware application in the next section. We will see by practical which contains the core information about the applica- experiment that mobile malicious applications on the rise, and tion, such as: the intercepted information from our cell phones are horrible. ◦ Package and version name For instance, we could accidentally download a malicious ◦ Permissions (restriction limiting access to a part of application that hijacks our identity, personal photos, contacts, the code or to data on the device) SMS,emails and our private information and sends them to a ◦ Application info (such as launcher icon , title and remote server. Or, we could download a dangerous application the start point of the application) that sends SMSs or dialing services numbers from our phone, ◦ Activities, Services and Broadcast Receivers defi- charging us with an expensive money on our mobile bill. Other nitions malicious programs can potentially malfunction our cell phone basic functionality. • Activity: Is the UI component built on the base Activity class which takes care of creating a window for the developer in which he can place his UI. While activities D. Types of Android Malware are often presented to the user as full-screen windows, The majority of Android malware can be classified in two they can also be used in other ways as floating windows types: or embedded inside of another activity. Lower level man- • Trojans and Viruses: Trojans and Viruses infect Android agements of activities handled by the Activity Manager devices by attaching themselves to seemingly harmless service which placed on application framework. or legitimate programs, which are installed as third • Content Provider: Act as a programming interface to parties with the application and then carry out malicious common shared data stores. Contacts provider for ex- actions. Such malicious actions hijack the browser, cause ample manage centralized repositories of contact entries the device to capture user login information from other which can be accessed by other applications with a applications such as social media and mobile banking specific permissions. Applications may also design their and disastrously Android viruses can root the device and own content providers and may optionally exposed them gain access to files and flash memory like DroidKungFu to other interested applications. [37]. Trojans and viruses can become installed on the • Service: Is an application component without a UI device any number of ways and cause effects that that perform long running operation in the background. range from simply annoying to highly destructive and Another application component can start a service like irreparable. activities or broadcast receivers and it will continue • Spyware and Botnet: Another observed type of Android to run in the background even if the user switches malware is classified as spyware and has capabilities to to another application. For example, a service might forward private data to a remote server. On the other handle network transactions, play music, or interact with hand, the spy-ware could also receive orders from the a content provider, all from the background. • Broadcast Receivers : These are commonly found where server to intercept specific privacy in which case it is applications want to register for system or application part of a botnet. spy-ware is likely to use some of events or actions. All registered receivers for an event the IPC endpoints described in Section II-B. Broadcast are notified by the Android runtime once this event receivers are of particular interest as they can be used to happens. For example, applications can register for the secretly intercept and forward incoming SMS, and Call PROCESS OUTGOING CALL system event which is information to a remote server or to wait for BOOT fired once the Android user try to dial a number. The COMPLETED intent to start a background service as registration for the broadcast receiver has two types, first soon as the device is started. is static and mostly used when you want to listen to an event all the time, second is dynamic and may be used III.PROPOSEDMODELFOR SPY-WARE ”DISEASE” when one of the screen of your application is open and Before examining the attacks and the proposed countermea- unregister that receiver once application is closed. sures in more detail, we outline the threat model that our work is based on. So in this section we will demonstrate our spy- 4) Finally we create a background AsyncTask to send ware application which we called it Chameleon, this name this SMS information to our cloud DB. coming from the invisibility of the application icon on the • Incoming Call Registered Receiver : launcher window like most of real detected spy-wares, now • This class is also a sub class of an- let’s start with the Chameleon Application structure as shown droid.content.BroadcastReceiver. It is responsible in Figure 2. for intercepting the incoming calls information through the next implementation scenario: 1) Overriding the onReceive method which will be called automatically when the intent filter action android.intent.action.PHONE STATE fired by Android system instantaneously when any in- coming calls received to the victim mobile. 2) The receiving intent will have an extra string vari- able TelephonyManager.EXTRA STATE which describes the phone state. If this state is Tele- phonyManager.EXTRA STATE RINGING then there will be another extra string variable Tele- phonyManager.EXTRA INCOMING NUMBER. This variable contains the incoming phone number. 