Mobile computing devices (hereinafter, mobile devices) have become an indispensable part of life in modern society. Examples of such devices are mobile telephones, smartphones, personal communicators, tablet computers and notebooks. The majority of mobile devices generally contain various user data needed for everyday routines. Such data might be private (such as photographs and video), personal (such as full name, year of birth, telephone numbers), and confidential (such as the login and password to a bank site, credit card number).
One of the most popular mobile platforms used on mobile devices is the operating system Google Android (Android OS). First and foremost, the Android OS has won its popularity due to its open and free nature, resulting in its widespread use on various hardware platforms and, as a consequence, a tremendous number of different applications has been developed by those wanting to work under the Android OS. At present, several million applications have already been created for the Android OS and have been installed on more than one billion mobile devices around the world. At the same time, increasingly many malicious programs have been created for mobile devices using the Android OS. The term “malicious programs for mobile devices” generally includes any software designed to gain unauthorized access to the computing resources of mobile devices or to the information stored thereon, for the purpose of unauthorized use of those resources or of inflicting harm on (causing loss to) the owners of the mobile devices by copying, distorting, removing or replacing information. The term “information” generally includes information about user contacts or credit cards and access to various applications and websites. The term “unauthorized use” generally includes actions performed without the authorization and/or knowledge of the mobile device owner, such as making unwanted electronic payments, sending electronic messages containing spam, and making telephone calls. Therefore, since the applications installed on mobile devices have, to a greater or lesser extent, access to “important” user data, it has become important to protect mobile devices and their applications against malicious programs.
The majority of existing solutions for the protection of mobile devices are essentially adapted antivirus programs from personal computers using the Windows operating system. Such antivirus programs encounter a number of difficulties when employed on mobile devices. First of all, the malicious actions are different on a mobile device than on a PC, which requires a corresponding adaptation of the technologies of the antivirus programs. Secondly, on a mobile device the actions carried out by malicious programs are generally realized through API functions, and since each mobile platform (such as an OS on the Linux kernel, the Android OS, the Apple OS (iOS) or the Bada OS) has its own API functions, a corresponding optimization is required for each platform, which complicates the operation of the antivirus program. Consequently, this must also be taken into account when searching for malicious files and performing an antivirus check. Thirdly, antivirus programs intended for mobile devices are limited in their use of the system resources of the mobile devices, such as the battery, the central processing unit (CPU), and the memory (e.g., the OS itself limits access to the resources). In order to resolve these difficulties, specialized antivirus programs are needed that take account of the special features of mobile platforms.
Moreover, malicious programs also do not stand still. At present, there are more and more programs for mobile platforms, particularly Trojan horse programs, which use the technologies of polymorphism (adding/changing instructions in a file without altering the actual functionality), metamorphism (complete alteration of the virus body without altering its functionality, a much more complicated form of polymorphism), and obfuscation of program code. Obfuscation means a change in the original text or the executable code of a program to a form which retains its functionality but resists analysis, understanding of its working algorithms, and modification during decompilation. These technologies make it possible to hide the executable code of the malware and change it to a form which retains the functionality of the code but resists antivirus analysis and hides the working of its algorithm.
Also, one of the main techniques for executing mobile applications in the Android OS is the Dalvik virtual machine. One peculiarity of executable files of the Dalvik executable format (hereinafter, DEX file) is that parts of the code in the file can change place without loss of the execution logic. It should be noted that another technique for executing mobile applications is the Android Runtime environment, which also has the aforementioned feature. Thus, technologies which use the classical malware detection methods of searching for code similarities (e.g., string patterns or analysis of the behavior of applications) have little effect against such malicious files, and the above-presented antivirus methods are not able to reveal such malicious programs (files). Therefore, a more effective method is needed for determining the similarity of files.
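The two preceding paragraphs describe why the classical measures fail: polymorphism inserts or changes instructions, and in a DEX file whole code units can change place without changing execution logic. The following added example (not part of the patent text, and not a real DEX parser) illustrates the effect with constructed toy "method bodies": it compares a whole-file hash, two contiguous byte signatures, an order-independent Jaccard index over per-method hashes, and a Jaccard index over byte 4-grams, first against a variant with the methods reordered and then against a variant with one do-nothing instruction inserted. The byte strings, the `build_file`/`compare` helpers and the `;nop` token are assumptions made for this illustration; in a real implementation the method boundaries would come from parsing the DEX structure.

```python
import hashlib

# Constructed toy stand-ins for the code units (method bodies) of a DEX file.
# They are NOT Dalvik bytecode; the byte strings are arbitrary placeholders.
HEADER = b"TOYDEX\n"
M_INIT = b"onCreate:load-config;register-receiver;return"
M_SYNC = b"onSync:read-prefs;open-socket;write;return"
M_IDLE = b"onIdle:cancel-timer;sleep;return"

ORIGINAL = [M_INIT, M_SYNC, M_IDLE]
# Same methods placed elsewhere in the file (the DEX property described in the text).
REORDERED = [M_IDLE, M_INIT, M_SYNC]
# Polymorphic variant: one method gets a do-nothing instruction inserted (assumed token).
NOP = b";nop"
POLYMORPHIC = [M_INIT, M_SYNC.replace(b";write", b";write" + NOP), M_IDLE]

# A classical contiguous signature taken from inside one method body.
INNER_SIGNATURE = b"socket;write;ret"


def build_file(methods, padding=b""):
    """Concatenate header and method bodies into one flat byte string."""
    return HEADER + padding.join(methods)


def file_hash(data):
    """Whole-file identity: any single byte change produces a different digest."""
    return hashlib.sha256(data).hexdigest()


def signature_hit(data, signature):
    """Classical contiguous byte-pattern check."""
    return signature in data


def method_set_similarity(methods_a, methods_b):
    """Jaccard index over hashes of individual method bodies: order-independent,
    but any instruction inserted into a method changes that method's hash."""
    ha = {hashlib.sha256(m).digest() for m in methods_a}
    hb = {hashlib.sha256(m).digest() for m in methods_b}
    return len(ha & hb) / len(ha | hb)


def ngram_similarity(data_a, data_b, n=4):
    """Jaccard index over byte n-grams: tolerant of reordering and small insertions."""
    ga = {data_a[i:i + n] for i in range(len(data_a) - n + 1)}
    gb = {data_b[i:i + n] for i in range(len(data_b) - n + 1)}
    return len(ga & gb) / len(ga | gb)


def compare(methods_a, methods_b, padding_b=b""):
    """Run all measures on two variants and return them in one dict."""
    fa, fb = build_file(methods_a), build_file(methods_b, padding_b)
    # A signature that straddles the boundary between the first two methods of A.
    cut = len(HEADER) + len(methods_a[0])
    boundary_signature = fa[cut - 4:cut + 4]
    return {
        "same_hash": file_hash(fa) == file_hash(fb),
        "boundary_signature_hit": signature_hit(fb, boundary_signature),
        "inner_signature_hit": signature_hit(fb, INNER_SIGNATURE),
        "method_jaccard": method_set_similarity(methods_a, methods_b),
        "ngram_jaccard": ngram_similarity(fa, fb),
    }


if __name__ == "__main__":
    # Reordered variant also gets two padding bytes between methods.
    print("reordered  :", compare(ORIGINAL, REORDERED, b"\x00\x00"))
    print("polymorphic:", compare(ORIGINAL, POLYMORPHIC))
```

Reordering defeats the whole-file hash and the signature that straddled two methods while leaving the per-method Jaccard index at 1.0; the inserted instruction defeats the signature inside that method and halves the per-method index, while the n-gram index stays high in both cases. Each classical measure is therefore sensitive to one of the transformations the text lists, which is the motivation for a similarity method that works on the structure of the file rather than on its exact bytes.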
Thus, a new principle for the analysis and identification of malicious programs is needed, one which can be adapted to mobile platforms, especially to the Android mobile platform, and which is at the same time resistant to the technologies of polymorphism and program code obfuscation.