Android malware is widespread despite the effort provided by Google in order to prevent it from the official application market, Play Store. Two techniques namely static and dynamic analysis are commonly used to detect malicious applications in Android ecosystem. Both of these techniques have their own advantages and disadvantages. In this paper, we propose a novel hybrid Android malware analysis approach namely mad4a which uses the advantages of both static and dynamic analysis techniques. The aim of this study is revealing some unknown characteristics of Android malware through the used various analysis techniques. As the result of static and dynamic analysis on the widely used Android application datasets, digital investigators are informed about some underestimated characteristics of Android malware.

Introduction

Smartphones have changed the life of people dramatically in the last decade thanks to the provided functionalities and mobility. Android leads the mobile operating system market by being used on over 2 billion monthly active devices (Burke, 2017; Popper, 2017). According to a recent report by IDC1 , Android dominates the global smartphone market with being used on 85% of smartphones in all around the world (IDC Smartphone OS Market Share, 2017). It is expected that Android’s global market share is expected to rise to 90% in 2017 (Bosnjak, 2017). As a result of this popularity, the official application market, Play Store, is used to install 82 billion applications in 2016 (Burke, 2017). It is reported that Play Store is growing at three times the rate of Apple’s App Store which is the official application market of iOS and the biggest official mobile application market after Play Store (Lookout, 2011). As a result of this popularity, Play Store attracts the attention of malware developers (Delac et al., 2011; Portokalidis et al., 2010; Wu et al., 2012; Zhou et al., 2012). Android malware has grown by 580% between September 2011 and September 2012 (Protalinski, 2012). According to a recent report by Check Point2 , the Android malware app “Judy” may have reached as many as 36.5 million users (The Judy Malware Possibly the largest malware campaign found on Google Play, 2017). McAfee Labs report that there are around 2.5 million new Android malware samples exposed yearly (McAfee Labs Threats Predictions Report, 2016). Also, they report that total mobile malware grew 79% in the past four quarters to 16.7 million samples (McAfee Labs Threats Report June 2017, 2017). Despite that these reports demonstrate how serious the threat is, the lack of security awareness of Android digital investigators is reported by many researches (Enck et al., 2009; Kelley et al., 2012; King et al., 2011; Mylonas et al., 2013). According to a recent report, while only 17% of participants are interested in permissions while installing the applications, 42% of participants are even unaware of the permissions (Felt et al., 2012). Google uses Bouncer which is a service supposed to detect malicious applications which are available on Play Store by scanning every available application using dynamic analysis (Alzaylaee et al., 2017; Lockheimer, 2012). Alongside to the Bouncer, Google has announced Google Play Protect during the event Google I/O 2017 (Android e Google Play Protect, 2017; Cunningham, 2017). Google Play Protect is an always-on service which is bundled with the Play Store app. Google Play Protect scans the applications automatically even after the installation to ensure the applications remain safe in terms of security. According to the official website of Google Play Protect, it is reported that 50 billion applications are scanned by Google Play Protect daily (Android e Google Play Protect, 2017). An advantage of Google Play Protect over Bouncer is that Google Play Protect is able to scan applications which are not installed from Play Store. To the best of our knowledge, this paper is the first academic paper which introduces the Google Play Protect. Android malware detection systems are generally categorized into two: (1) Static analysis, and (2) dynamic analysis.