Mobile Information Systems, 2016, Research Article
Function-Oriented Mobile Malware Analysis as First Aid
Table 2: Examples of malicious functionalities and their suspicious API call patterns.
Category: Hiding SMS notification
Suspicious API call pattern: {getOriginatingAddress() getMessageBody() getDisplayMessageBody()} abortBroadcast()
Additional information: android.provider.Telephony.SMS_RECEIVED with high priority

Category: Hiding shortcut
Suspicious API call pattern: setComponentEnabledSetting() abortBroadcast()
Additional information: (none)

Category: SMS message hijacking
Suspicious API call pattern: {query() parse()} getExternalStorageDirectory() getExternalStorageState() Transmission APIs
Additional information: content://sms; {Hiding SMS notification Hiding shortcut}

Category: Contacts content hijacking
Suspicious API call pattern: getContentResolver() query() getLine1Number() Transmission APIs
Additional information: {Phone.CONTENT_URI Contacts.CONTENT_URI}; {Hiding SMS notification Hiding shortcut}

Category: Bookmark hijacking
Suspicious API call pattern: getContentResolver() Transmission APIs
Additional information: BOOKMARKS_URI; {Hiding SMS notification Hiding shortcut}

Category: Location information content hijacking
Suspicious API call pattern: getLastKnownLocation() Transmission APIs
Additional information: {Hiding SMS notification Hiding shortcut}

Category: Hijacking certificate for financial transaction
Suspicious API call pattern: {getExternalStorageDirectory() getExternalStorageState()} FileOutputStream ZipOutputStream.close() Transmission APIs
Additional information: /npki; {Hiding SMS notification Hiding shortcut}
Transmission APIs: the APIs of the AQuery.ajax(), HttpClient(), DefaultHttpClient(), URLConnection() or HttpURLConnection() class.
Notation: A B denotes that the malware calls functions A and B successively (no other API call can be executed between A and B). A B denotes that the malware calls functions A and B, but not necessarily successively (other API calls can be executed between A and B). A B denotes that the malware calls function A or B.
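As an added illustration that is not code from the paper: a small Python matcher for the pattern language the legend above defines, applied as defense-side detection to two of the table's rows. Because the relation symbols did not survive extraction, the link type chosen for each step ("seq" or "any") is an assumption, as is the constructed call trace.

```python
# Added example (not from the paper): matcher for the Table 2 pattern language.
# A step is (link, alternatives): alternatives = "A or B" (the table's braces);
# link "seq" = must immediately follow the previous step, "any" = other calls
# may occur in between. Links per row are assumed (symbols lost in extraction).
from typing import List, Set, Tuple

Step = Tuple[str, Set[str]]

# Transmission APIs as listed in the table footnote
TRANSMISSION_APIS = {"AQuery.ajax", "HttpClient", "DefaultHttpClient",
                     "URLConnection", "HttpURLConnection"}
HIDING_SMS_NOTIFICATION: List[Step] = [
    ("any", {"getOriginatingAddress", "getMessageBody", "getDisplayMessageBody"}),
    ("any", {"abortBroadcast"}),
]
SMS_MESSAGE_HIJACKING: List[Step] = [
    ("any", {"query", "parse"}),
    ("seq", {"getExternalStorageDirectory"}),  # assumed to follow directly
    ("seq", {"getExternalStorageState"}),
    ("any", TRANSMISSION_APIS),
]

def matches(calls: List[str], pattern: List[Step]) -> bool:
    """True if the API call trace `calls` contains `pattern` in order."""
    def match_from(ci: int, pi: int) -> bool:
        if pi == len(pattern):
            return True
        link, alts = pattern[pi]
        if link == "seq":
            return ci < len(calls) and calls[ci] in alts and match_from(ci + 1, pi + 1)
        # "any": try every later occurrence so a failing tail can backtrack
        return any(match_from(j + 1, pi + 1)
                   for j in range(ci, len(calls)) if calls[j] in alts)
    return match_from(0, 0)

def classify(calls: List[str]) -> List[str]:
    """Names of all Table 2 patterns (of the two defined here) found in a trace."""
    table = {"Hiding SMS notification": HIDING_SMS_NOTIFICATION,
             "SMS message hijacking": SMS_MESSAGE_HIJACKING}
    return [name for name, pat in table.items() if matches(calls, pat)]

# Constructed trace (not from a real sample): read the SMS, copy it to external
# storage, upload it, then suppress the notification.
SAMPLE_TRACE = ["getOriginatingAddress", "getMessageBody", "query", "parse",
                "getExternalStorageDirectory", "getExternalStorageState",
                "HttpURLConnection", "abortBroadcast"]
```

Calling `classify(SAMPLE_TRACE)` reports both patterns; a trace where another call sits between `parse()` and `getExternalStorageDirectory()` no longer matches the hijacking pattern, which is the difference between the "successive" and "not necessarily successive" relations.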