3) Finally we create a background AsyncTask to send this incoming call information to the cloud DB. • Outgoing Call Registered Receiver : This class is a sub class of android.content.BroadcastReceiver. It is re- sponsible for intercepting the outgoing calls information Fig. 2. Chameleon Application Structure through the next implementation scenario: 1) Overriding the onReceive method which will be called automatically when the intent filter action A. Chameleon Design android.intent.action.NEW OUTGOING CALL fired by Android system instantaneously when • Main Activity : This is the main class which will achieve the victim mobile receiving any outgoing calls. the following functionalities: 2) The receiving intent will have an extra string 1) Get the victim cell phone name and IMSI of his variable Intent.EXTRA PHONE NUMBER.This installed SIM card. variable contains the outgoing phone number. 2) Run a background AsyncTask to insert the victim 3) Finally we create a background AsyncTask to send intercepted data in the cloud DB. these outgoing call information to the cloud DB. 3) Hide the application launcher icon by using the • Connect To MySql : This is the JDBC helper class which application framework layer component Package- encapsulates the attributes and methods needed for the Manager as seen in Figure 3. This component cloud DB connection and Data Manipulation Language has the methods ability to hide application icon (DML) commands. without killing our application process. • MySQL DB: We design a very simple relational cloud 4) Hide the Main Activity view. DB consists of four tables. cell phone information, SMS, • Received SMS Registered Receiver : This class is a outgoing call logs and incoming call logs using Google sub class of android.content.BroadcastReceiver. It is SQL cloud service to host our DB, and created it using responsible for intercepting all received SMS through razorSQL tool. It should be noted that AndroidMan- the next implementation scenario: ifest.xml already registered a static receivers for the 1) Overriding the onReceive method which will be incoming SMS, outgoing calls, and incoming calls which called automatically when the intent filter action will listen to these events all the time as explained android.provider.Telephony.SMS RECEIVED in Section II-B. This will give us the opportunity to fired by Android system instantaneously if any intercept our preferred data even if the victim reboot SMS received. his cell phone. Also inside the AndroidManifest we 2) Inside the onReceive method we intercept the granted a permissions to access Internet, receive SMS, SMS information by getting the PDU (protocol read phone state and process outgoing calls. description unit) extra data loaded with the intent. 3) Converting this PDU format to a Unicode format B. Conclusion of the proposed spy-ware model and then get out the sender number, the message The proposed Chameleon application has already inter- body and the time stamp of this message. cepted and sent out received SMS messages, Outgoing • Crashes • Endless loops • Resource leaks or shortages • Unexpected behavior These failure modes vary based on type of the system or soft- ware being tested, the underlying operating system, and more. Our DroidSmartFuzzer has been designed and implemented according to the last failure mode category ”Unexpected be- havior”. The consequences depend on the purpose and function of the software, where and when it is operated, and so on. In general, The key to catch the spy is to put it in an ideal environment and give it the information that it waits and then watching it’s behavior. The job of the DroidSmartFuzzer is to detect Internet usage Unexpected behavior for the doubtful applications which authorized to access the next permissions: Fig. 3. Chameleon Application • RECEIVE SMS • PROCESS OUTGOING CALLS and Incoming calls information from victim’s Android • READ PHONE STATE mobile to our cloud database. We have registered a And for sure these doubtful applications will be authorized to Broadcast Receivers which respond to broadcast mes- access INTERNET permission. DroidSmartFuzzer test cases sages (Received SMS, Incoming Call, Outgoing Call) scenario will be as follows: from the system itself. These messages are sometimes • Preparing of SMS, Incoming Calls and Outgoing Calls called events or intents. Now whenever the Android fuzzing models that will be injected to the application device received SMS, started an out-call or received layer. incoming call event, it will be intercepted by Broad- • Reading all installed applications and their permissions. cast Receiver classes. This system events will fire the • Filtering these applications by any or all of the autho- implemented logic inside onReceive() method that will rized permissions that we listed previously. be executed to send these information via the device In- • Fuzzing the filtered applications with our prepared in- ternet capability out to our cloud database. This concept jectors according to their authorized permissions. of Broadcast Receiver working mechanism will lead us • Monitoring the Internet usage for AUT during the injec- to the medication process. Also will give us the idea to tion life cycle. uncover the behavior mask of any application intended • Reporting a Pass/Fail criteria for the applications under to eavesdrop our privacy. fuzzing test according to its Internet usage behavior.

