Research Article

Function-Oriented Mobile Malware Analysis as First Aid

Table 2

Examples of malicious functionalities and their suspicious API call patterns.

Columns: Category / Suspicious API call pattern / Additional information

Category: Hiding SMS notification
  Suspicious API call pattern: {getOriginatingAddress() | getMessageBody() | getDisplayMessageBody()} → abortBroadcast()
  Additional information: broadcast receiver for android.provider.Telephony.SMS_RECEIVED registered with high priority

Category: Hiding shortcut
  Suspicious API call pattern: setComponentEnabledSetting() → abortBroadcast()
  Additional information: none

Category: SMS message hijacking
  Suspicious API call pattern: {query() | parse()} → getExternalStorageDirectory() → getExternalStorageState() → Transmission APIs
  Additional information: content://sms; combined with {Hiding SMS notification | Hiding shortcut}

Category: Contacts content hijacking
  Suspicious API call pattern: getContentResolver() → query() → getLine1Number() → Transmission APIs
  Additional information: {Phone.CONTENT_URI | Contacts.CONTENT_URI}; combined with {Hiding SMS notification | Hiding shortcut}

Category: Bookmark hijacking
  Suspicious API call pattern: getContentResolver() → Transmission APIs
  Additional information: BOOKMARKS_URI; combined with {Hiding SMS notification | Hiding shortcut}

Category: Location information content hijacking
  Suspicious API call pattern: getLastKnownLocation() → Transmission APIs
  Additional information: combined with {Hiding SMS notification | Hiding shortcut}

Category: Hijacking certificate for financial transaction
  Suspicious API call pattern: {getExternalStorageDirectory() | getExternalStorageState()} → FileOutputStream → ZipOutputStream.close() → Transmission APIs
  Additional information: /npki directory; combined with {Hiding SMS notification | Hiding shortcut}

Notes:
Transmission APIs: the APIs of the AQuery.ajax(), HttpClient(), DefaultHttpClient(), URLConnection() or HttpURLConnection() class.
A → B denotes that the malware calls function A and then function B. Two orderings are distinguished: in the strict form the calls are successive (no other API call can be executed between A and B); in the loose form they need not be successive (other API calls can be executed between A and B).
{A | B} denotes that the malware calls function A or function B.
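The patterns in Table 2 are ordered API call sequences with two kinds of ordering constraint (strictly successive versus "somewhere later") and sets of alternative calls. The following added example, which is not code from the article or its authors, shows how such patterns can be matched against an API call trace extracted from a sample. The trace format (a flat list of method names), the `Pattern` class, the `next`/`later` link names, and the choice of which links are strict are all assumptions made for the example; in particular, the hiding-SMS pattern is modelled as strictly successive and the hijacking patterns as loose, which is one reasonable reading of the table, not something it states.

```python
"""Match Table 2 style suspicious API call patterns against an API call trace.

Added example, not the article's own code.  The trace is assumed to be a flat,
ordered list of method names as produced by some static or dynamic extractor.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# "Transmission APIs" as defined in the table footnote.
TRANSMISSION_APIS = {"AQuery.ajax", "HttpClient", "DefaultHttpClient",
                     "URLConnection", "HttpURLConnection"}


@dataclass
class Pattern:
    name: str
    steps: List[Set[str]]   # each step is a set of alternatives ({A | B})
    links: List[str]        # len(steps) - 1 entries: "next" (strictly successive)
                            # or "later" (other calls may intervene)


def match_pattern(trace: List[str], pat: Pattern) -> Optional[List[int]]:
    """Return the trace indices of the first match of pat, or None.

    A "next" link only admits the position immediately after the previous
    step; a "later" link admits any position after it.  A small recursive
    search handles backtracking when an early candidate leads nowhere.
    """
    def search(step: int, pos: int, link: Optional[str], picked: List[int]):
        if step == len(pat.steps):
            return picked
        if link == "next":
            candidates = [pos] if pos < len(trace) else []
        else:  # first step, or a "later" link
            candidates = range(pos, len(trace))
        for i in candidates:
            if trace[i] in pat.steps[step]:
                nxt = pat.links[step] if step < len(pat.links) else None
                found = search(step + 1, i + 1, nxt, picked + [i])
                if found is not None:
                    return found
        return None

    return search(0, 0, None, [])


# Patterns transcribed from Table 2.  Assumption: the hide-notification
# pattern requires abortBroadcast() immediately after reading the message;
# the hijacking chains allow unrelated calls in between.
PATTERNS = [
    Pattern("Hiding SMS notification",
            [{"getOriginatingAddress", "getMessageBody", "getDisplayMessageBody"},
             {"abortBroadcast"}],
            ["next"]),
    Pattern("Contacts content hijacking",
            [{"getContentResolver"}, {"query"}, {"getLine1Number"}, TRANSMISSION_APIS],
            ["later", "later", "later"]),
    Pattern("Location information content hijacking",
            [{"getLastKnownLocation"}, TRANSMISSION_APIS],
            ["later"]),
    Pattern("Hijacking certificate for financial transaction",
            [{"getExternalStorageDirectory", "getExternalStorageState"},
             {"FileOutputStream"}, {"ZipOutputStream.close"}, TRANSMISSION_APIS],
            ["later", "later", "later"]),
]


def scan(trace: List[str]) -> dict:
    """Map each matched pattern name to the indices where it matched."""
    hits = {}
    for pat in PATTERNS:
        found = match_pattern(trace, pat)
        if found is not None:
            hits[pat.name] = found
    return hits


# Constructed sample trace (not taken from any real sample): an SMS receiver
# reads the message, suppresses the notification, then exfiltrates contacts.
# The location read at the end is never followed by a transmission call, so
# the location pattern must not fire.
SAMPLE_TRACE = [
    "onReceive", "getMessageBody", "abortBroadcast",
    "getContentResolver", "query", "getLine1Number", "Log.d", "HttpURLConnection",
    "getLastKnownLocation",
]

# Constructed trace where a call sits between the read and abortBroadcast(),
# so the strictly successive hide pattern must not match.
GAPPED_TRACE = ["getMessageBody", "Log.d", "abortBroadcast"]

if __name__ == "__main__":
    for name, idx in scan(SAMPLE_TRACE).items():
        print(f"{name}: {[SAMPLE_TRACE[i] for i in idx]}")
```

Ordering matters in this matcher: a transmission call that precedes the data read does not count, which is why `getLastKnownLocation` at the end of the sample trace produces no hit. Whether a given table row should be strict or loose is a per-pattern decision that the analyst has to make from the notation in the original table.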