International Journal of Electrical and Computer Engineering (IJECE)
Vol. 6, No. 1, February 2016, pp. 249~256
ISSN: 2088-8708, DOI: 10.11591/ijece.v6i1.9012
Journal homepage: http://iaesjournal.com/online/index.php/IJECE
Network Activity Monitoring Against Malware in Android Operating System
Luis M. Acosta-Guzmán*, Gualberto Aguilar-Torres**, Gina Gallegos-Garcia*

* Department of Research and Graduate Studies, Electrical and Mechanical Engineering School, Instituto Politécnico Nacional, Mexico
** Comision Nacional de Seguridad, Secretaria de Gobernacion, Mexico
Article Info

Article history:
Received Sep 12, 2015
Revised Nov 15, 2015
Accepted Nov 30, 2015

ABSTRACT
Google's Android is the most used operating system in mobile devices, but as its popularity has increased, hackers have taken advantage of the momentum to plague Google Play (Android's application store) with multipurpose malware that is capable of stealing private information and, in the worst cases, giving the attacker remote control of the smartphone's features. This work presents a methodology that helps in the process of malware detection for the Android operating system and addresses the aforementioned problem from a perspective that even popular anti-malware software has left aside. It is based on the analysis of a characteristic common to all kinds of malware: the need for network communications, so that the victim device can interact with the attacker. We argue that, in order to improve the security level in Android, our methodology should be considered in the process of malware detection. Its main characteristic is that it does not require additional kernel modules or a rooted Android device. An additional characteristic is that it is simple enough to be used by non-experienced users.
Keywords:
Android
Malware
Methodology
Network Activity Monitor
Security
Copyright © 2016 Institute of Advanced Engineering and Science. All rights reserved.
Corresponding Author:
Gualberto Aguilar Torres,
Comision Nacional de Seguridad, Secretaria de Gobernacion,
Av. Constituyentes #947, Col. Belén de las Flores, Del. Álvaro Obregón, Distrito Federal, CP. 01110, Mexico.
Email: gualberto.aguilar@cns.gob.mx
1. INTRODUCTION

Nowadays, personal computing is turning towards mobile devices. While a few years ago cell phones were intended to give people a way to make phone calls and communicate regardless of their location, today we talk about smartphones, the result of adding more and more functions as well as computational power over time. Thanks to smartphones, people are now able to make calls and video calls, use messaging services over the Internet, send and receive emails, use banking services and even use social networks wherever they are. Practically everything done on a PC or laptop can now be accomplished on a smartphone, in most cases thanks to the appearance of small pieces of software with a specific purpose, commonly known as applications (Apps). Today's smartphones can be classified, depending on the operating system running on the device, into Google's Android, Apple's iOS, RIM's BlackBerry OS, Windows Phone and Symbian [1], each one with its own application store where the user can download paid and free Apps developed for people and enterprises around the globe. According to Nielsen, a leading market research company, 51.8% of smartphones were running Android by the end of June 2012 [2]; in other words, it has become the most used mobile operating system. Considering that, and since Android is the simplest option for App developers (it is freely licensed, its Apps can be developed in Java, and developers can publish their Apps making them
available immediately), this work focuses strictly on Google's Android as an operating system for smartphones and tablets. An example of Android's growth is that by March 15th 2012 there were 450,000 Apps available in Google Play (Android's application store), while in mid-2010 there were only 100,000 [3]. Today we are talking about more than 700,000 Apps according to Bloomberg Businessweek [4, 5].

Unfortunately, not everything is good for Google's Android. As a result of its popularity and the lack of code validation and testing of uploaded Apps, Android has become the weapon of choice for hackers to introduce malicious code into smartphones.
Malicious code, also commonly known as malware, could allow a remote attacker to accomplish different things, from stealing personal private information to taking full control of the device, e.g. sending text messages or making phone calls [6]. In fact, this is the most important reason this work focuses on Android. Although Google has added many security features to its operating system, such as application isolation, the permissions model, read-only access to the kernel and no root permissions by default, among others, there is plenty of malware disguised as legitimate Apps available for the user to download from Google Play.
The principal effort from Google to avoid the presence of malware in Google Play is called "Bouncer", and it was presented on February 2nd 2012. At its presentation Google claimed that it had already been running for a while with the purpose of filtering malicious Apps even before they showed up in Google Play. At that point Google said that between the first and second halves of 2011 they saw a decrease of about 40% in the number of potentially malicious downloads from Google Play (or Android Market, as it was called then) [6]. Even though this was supposed to be the solution to make Android safer, some failures and weak points were found in Bouncer. Jon Oberheide and Charlie Miller, two white hat hackers, presented their analysis of Bouncer at SummerCon 2012 in a work titled "Dissecting the Android Bouncer" [7]. Oberheide and Miller found out that Bouncer is nothing more than an Android virtual machine running in Google's infrastructure that analyzes each App before it is published. Nevertheless, the most important thing they were able to find out and demonstrate is a way to bypass Bouncer's validation.
Similarly, the malware problem has opened a window for antivirus software to become mobile. Nowadays there is a wide variety of Apps available in Google Play intended to give protection against malware and other kinds of information security risks. In this context it is important to consider that, whatever the purpose of a piece of malware is, it will always need a network connection to accomplish its goal: this connection is required mainly so that the victim sends back to the attacker what in general terms can be referred to as stolen data, and so that the victim can receive instructions from the attacker.
AV-TEST Institute, an independent laboratory for information security and antivirus research, published a test report on March 15th 2012 called "Anti-Malware Solutions for Android" in which they put to test 41 different anti-malware solutions. As a result, they grouped the solutions into five sets according to their average detection capacity [8]. As part of the research performed in the development of this work, three solutions were tested from the set with an average detection rate of more than 90% (Avast Mobile Security, Kaspersky Mobile Security and Lookout Security & Antivirus). That was done in order to see if they could identify a threat based on the presence of abnormal network activity. The three solutions were evaluated with a simple App coded to generate multiple connections in a loop to a remote server and also to open multiple ports in a loop, receiving connections from a remote client. Unfortunately, none of the solutions was able to identify the custom App as malicious or suspicious. Moreover, none of them was even able to report the abnormal network activity generated by the custom App.
By analyzing the chosen anti-malware solutions, a firewall feature was identified. This function basically allows the user to choose which Apps can access the Internet over 3G or a wireless connection and which cannot; it does not work strictly as a firewall since it does not give an option to block or permit certain ports. The firewall feature could help, but it is complicated to use since this particular component requires root permissions on the device as well as support for netfilter/iptables (the kernel's packet filtering framework). It is important to remember that Android ships with root access disabled by default, but the user can gain this kind of permission by running a specially crafted piece of code directly in the shell. From the standpoint of information security, enabling root permissions on an Android device is not recommendable for two important reasons: the user cannot be sure whether the rooting software contains any kind of malware such as a backdoor, and a rooted device becomes more vulnerable if it gets compromised because any installed malware can obtain root permissions as well [9].
The present work shows the development and implementation of a methodology to analyze the network activity generated by an Android device in such a way that a "complete" security solution or "anti-malware" solution can take advantage of such analysis. The analysis of network activity by itself can allow the detection of suspicious behavior in a device, but it will never be able to indicate malware presence with one hundred percent certainty. In other words, tracking the network activity can help to identify suspicious behavior, for example when an App intended to be used as a calculator starts to open communication ports in the device, allowing any remote client to connect. In addition, it helps to keep a dynamic, continuous monitoring of the device searching for malware, while current anti-malware solutions principally focus on signature detection at the moment a new App is installed. All of this is done by considering that malware will always need a network connection to accomplish its goal, which is the basis of this work: the output of the network activity analysis is extremely valuable information to be used in the process of determining whether an App is malicious or not.
2. RELATED WORK

Currently, there are no works describing a methodology to gather the network activity in Android, how to take advantage of this information and its importance to determine the malignity of an App. Similarly, there are no Apps in Google Play that could achieve our goal. However, the application called "Connection Tracker Pro" [10] is the work that could be considered related to the focus of the present work. Such App is designed to display the network activity of each App at a given instant. After we ran some tests, we found that the App is actually a graphical representation of running the "netstat" command in a loop from the device's shell. This App could be very helpful from the networking point of view, but to people experienced in information security topics it may be considered suspicious, since its installation requires the phone call permission, as can be seen in Figure 1. Such permission is not necessary and allows the App to obtain the IMEI and IMSI numbers, which uniquely identify the device and the subscriber and can be used to track them. It is also noticeable that the App demands a lot of CPU when running, making the device really slow. As an example we can mention a Sony Tablet S (where we made the test) with a single-core NVIDIA Tegra 2 CPU and 1 GB of RAM, which went from 5% to 60% average CPU usage just by running the App.
Figure 1. Description and permissions of "Connection Tracker" shown in Google Play
It is also important to mention that "Connection Tracker" was not able to identify a port opened by a custom App (listening on the device). Furthermore, this App does not have any documentation or even a website where information about its development could be found; according to Google Play its website should be www.borgshell.com, which leads to a non-existing web page. Even though the goal, use and context of "Connection Tracker" are different from those of the present work, it is mentioned as related work because in the description of the App shown by Google Play it can be read that this application will help the user to keep the device secure by monitoring its connections.
3. CONSIDERATIONS IN OUR PROPOSED METHODOLOGY
It is important to emphasize that the approach of this methodology consists in the development of the mechanism to keep track of the network activity, not the mechanisms to evaluate and detect suspicious behavior nor to identify malware. In other words, our methodology shows the implementation of a Network Activity Monitor (NAM) for Android that is capable of running all the time as a background service in order to identify newly established connections and connection attempts. It is also capable of listing open ports waiting for a remote connection on the device and of identifying which installed App is responsible for each new connection. Considering the aforementioned, our methodology improves the information security level in Android OS along with its three main attributes: confidentiality, integrity and non-repudiation. The NAM App works without the need for root permissions (a rooted device) and only requires a few permissions from the user at the moment of installation.
As clarified previously, the network activity monitor by itself cannot be used to identify malware, but it could be used as a standalone App working in a blacklisting scheme where a user receives an alert if a selected (blacklisted) App generates network activity. As a consequence, the user running the NAM on their device may have an opportunity to kill the process or App that is generating dubious network activity. Alerting the user is the only reactive measure the NAM App can take without requiring root permissions.
Figure 2. Our proposal invokes the netstat command through a call to the system
Tests were made trying to provide the NAM with the capacity of killing a blacklisted application automatically, as an action triggered by the detection of network activity. It was found that on a rooted device it would be as simple as running the command "kill [process id]" directly in the shell (as on a regular Linux system), but on a non-rooted device the user does not have permission to kill processes that belong to other UIDs, and the means provided by the Android SDK do not help either: android.os.Process.killProcess() can only terminate processes running under the caller's own UID, and ActivityManager.killBackgroundProcesses() (which needs the KILL_BACKGROUND_PROCESSES permission) only affects another package's processes while they are in the background, and the system is free to restart them.
4. PROPOSED METHODOLOGY
This section describes our entire methodology and the implementation of the Network Activity Monitor for Android as if it were meant to be a standalone application.
The first step is to get the Android device's current network activity. This can be easily achieved on mobile devices running Android thanks to its Linux kernel, using the command "netstat" just like on an ordinary computer. The Android App developed in this work spawns the netstat binary through the "Process" and "Runtime" Java classes and the method Runtime.getRuntime().exec(), as can be appreciated in Figure 2. As can be seen in Figure 2, the netstat command provides an output showing all active sockets in a table containing important information such as the protocol (TCP, UDP, TCP6 or UDP6), the local address (source IP address), the foreign address (destination IP address) and also the state of the socket. The state parameter provides a way to differentiate connections that are already established ("ESTABLISHED") from connections that are initiating ("SYN_SENT"), connections that are ending ("CLOSE_WAIT", "TIME_WAIT", "FIN_WAIT" and many more) and listening ports that are waiting for a connection from a different host in the network ("LISTEN") [11]. Note that netstat is a user-space tool, not part of the kernel: it builds this table by reading the same /proc/net/ files that are parsed later in this section.
Once the active sockets are obtained, it is necessary to classify each element of the output into one of just three types: active connections, connection attempts, and listening ports; this determines the treatment required in the next step. It is important to clarify that, given the purpose of this work, the rest of the sockets can be discarded (e.g. connections in the "TIME_WAIT" state), since detecting a closing connection would not make a big difference because it would be too late for the user to take action if alerted; moreover, every connection originates in the "SYN_SENT" or "LISTEN" state and becomes active (begins the data transfer) in the "ESTABLISHED" state. UDP sockets carry no connection state, so for the "UDP" and "UDP6" entries only the local port (and the remote endpoint, if the socket is connected) is available.
Besides the "State", it is essential to identify the value of the "Proto" parameter of the output for each element. This parameter can only take one of the following values: "TCP", "TCP6", "UDP" or "UDP6". We will get to the importance of this at the moment of process-connection identification. The next step is to identify the destination IP address as well as the source and destination ports for each element of the netstat output in the "ESTABLISHED" or "SYN_SENT" state; in other words, for active connections and connection attempts. From the elements in the "LISTEN" state it is only possible to obtain the number of the listening port. Identification can be accomplished by parsing the output using just the "String" Java class and its methods such as trim(), split(), charAt(), replace() and indexOf(). Still, it is not as simple as it looks, because the character structure of each socket line in the output depends on two factors: the value of the "Proto" parameter and the value of the "State" parameter. As a result, each case must be considered, which is why it is important to differentiate the connections by their state, as shown in Figure 3.
Figure 3. It is important to differentiate the connections in the netstat output
The source port of the connections becomes really important in order to obtain all possible connections, because there can be multiple connections to the same destination address and port but there cannot be two from the same local address with the same source port. To sum up, each active or initiating connection requires a different, unused source port, as seen in Figure 4.
Figure 4. Source port, destination IP, destination port and state of the connections
Identifying addresses and ports is fundamental not only because they are the connection's detailed information by themselves, but also because they lead to the identification of the App responsible for each socket. On a regular Linux system or on Windows (where the netstat command can also be found) the process responsible for a connection can be reported by the command itself, but not by the netstat included in Android. Getting the local port and the remote address and port needs to be complemented with the identification of which process (App) is responsible for each connection (considering that one App could be responsible for multiple connections); this can be done by looking into certain files stored in the Linux file system that contain dynamic information about the network activity. Which file to check depends on the value of the "Proto" parameter (earlier it was established that this value must be identified): there is one file per possible value ("TCP", "UDP", "TCP6" or "UDP6") and all the files are located in the path "/proc/net/". For example, for a connection with the value "TCP" the file that needs to be reviewed is "/proc/net/tcp". This can be easily done with the command "cat"; hence, the NAM must run the command "cat /proc/net/tcp" (for example) and store the output in a buffer so it can be analyzed, see Figure 5. The same content can also be read directly from Java with a FileReader, without spawning a shell. This access is specific to the Android versions the work was tested on: since Android 10, third-party applications are no longer permitted to read /proc/net/, and the framework's ConnectivityManager and NetworkStatsManager APIs have to be used instead.
Figure 5. Existing files in the path "/proc/net/", one per possible "Proto" value
Every file contains the information of the current connections associated with that particular protocol; this information includes the source address and port as well as the destination address and port, provided in hexadecimal. Moreover, it contains the UID responsible for each connection. This UID needs to be obtained, which can be done by converting the addresses and ports of the netstat entry to hex and searching for them inside the corresponding file, as shown in Figure 6. Note that the address is written in the host's byte order (little-endian on Android devices), so 10.0.2.15 appears as 0F02000A, while the port is written big-endian (port 80 is 0050).
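The parsing described in this step and in the state classification above, as an added example written for this page in Python rather than the paper's Java (it is not the authors' code): it decodes /proc/net/tcp and /proc/net/tcp6 lines into the three socket classes the NAM keeps and attributes each socket to its UID. The sample file content is constructed for the example; the UID 10003 connection to port 80 mirrors Figure 6. Because /proc/net/ already carries protocol, endpoints, state and UID, reading these files directly makes the separate netstat pass unnecessary.

```python
"""Decode /proc/net/tcp{,6} into the NAM's three socket classes, attributed to UIDs.

Added example for this page (not the paper's Java implementation). Runs on any
host; on a device the text would come from reading /proc/net/<proto> instead of
the constructed sample below.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One file per "Proto" value, as the paper notes.
PROC_NET_FILES = {"tcp": "/proc/net/tcp", "tcp6": "/proc/net/tcp6",
                  "udp": "/proc/net/udp", "udp6": "/proc/net/udp6"}

# Kernel TCP state codes (include/net/tcp_states.h) as they appear in the "st" column.
TCP_STATES = {0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV",
              0x04: "FIN_WAIT1", 0x05: "FIN_WAIT2", 0x06: "TIME_WAIT",
              0x07: "CLOSE", 0x08: "CLOSE_WAIT", 0x09: "LAST_ACK",
              0x0A: "LISTEN", 0x0B: "CLOSING"}

# The paper tracks only these three; closing/half-closed sockets are discarded.
TRACKED = {"ESTABLISHED": "established", "SYN_SENT": "attempt", "LISTEN": "listening"}


@dataclass(frozen=True)
class Socket:
    proto: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    kind: str   # "established" | "attempt" | "listening"
    uid: int


def decode_endpoint(field: str) -> Tuple[str, int]:
    """'0F02000A:0050' -> ('10.0.2.15', 80).

    The kernel prints the address in host byte order (little-endian on Android
    hardware), one 32-bit word for IPv4 and four for IPv6, so every word is
    byte-reversed; the port is ordinary big-endian hex."""
    addr_hex, port_hex = field.split(":")
    words = [addr_hex[i:i + 8] for i in range(0, len(addr_hex), 8)]
    raw = b"".join(bytes.fromhex(word)[::-1] for word in words)
    return str(ipaddress.ip_address(raw)), int(port_hex, 16)


def parse_proc_net(text: str, proto: str) -> List[Socket]:
    """Parse the content of one /proc/net/<proto> file, keeping tracked states only."""
    sockets: List[Socket] = []
    for line in text.splitlines()[1:]:          # line 0 is the column header
        cols = line.split()
        if len(cols) < 8:
            continue
        state = TCP_STATES.get(int(cols[3], 16), "UNKNOWN")
        kind: Optional[str] = TRACKED.get(state)
        if kind is None:
            continue                               # TIME_WAIT etc.: too late to act on
        laddr, lport = decode_endpoint(cols[1])
        raddr, rport = decode_endpoint(cols[2])
        sockets.append(Socket(proto, laddr, lport, raddr, rport, kind, int(cols[7])))
    return sockets


def group_by_uid(sockets: List[Socket]) -> Dict[int, List[Socket]]:
    """UID -> sockets, the step that precedes UID-to-App-name resolution."""
    by_uid: Dict[int, List[Socket]] = {}
    for sock in sockets:
        by_uid.setdefault(sock.uid, []).append(sock)
    return by_uid


# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE_PROC_NET_TCP = "\n".join([
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10056        0 38211 1 0000000000000000 100 0 0 10 0",
    "   1: 0F02000A:B4E2 4A7D1B8E:0050 01 00000000:00000000 00:00000000 00000000 10003        0 38300 1 0000000000000000 20 4 30 10 -1",
    "   2: 0F02000A:B4E4 2E3D98AD:01BB 02 00000000:00000000 01:00000134 00000000 10003        0 38305 1 0000000000000000 20 4 30 10 -1",
    "   3: 0F02000A:B4E0 4A7D1B8E:0050 06 00000000:00000000 03:00000A12 00000000     0        0 0 3 0000000000000000",
])

if __name__ == "__main__":
    for uid, socks in sorted(group_by_uid(parse_proc_net(SAMPLE_PROC_NET_TCP, "tcp")).items()):
        for s in socks:
            print(f"uid={uid} {s.proto} {s.kind:<11} {s.local_addr}:{s.local_port} -> {s.remote_addr}:{s.remote_port}")
```

The fourth sample row is a TIME_WAIT socket and is dropped, exactly as the methodology prescribes; the UDP files have the same column layout and can be fed to the same parser, bearing in mind that their "st" column does not describe a real connection state.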
Figure 6. Content of the file "/proc/net/tcp" shows connections to port 80 (0050 in hex) with UID 10003
The UID is an integer value used in UNIX systems for user identification within the kernel. On a regular Linux system all the Apps run by a user have the same UID; on the other hand, Android assigns a different UID to each installed App at install time, and each App runs in its own process (its own Dalvik virtual machine instance) under that UID. This is known as the "Application Sandbox". Although it is possible to share a UID between two different Apps, it can only be accomplished if both Apps declare the same shared user ID and are signed by the same developer [11]. Hence, the identification of the UID can lead to the identification of the process name and of the App name.
Once the UID has been obtained, the process name can be acquired through the Android SDK by using the class ActivityManager and its method getRunningAppProcesses(). This method returns a list of RunningAppProcessInfo objects, where each element is a running process with attributes such as uid, pid (process id) and processName; therefore, a simple search for the UID in the list does the job. Because a process name would not make much sense to regular users, the App name (called Label) can also be identified using the SDK, through PackageManager. Note that on newer Android releases getRunningAppProcesses() only returns the caller's own process; PackageManager.getPackagesForUid() remains the reliable way to map a UID to its package names.
At the end, by using a loop to apply the presented mechanism to every element of the "netstat" output, three sets of connections are identified (established connections, attempted connections and listening ports), each element of these sets with a protocol, a source address and port, a destination address and port and a process (App) responsible for that particular socket. The three sets should be stored in the device as data structures rather than plain text files, in order to keep a record of the previous state of network activity so that the user is not alerted again when the NAM detects the same connection many times, as long as it is not closed. For this reason the developed NAM App requires "android.permission.WRITE_EXTERNAL_STORAGE", this permission being the only one required for the App to do its job. Note that external storage is readable by any other App holding READ_EXTERNAL_STORAGE, so the App's private internal storage (Context.getFilesDir()) is the safer place for this record and needs no permission at all.
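The stateful part of the monitor described in this paragraph and in Section 3 (alert once per new connection, only for blacklisted Apps, remember what was already seen), as an added example written for this page in Python; it is not the authors' App. It takes sockets already attributed to UIDs, as the /proc/net step yields them, so the snapshots and the UID-to-label map below are constructed for the example, and it persists the record as JSON, which belongs in the App's private storage rather than on external storage.

```python
"""Snapshot differencing and blacklist alerting for a Network Activity Monitor.

Added example for this page (not the paper's App). Each socket is the tuple
(uid, proto, local_port, remote_addr, remote_port, kind) that the /proc/net
parsing step yields; the snapshots here are constructed by hand.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

SocketKey = Tuple[int, str, int, str, int, str]   # uid, proto, lport, raddr, rport, kind


@dataclass(frozen=True)
class Alert:
    uid: int
    label: str
    kind: str
    detail: str


class NetworkActivityMonitor:
    """Keeps the previous state so an open connection is reported only once.

    A socket is identified by its UID and 5-tuple; the paper relies on the
    source port to tell apart several connections to the same destination."""

    def __init__(self, blacklist: Iterable[int], labels: Dict[int, str]):
        self.blacklist: Set[int] = set(blacklist)     # UIDs the user says need no network
        self.labels = labels                          # uid -> App label (PackageManager on device)
        self.seen: Set[SocketKey] = set()

    def observe(self, sockets: Iterable[SocketKey]) -> List[Alert]:
        """Feed one pass over /proc/net; returns alerts for sockets not seen last time."""
        current = set(sockets)
        new = current - self.seen
        # Drop closed sockets so a connection re-opened later is reported again.
        self.seen = current
        return [self._alert(key) for key in sorted(new) if key[0] in self.blacklist]

    def _alert(self, key: SocketKey) -> Alert:
        uid, proto, lport, raddr, rport, kind = key
        label = self.labels.get(uid, f"uid {uid}")
        if kind == "listening":
            detail = f"{proto} listening on local port {lport}"
        else:
            detail = f"{proto} {kind} from local port {lport} to {raddr}:{rport}"
        return Alert(uid, label, kind, detail)

    # Persistence of the previous state between service runs.
    def to_json(self) -> str:
        return json.dumps({"blacklist": sorted(self.blacklist), "seen": sorted(self.seen)})

    @classmethod
    def from_json(cls, data: str, labels: Dict[int, str]) -> "NetworkActivityMonitor":
        obj = json.loads(data)
        mon = cls(obj["blacklist"], labels)
        mon.seen = {tuple(item) for item in obj["seen"]}
        return mon


# Constructed data: the "calculator" (uid 10056) should never touch the network.
LABELS = {10003: "Browser", 10056: "Calculator"}
SNAPSHOT_1 = [
    (10003, "tcp", 46306, "142.27.125.74", 80, "established"),
    (10056, "tcp", 8080, "0.0.0.0", 0, "listening"),
]
SNAPSHOT_2 = SNAPSHOT_1 + [(10056, "tcp", 46310, "198.51.100.7", 4444, "attempt")]
SNAPSHOT_3 = [(10003, "tcp", 46312, "142.27.125.74", 443, "established")]


def run_demo() -> List[List[Alert]]:
    """Five monitor passes; a pass that sees nothing new raises no alert."""
    mon = NetworkActivityMonitor(blacklist={10056}, labels=LABELS)
    rounds = [mon.observe(SNAPSHOT_1), mon.observe(SNAPSHOT_1), mon.observe(SNAPSHOT_2)]
    restored = NetworkActivityMonitor.from_json(mon.to_json(), LABELS)  # survives a service restart
    rounds.append(restored.observe(SNAPSHOT_3))     # browser only: not blacklisted, silent
    rounds.append(restored.observe(SNAPSHOT_2))     # calculator sockets came back: alert again
    return rounds


if __name__ == "__main__":
    for i, alerts in enumerate(run_demo(), 1):
        print(f"pass {i}: " + ("; ".join(f"{a.label}: {a.detail}" for a in alerts) or "nothing new"))
```

Alerting is the only action available without root, as Section 3 explains, so the monitor returns the alerts and leaves the decision to kill or uninstall the App to the user.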
The average CPU usage of the Network Activity Monitor is the result of a designed test in which a device is operated normally using four different Apps (YouTube, WhatsApp, Google Chrome and Gmail), each one during one minute. During this four-minute operation the Network Activity Monitor keeps running, performing all of its tasks, while CPU usage information is gathered through the execution of the "top" tool directly in the Android shell. This test was applied to four different devices from different market segments (from low-capacity to high-capacity devices), giving as particular results the average value of CPU usage commented below.
"top" is a tool contained in most Linux distributions that allows gathering information about which processes are consuming most of the resources, giving the exact value of CPU usage. For our test the top command was set up with particular values to capture only the top ten processes, sampling every two seconds until reaching 120 measurements and writing the collected information to a text file.
5. RESULTS AND DISCUSSION
The resulting App can run indefinitely as a background service without decreasing the performance of the device, giving a good user experience. This test was done on a Sony Tablet S with a single-core NVIDIA Tegra 2 CPU and 1 GB of memory, and the App runs in the background without making a significant difference to the user experience. Tests reported only an increase of 2-5% in CPU usage when the detection is running. It is important to recall that the user can change the interval between detection runs. Certainly, if we decrease the interval, we can identify more dubious network activity.
The fi
rewall feature
prese
n
t
e
d as a feat
ure or as
a
de
di
cat
ed A
pp
re
q
u
i
r
es
ro
ot
pe
r
m
i
ssi
ons an
d
netfilter/iptabl
es on t
h
e
de
vice. As a
result, it is
not
easil
y accom
p
lishable for a
re
gul
ar
user;
furthe
rm
ore,
ro
ot
i
n
g a
de
vi
ce co
ul
d
dec
r
ease t
h
e sec
u
r
i
t
y
l
e
vel
on a
de
vi
ce.
In
t
h
i
s
sense
,
ou
r
p
r
o
p
o
sal
us
es s
t
ora
g
e
perm
issions in order to gi
ve agility to the user. Ne
t
w
ork activity-process identif
ication
can be accom
p
lished
wi
t
h
o
u
t
ro
ot
i
n
g t
h
e
de
vi
ce
or
aski
ng
f
o
r
pe
r
m
i
ssi
ons.
There is no way to kill a process that has been spotted as a suspicious App because of its network behavior without root permissions. The best option is to alert the user based on a blacklist of Apps that should not require network access. The user must set this blacklist.
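One way the blacklist alert and the listening-port check described above could be implemented from unprivileged data, as an added example that is not the paper's code. It assumes /proc/net/tcp as the socket source (readable by unprivileged apps on Android releases of the paper's era, restricted from Android 10 on) and a uid-to-package map obtained elsewhere; the map, the blacklist and the socket table are constructed sample data, and whether the paper's NAM reads this source is not stated in this section.

```python
"""Added example, not the paper's code: flag suspicious sockets by app uid.
Assumed technique: read /proc/net/tcp (readable by unprivileged apps on Android
of the paper's era; restricted from Android 10) and map socket uids to packages.
The uid map, blacklist and socket table below are constructed sample data."""
LISTEN = 0x0A          # TCP state code for LISTEN in /proc/net/tcp
APP_UID_START = 10000  # Android assigns installed apps uids >= 10000

# Constructed sample of /proc/net/tcp (hex fields; IPv4 bytes little-endian).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10061        0 12345 1
   1: 0100A8C0:B3E2 076433C6:01BB 01 00000000:00000000 00:00000000 00000000 10047        0 12399 1
   2: 0100A8C0:C1A0 076433C6:01BB 01 00000000:00000000 00:00000000 00000000 10012        0 12410 1
   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11000 1
"""
# Constructed: on a real device this map would come from PackageManager.
SAMPLE_UID_TO_PACKAGE = {10061: "com.example.flashlight", 10047: "com.example.weather",
                         10012: "com.example.calculator"}
# User-set blacklist of Apps that should never need network access.
SAMPLE_BLACKLIST = {"com.example.flashlight", "com.example.calculator"}

def hex_addr(field):
    """'0100007F:1F90' -> ('127.0.0.1', 8080); address bytes are little-endian."""
    ip_hex, port_hex = field.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(map(str, octets)), int(port_hex, 16)
def parse_proc_net_tcp(text):
    """Return (uid, (local_ip, port), (remote_ip, port), state) per socket line."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) >= 8:
            sockets.append((int(f[7]), hex_addr(f[1]), hex_addr(f[2]), int(f[3], 16)))
    return sockets
def find_suspicious(sockets, uid_to_package, blacklist):
    """Alert on any App with a LISTEN socket and on any blacklisted App with a socket."""
    alerts = []
    for uid, (_lip, lport), (rip, rport), state in sockets:
        if uid < APP_UID_START:
            continue  # system uids are outside the user's blacklist
        pkg = uid_to_package.get(uid, "uid:%d" % uid)
        reasons = []
        if state == LISTEN:
            reasons.append("listening on port %d" % lport)
        if pkg in blacklist:
            reasons.append("blacklisted app has socket to %s:%d" % (rip, rport))
        if reasons:
            alerts.append((pkg, "; ".join(reasons)))
    return alerts
```

On the sample, the flashlight App is reported both for listening on 8080 and for being blacklisted, the calculator App for a blacklisted outbound connection, and the system uid 1000 is skipped.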
Table 1. Results from the designed test to measure the NAM resource usage

Device               | Model   | Average CPU usage by App process | Average CPU usage by the system | Average total CPU usage | Average CPU usage by Network Activity Monitor
LG Optimus L7        | LG P700 | 52%                              | 36%                             | 87%                     | 6%
LG Optimus L7x       | LG P714 | 44%                              | 34%                             | 79%                     | 6%
Sony Xperia Tablet   | SGPT12  | 23%                              | 18%                             | 40%                     | 5%
Google Nexus 4       | LG E960 | 9%                               | 7%                              | 16%                     | 3%
Average CPU usage    |         |                                  |                                 |                         | 5%
It is important to mention that a similar App was found in Google Play without any documentation available; tests made on this App reflect that it presents suspicious behavior. For example, it requires phone call permissions, it increases CPU usage to around 60% of its capacity, and it was not able to detect a listening port opened by a custom App. Moreover, the best-rated Anti-Malware Apps were not able to identify suspicious network behavior.
As can be seen in Table 1, the results we obtained report only an average 5% of CPU usage caused by the Network Activity Monitor, and even when there is high CPU usage on a device, only a small part of this consumption is caused by the Network Activity Monitor. This last point is really important, since the Network Activity Monitor would not be useful if the device's performance were degraded, decreasing the user experience.
6. CONCLUSIONS AND FUTURE WORK
Google's efforts to take down Malware still need to be improved: Google should provide the Android OS with the Firewall feature by default, as part of the system, so the user can choose which Apps can access the network and which ones cannot. Rooting a device to take advantage of a Firewall feature cannot be a good option from an Information Security perspective, because the benefit is less than the risk taken.
The NAM is truly an opportunity for the user to identify Malware disguised as some cool App downloaded from Google Play, and it provides a base work that can be very useful in the future, as the tendency points to moving many services to the cloud.
Considering that the research and fundamental pieces of code are finished in this work, we leave as open research for the future: taking this code into a good user interface; publishing the App so that it becomes available to Android users along with all the documentation; and the design and implementation of a mechanism to determine suspicious network behavior.
ACKNOWLEDGMENTS
The authors thank the Instituto Politecnico Nacional and the Consejo Nacional de Ciencia y Tecnologia. The research for this paper was financially supported by Project Grant No. SIP-2014-RE/123/CONACyT 216533.
BIOGRAPHIES OF AUTHORS

M. Eng. Luis Miguel Acosta Guzmán received the BS in Computer Science and Technology from the Monterrey Institute of Technology and Higher Education, Mexico City Campus, in 2011. He holds two certifications: Ethical Hacking from the EC-Council and CCNA from Cisco. He is currently studying a Masters in Information Security. His areas of interest are: Hacking, Computer Forensics and the Android Operating System.

Dr. Gualberto Aguilar Torres received the BS degree in Electronic and Communications Engineering in 2002, the MS degree in Microelectronic Engineering in 2004 and a Ph.D. degree in Electronic and Communications in 2008, from the National Polytechnic Institute. In 2005 he received the Best Thesis award from the National Polytechnic Institute of Mexico for his Master's research work. In 2009 he joined the Graduate Studies Department of the Mechanical Engineering School of the National Polytechnic Institute of Mexico, and nowadays he works at the National Safety Commission in Mexico City.

Dra. Gina Gallegos-Garcia received an MS degree and a Ph.D. from the National Polytechnic Institute of Mexico in 2005 and 2011 respectively. She is currently Professor of the Graduate Section of the Mechanical and Electrical Engineering School and belongs to the National System of Researchers. During the summer of 2011 she performed postdoctoral research at Yale University in the United States of America. Her areas of interest include Electronic Voting, Secure Cryptographic Application Design, Information Systems and Cryptography, and Software Engineering.