IV. PROPOSED MODEL FOR DROIDSMARTFUZZER B. DroidSmartFuzzer Design ”MEDICATION” Based on the methodology presented above, we imple- In this section we will take into consideration our deep mented a new tool named DroidSmartFuzzer. The overview understanding of the Chameleon behavior and technique for of DroidSmartFuzzer design is shown in Figure 4. intercepting the user’s privacy, so we will think like a white DroidSmartFuzzer can test any running application on An- hat vulnerability testers. The main target is to develop a full droid real device dynamically once it was authorized to one automated fuzz testing solution, write a good test scenario, of the interested permissions and report its Internet usage design this scenario to be a real fuzz testing environment for behavior instantaneously. To correctly capture the behaviors the AUT, analyze the AUT behavior as a response to our of using permissions inside our proposed spy-ware application fuzzing system, then create our pass fail report. or its similar spy-ware applications, we analyze the execution flow of the DroidSmartFuzzer fuzzing scenario into two related A. DroidSmartFuzzer Methodology stages, the first stage is the manifest explorer and applications DroidSmartFuzzer methodology is based on Fuzz testing or packages information engine that will read all Androidmani- fuzzing which is an effective technique for finding security fest.xml attached to the installed applications of the victim’s vulnerabilities in software or computer systems. Traditionally, cell phone and then filter them according to the interested fuzz testing is a software testing technique, often automated or permissions: INTERNET, PROCESS OUTGOING CALLS, semi-automated, that involves providing invalid, unexpected, or READ PHONE STATE, and RECEIVE SMS. These selected random data to the inputs of a computer program. The program permissions gave us a vulnerability warning of spying issue on is then monitored for exceptions such as crashes, or failing our privacy like our proposed Chameleon application. Second built-in code assertions or for finding unexpected behavior. stage will be achieved by fuzzing these filtered applications one Applications under fuzzing test fail when they behave in a way by one by our prepared injectors for Received SMS, Outgoing their developers did not intend or anticipate. In traditionally Calls and Incoming Calls. For the Received SMS injector we applied fuzzing, failure modes come in four categories: implement a real SMS in PDU format. plication model that contains permission name attribute ”Internet” and one or all of (”Received SMS”,”Incoming Calls”,”Outgoing Calls”) will go through our filter and be ready to the next stage. • Fuzz Test Cases : Now we have a list of the doubtful applications, So we implement a Fuzz Test Cases class that will act as an abstract parent class for Fuzz Received SMS, Fuzz Incoming Calls, and Fuzz Outgoing Calls child classes. This class will encapsulate the intent attributes and the abstract methods needed for the child classes to perform their fuzzing functionalities. • Fuzz Received SMS : The main functions of this child class is to prepare a real PDU SMS ”Wake Up” and its meta data, creating an intent which its action is ”android.provider.Telephony.SMS RECEIVED”, adding the extra bundle data needed to this intent to perform as a real Received SMS injector, and then broadcast this injection to the android application layer. All doubtful applications will receive this SMS as a real one coming from the provider. • Fuzz Incoming Calls : This child class implements Fig. 4. DroidSmartFuzzer Application Structure its Incoming Call injector with the help of Cognalys. Cognalys provides a multi platform service which help application developers in verifying the mobile number in This PDU contains the message ”Wake Up”, and this SMS their applications. We integrate and implement Cognalys contains some meta-data about itself [34]. API in this child class, creating an intent to initialize For the Incoming call injector we used a Cognalys Android Cognalys activity, adding the extra bundle data needed Library [35] which used commercially in mobile number veri- to this intent, adding the verified mobile phone number fication. Integrating Congalys library in our DroidSmartFuzzer which is our target cell phone number, and then running project gave us a good opportunity to inject the AUT with this