Research Article

Detection and Visualization of Android Malware Behavior

Table 1: Malware family, detection rules, and suspicious functions.

| Malware family | Detection rules | Suspicious functions |
|---|---|---|
| FakePlayer | IF (SEND_SMS) && (CALL_sendTextMessage() with preset numbers) THEN Malware | sendTextMessage(7132, null, 846976, null, null) |
| SMSReplicator | IF (SEND_SMS) && (CALL_sendTextMessage() with preset numbers) THEN Malware | sendTextMessage(1245, null, {From: 123456789 Hi how are you}, null, null) |
| iMatch | IF Not (ACCESS_FINE_LOCATION) && IF (SEND_SMS) THEN Malware | requestLocationUpdates(); sendTextMessage() |
| DroidKungFu1 | IF (INTERNET) && IF Not (ACCESS_FINE_LOCATION)<br>IF (READ_PHONE_STATE) && IF (INTERNET) THEN Malware | getLatitude(); getLongitude(); getDeviceId(); getLine1Number(); getImei() |
| DroidKungFu4 | IF (INTERNET) && IF (READ_PHONE_STATE) THEN Malware | getDeviceId(); getLine1Number(); getSimSerial(); getImei() |
| GoldDream (Purman) | IF (READ_PHONE_STATE) && IF Not (SEND_SMS)<br>IF Not (READ_PHONE_STATE) && IF (INTERNET) THEN Malware | getDeviceId(); getLine1Number(); getSimSerial(); sendTextMessage(); getImei() |
| GoldDream (Dizz) | IF (READ_PHONE_STATE) && IF Not (SEND_SMS)<br>IF Not (ACCESS_FINE_LOCATION) && IF (INTERNET) THEN Malware | getDeviceId(); getLine1Number(); getSimSerial(); sendTextMessage(); requestLocationUpdates(); getImei() |
| GGTracker | IF (READ_PHONE_STATE) && Not (SEND_SMS)<br>IF Not (ACCESS_FINE_LOCATION) && IF (INTERNET) THEN Malware | getDeviceId(); getLine1Number(); getSimSerial(); sendTextMessage(); requestLocationUpdates(); getImei() |
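The FakePlayer and SMSReplicator rule from Table 1, written as a small checker; this is an added example, not code from the article. It assumes a hypothetical per-app record (declared permissions plus logged call strings), reads "preset number" as a literal digit string in the destination argument, and runs on constructed sample apps.

```python
import re

CALL_RE = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*;?\s*$", re.S)  # name(arg, arg, ...)
PRESET_RE = re.compile(r'^"?\+?\d{3,15}"?$')  # literal digits = "preset" (assumption)

def parse_call(line):
    """Return (function_name, [args]) for one logged call, or None."""
    m = CALL_RE.match(line)
    if not m:
        return None
    args, depth, cur = [], 0, ""
    for ch in m.group(2):  # split on top-level commas only, so {...} bodies stay whole
        if ch in "{(":
            depth += 1
        elif ch in "})":
            depth -= 1
        if ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    args.append(cur.strip())
    return m.group(1), args

def preset_sms_rule(app):
    """IF (SEND_SMS) && (CALL_sendTextMessage() with preset numbers): return the numbers."""
    if "SEND_SMS" not in app["permissions"]:
        return []
    hits = []
    for line in app["calls"]:
        call = parse_call(line)
        if call and call[0] == "sendTextMessage" and PRESET_RE.match(call[1][0]):
            hits.append(call[1][0].strip('"'))
    return hits

def classify(app):
    hits = preset_sms_rule(app)
    return ("Malware", hits) if hits else ("no rule matched", [])

# Constructed sample records; the two call strings are the ones listed in Table 1.
SAMPLES = {
    "fakeplayer_like": {"permissions": {"SEND_SMS"}, "calls": ["sendTextMessage(7132, null, 846976, null, null)"]},
    "smsreplicator_like": {"permissions": {"SEND_SMS", "RECEIVE_SMS"}, "calls": ["sendTextMessage(1245, null, {From: 123456789 Hi how are you}, null, null)"]},
    "messenger": {"permissions": {"SEND_SMS"}, "calls": ["sendTextMessage(recipient, null, body, null, null)"]},
    "no_permission": {"permissions": {"INTERNET"}, "calls": ["sendTextMessage(7132, null, 846976, null, null)"]},
}

if __name__ == "__main__":
    for name, app in SAMPLES.items():
        print(name, classify(app))
```

The `messenger` record shows why the rule needs the "preset" condition: an app that sends to a user-chosen recipient holds the same permission and calls the same API, but does not match.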