intent. Our target cell phone will receive a real a real Incoming call environment. The last injector was for incoming call from Cognalys provider within maximum Outgoing Call and we simply use ACTION CALL action to 30 Seconds to verify its number. trigger built-in phone call functionality available in Android • Fuzz Outgoing Calls : The main function of this child device. class is to implement an Outgoing Call injector. The According to the filtered applications of stage 1. We will easiest way to accomplish this call is to create an intent fuzzy them by the previous injectors, then monitoring and which its action is ”Intent.ACTION CALL”, adding the recording the Internet usage behavior according to this fuzz extra bundle data needed to this action to perform as a test scenario. The application that will pass stage one and gives real Outgoing call injector, and then start the activity of a positive impact in consuming Internet usage from any of the this intent. We put the dialed phone number the same fuzzy test cases will be reported to the user as a spy-ware as the target mobile phone number to process a call and application to take a decision of uninstall it or not. then stop it automatically after few seconds because it According to Figure 4 the proposed model for DroidSmart- will respond with busy number. So DroidSmartFuzzer Fuzzer will consist of : will start and stop a real outgoing call within maximum • Main Activity : This activity is the starting point and 6 seconds. main view for DroidSmartFuzzer. Main Activity acts as • Internet Usage Analysis : Now coming to the Internet a sensor to collect all Manifest permissions information usage behavior analysis as a response to the fuzzing from all installed applications. The main task for this injectors. This module is responsible for measuring the module is to convert all installed applications to a list of Internet usage before and during the fuzzing process. modeled Java objects. Each object will encapsulate all We keep track of Internet consuming for the AUT by needed information about this application and a modeled the help of android.net.TrafficStats built-in class. This list of its authenticated permissions. For example the class provides network traffic statistics. These statistics application model will have application name, package include bytes transmitted and received and network name, list of assigned permissions, aliases, and required packets transmitted and received, over all interfaces, over fuzz actions. the mobile interface, and on a per-UID basis. • Permissions Analysis : This module acts as a filter layer • Pass Fail Report : The DroidSmartFuzzer testing results before the starting of fuzzing test cases. Simply it col- accomplished via this module. After reading all installed lects all modeled application objects from the previous applications, filtering them to a list of doubtful appli- list according to authenticated permissions filter. The ap- cations, fuzzing this list, monitoring the Internet usage during the fuzzing life cycle. Now this module will take • Evaluation 3 : As shown in Figure 6, the number of a decision regarding to the AUT and notify the user if transmitted bytes during the fuzzing process are differ this AUT is PASS which means that no Internet usage from application to application, this evaluation gave us a behavior changes during the whole fuzzing process life moral incentive to analyze the AUT transmitted packets cycle, or FAIL which means that the AUT Internet usage in our future work. behavior has changed during the fuzzing life cycle. In • Evaluation 4 : As shown in Table II and behavior chart the case of FAIL, this module will report in details which shown in Figure 6, there is another future study on a sys- privacy or fuzz test case has consumed the Internet as tem application called ”NetworkLocation baidu.apk”, shown in Figure 5. From this report the user can take and its package name is ”com.baidu.map.location”. This action to uninstall this application or not. application interested in Phone state permission which tested by our DroidSmartFuzzer with the Incoming call injector. The application Internet usage behave unex- pectedly during the incoming call fuzzing test, and it transmits 267 Bytes with every incoming call fuzz life cycle, so it has been reported as a spy-ware application, which means that this system application is spying on our Incoming call information.

TABLE I. SAMPLEOFTHE 20 TESTEDSPY-WARE APPLICATIONS

DroidSmartFuzzer App Name Installed Package Store/ Provider Rx In. Out. SMS Calls Calls Truth Spy com.systemservice thetruthspy.com    Ino Spy com.inospy inospy.com    Hello Spy com.hellospy.system hellospy.com    Ti Spy com.sce.display Amazon.com    SMS com.gizmoquip.smstracker Google Play    Fig. 5. DroidSmartFuzzer Application Tracker Chameleon com.google.sync Propsed Ap-    plication

V. EXPERIMENTAL EVALUATION

We run the DroidSmartFuzzer on Samsung Galaxy A3. TABLE II. SAMPLE OF INSTALLED ANDROIDSYSTEMAPPLICATIONS DroidSmartFuzzer installed on Android 4.4 ”Kitkat” because DroidSmartFuzzer App Name Installed Package Store/ Provider of its large distribution among the Android users [36]. The Rx In. Out. results of DroidSmartFuzzer against all the 20 spyware sam- SMS Calls Calls ples including the proposed spy-ware ”Chameleon” is sum- Sys. App. com.baidu.map. location Samsung I  I Sys. App. com.android.browser Samsung I  I marized in Table I, and the already installed applications are Sys. App. com.android.email Samsung   I summarized in Tables II. These tables show the Internet usage Sys. App. com.android.exchange Samsung   I behavior results of AUTs. Behavior chart which represents Sys. App. com.android.mms Samsung   I sample of AUTs Vs Transmitted bytes during the fuzzing process shown in Figure 6. • Evaluation 1 : All the studied commercial spy-ware products Internet usage behaviors and also the free ones VI.CONCLUSIONAND FUTURE WORK on Google play or Amazon store are changing during our In this paper, we studied the Android spy-ware attacks fuzzing life cycle. They all are transmitting data packets that led to user’s privacy leakage. We have proposed a spy- using the available mobile Internet media (WiFi Or ware application to understand the attacker’s strategy and Mobile Data). All these spy-ware applications have been techniques with the help of the Android system permissions, reported by DroidSmartFuzzer as spying on (Received broadcast receivers and intents mechanism to intercept our SMS, Incoming Calls, and Outgoing Calls information). Received SMS, Incoming and Outgoing calls information. Table I, shows a sample of these results. According to this study, we propose a medication solution • Evaluation 2 : Most of the commercial spy-ware which we called DroidSmartFuzzer, it based on the fuzz providers gave their customers the ability to try their spy testing concept to analyze the AUT behavior against the products from 2 to 7 days, as a full functioning demo Internet usage during the fuzzing life cycle. DroidSmartFuzzer versions, But DroidSmartFuzzer detects that these demo achieved the full automation fuzz testing techniques by driving versions still transmitting out the victim’s privacy after test on those spy-ware applications, cataloging the results and the trial period is running out. This gave us a big ques- warning the user immediately to take a decision against this tion. Why these providers still spying on and sending AUT. DroidSmartFuzzer has the ability to do fuzz testing on out the privacy information although their applications all installed applications after filtering them relative to their are only demo versions? permissions. DroidSmartFuzzer efficiently detect 4 free and Fig. 6. Internet Usage of AUTs During Fuzzing top 15 commercial spy-ware applications sold in the market, [13] Spyera, Commercial Spy, http://spyera.com, 30-10-2015 also DroidSmartFuzzer can actually give us an indication of [14] Snoop, Commercial Spy, http://www.snoopvip.com, 30-10-2015 the Zero Day Attack like our Chameleon spy-ware detection. [15] Mobikids, Commercial Spy, http://mobikids.net, 30-10-2015 By the end of 2015 Google announced that a new Android [16] MobileSpy, Commercial Spy, http://immobilespy.com, 30-10-2015 6 Marshmallow, will be applicable with a pair of Nexues [17] HelloSpy, Commercial Spy, http://hellospy.com, 30-10-2015 phones. Marshmallow users will be able to agree to application [18] InoSpy, Commercial Spy, http://inospy.com, 30-10-2015 permissions as they are needed rather than as a long list [19] MobileSpy, Commercial Spy, http://mobile-spy.com, 30-10-2015 when software is installed. The catch is that as we illustrated [20] SMS Tracker, Commercial Spy, https://smstracker.com, 30-10-2015 before the commercial spy-ware and our chameleon spy-ware [21] MaxxSpy, Commercial Spy, http://maxxspy.com, 30-10-2015 are hidden applications, also most of commercial spy-ware [22] TheTruthSpy, Commercial Spy, http://thetruthspy.com, 30-10-2015 applications installed physically to the target victim’s mobile. [23] SMS Tracker, Google Play, http://play.google.com, 30-10-2015 DroidSmartFuzzer also will help Marshmallow users to take [24] SMS Tracker Plus, Google Play, http://play.google.com, 30-10-2015 a decisions of stopping one or more of the permissions after fuzzing these Marshmallow’s applications. Our future work [25] Monitor Call SMS, Amazon Store, http://amazon.com, 30-10-2015 will be designing a cloud database that will be connected [26] Mobile Monitor, Amazon Store, http://amazon.com/, 30-10-2015 to our DroidSmartFuzzer for storing all spy-ware detected [27] PDU Format, Smart Position applications and their attached information to be an applicable [28] A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner,”A survey of mobile malware in the wild,” in SPSM 11. ACM, 2011, pp. 314. reference to all researchers in this field. [29] X. Wei, L. Gomez, I. Neamtiu, and M. Faloutsos. Profiledroid: Implementing a new injectors for fuzzing more important multi-layer profiling of android applications. In Proc. of Mobicom12, privacies like location, send SMS, call recording ... etc. 2012. [30] L. K. Yan and H. Yin. Droidscope: seamlessly reconstructing the os REFERENCES and dalvik semantic views for dynamic android malware analysis. In Proc. of USENIX Security12, 2012. [1] Google, ”Android Security 2014 Year in Review Report” Oct. 2014. [31] K. Z. Chen, N. Johnson, V. DSilva, S. Dai, K. MacNamara, T. [2] Lacoon Mobile Security & Check Point, ”targeted attacks on enterprise Magrino, E. X. Wu, M. Rinard, and D. Song. Contextual policy mobile Threat Research” Feb. 2015. enforcement in android applications with permission event graphs. In Proc. of NDSS13, February 2013. [3] Alcatel.lucent, ”Kindsight Security Labs Malware Report H1 2015” Sep. 2015. [32] Y. Zhou, Z. Wang, W. Zhou, and X. Jiang, Hey, you, get off of my market: Detecting malicious apps in official and alternative android [4] Alcatel.lucent, ”Kindsight Security Labs Malware Report H2 2014” markets, in NDSS12, 2012. Feb. 2015. [33] Y. Zhou, X. Jiang, Dissecting Android Malware: Characterization and [5] Alcatel.lucent, ”Kindsight Security Labs Malware Report H1 2014” Evolution, in IEEE Symposium on Security and Privacy, 2012. Sep. 2014. [34] SMS and PDU format, [6] Alcatel.lucent, ”Kindsight Security Labs Malware Report Q4 2013” http://www.smartposition.nl/resources/sms pdu.html. Jan. 2014. [35] Cognalys, Inc., https://www.cognalys.com. [7] J. Dalman, V. Hantke ”Commercial Spyware-Detecting the Undetectable,” Black Hat USA 2015, July. 2015. [36] Android Developers, Dashboards, https://developer.android.com/about/dashboards/ , Oct 2015. [8] iKeyMonitor, Commercial Spy, http://ikeymonitor.com, 30-10-2015 [37] F-Secure Lab, Threat Description, DROIDKUNGFU.C , Nov 2012. [9] spy1dollar, Commercial Spy, http://spy1dollar.com, 30-10-2015 [10] spy-phone, Commercial Spy, http://spy-phone-app.com, 30-10-2015 [11] MxSpy, Commercial Spy, http://mxspy.com, 30-10-2015 [12] ExactSpy, Commercial Spy, http://exactspy.com, 30-10-2015