Mobile Malware Analysis Subtaxonomy

Version 2.0 March 2016. Part of Mobile Security Taxonomy

Gürol Canbek, Seref Sagiroglu, and Nazife Baykal, 2016. New Comprehensive Taxonomies on Mobile Security and Malware Analysis.
Designed by Gürol Canbek, All Rights Reserved. Contact:
Click the node to scroll to its text representation

Imagemap

Mobile Malware AnalysisDynamic Analysis a.k.a Behavioral-Based ...Behavior PatternsNetwork SignatureCodeCall Graph (Dynamic)System CallsDependency Graph (Dynamic)Anomaly DetectionMetricsNetwork Activity a.k.a Internet TrafficBattery ConsumptionCPU Usage Memory UsageRunning ProcessesOS OperationsFile AccessUser Device UsageGUI InteractionsKeyboardTouchscreenCommunication FrequencyCallsSMSsE-mailsSensor UsageScopeOn deviceCollaborativeMethodsSmoothing FunctionLeaky BucketMoving AverageNoise FilteringData CompressionTime Series AnalysisTemporal Logic of Causal Knowledge (TLCK ...Knowledge-Based Tempral Abstraction (KBT ...Finite State Machine (FSM)Pushdown Automata (PDA)Dynamic Threshold Calculation (DTC)ClassificationApproachesExpert SystemReview TriagingMethodologiesWhitelistingBlacklistingSignature-BasedHeuristic-BasedRule-BasedManualEvent CorrelationStatisticalDatasetsAndroidAndroid Malware Genome ProjectContagio MobileThe Drebin DatasetAndroTrackerAndroMalShareMalware.luMalwares.comVirusShareVirusTotalMalware Author ToolsAnti-DebugAnti-DecompileAnti-Runtime InjectionAnti-TamperEncryptorObfuscatorPackerTamper DetectionToolkitsUnpackerVM DetectionAnti-Analysis (Counter Measures)ObfuscationName (class, method, variable, etc)Code Insertion/DeletionCode ReorderingEquivalent Code SubstitutionMethod InliningOutline to MethodMethod CloningUnrolling LoopBranch Inversion/FlippingSensitive API hidingFlowNoiseGarbage (Redundant, Junk) instructions a ...(Semantic) NOP/NOOPUnused functionsagainst Dynamic AnalysisEmulator/Sandbox DetectionFabricated content recognitionLaying DormantAntimalware DetectionData Encryption in Communicationagainst Malware AnalysisAnti Reverse EngineeringAnti DecompileAnti DebugPacking (compression or encryption)StringBinary (Dynamic/Runtime Packer)ClassAssetCodeNative libraryStatic AnalysisBinaryByte N-gramCode (+Bytecode)Data Flow Analysis (DFA) a.k.a Taint Pro ...Control Flow Analysis (CFA)Type AnalysisSymbolic ExecutionPoints-To AnalysisStructural AnalysisAPI CallsCall Graph (Static)Semantic AnalysisDependency Graph (Static)Class Dependency GraphFunction call graphEntry/Exit Point AnalysisProgram SlicingAnalysis OperationsTracking Malware AuthorsDeobfuscating StringsSelf-decodingManual programmingSignatures a.k.a FingerprintingHashingBinary PatternChallengesCommon Code on Malicious and Benign Appl ...Computation Cost (on Device or on Cloud)See machine learning problemsAnalysts Tools(Analyse) SandboxData FlowApp PentestDebuggingAssemblerDecompilerAutomated Runtime AnalyzerDevice EmulatorBinary AnalyzerDissassemblerBinary EditorDynamic AnalysisControl FlowFirmware FlasherCall GraphForensics AnalyzerIDEMalware AnalysisMalware ScannerMalware Scanner AggregatorsMalware Scanner VisualizerMonkey or AutomationNetwork packet analyzerParserVirus Scanners (57)Performance AnalyzerTools (Android, Java, iOS, Windows) Tota ...Reverse EngineeringStatic AnalysisStatic Code AnalysisToolkitsSystem monitorUnpackerVulnerability AnalysisAnti-Anti-Analysis (Counter Counter Meas ...Anti Emulator DetectionObfuscation DetectionEntropy Analysis

hide
Mobile Malware Analysis
hide
hide
Dynamic Analysis a.k.a Behavioral-Based Analysis
hide
Behavior Patterns
leaf
Network Signature
hide
Code
hide
Call Graph (Dynamic)
leaf
System Calls
leaf
Dependency Graph (Dynamic)
hide
Anomaly Detection
hide
Metrics
leaf
Network Activity a.k.a Internet Traffic
leaf
Battery Consumption
leaf
CPU Usage
leaf
Memory Usage
leaf
Running Processes
leaf
OS Operations
leaf
File Access
hide
User Device Usage
hide
GUI Interactions
leaf
Keyboard
leaf
Touchscreen
hide
Communication Frequency
leaf
Calls
leaf
SMSs
leaf
E-mails
leaf
Sensor Usage
hide
Scope
leaf
On device
leaf
Collaborative
hide
Methods
hide
Smoothing Function
leaf
Leaky Bucket
leaf
Moving Average
leaf
Noise Filtering
leaf
Data Compression
leaf
Time Series Analysis
leaf
Temporal Logic of Causal Knowledge (TLCK)
leaf
Knowledge-Based Tempral Abstraction (KBTA)
leaf
Finite State Machine (FSM)
leaf
Pushdown Automata (PDA)
leaf
Dynamic Threshold Calculation (DTC)
hide
Classification
hide
Approaches
leaf
Expert System
leaf
Review Triaging
hide
Methodologies
leaf
Whitelisting
leaf
Blacklisting
leaf
Signature-Based
leaf
Heuristic-Based
leaf
Rule-Based
leaf
Manual
leaf
Event Correlation
leaf
Statistical
hide
Datasets
hide
Android
leaf
Android Malware Genome Project
leaf
Contagio Mobile
leaf
The Drebin Dataset
leaf
AndroTracker
leaf
AndroMalShare
leaf
Malware.lu
leaf
Malwares.com
leaf
VirusShare
leaf
VirusTotal
hide
Malware Author Tools
leaf
Anti-Debug
leaf
Anti-Decompile
leaf
Anti-Runtime Injection
leaf
Anti-Tamper
leaf
Encryptor
leaf
Obfuscator
leaf
Packer
leaf
Tamper Detection
leaf
Toolkits
leaf
Unpacker
leaf
VM Detection
hide
Anti-Analysis (Counter Measures)
hide
Obfuscation
leaf
Name (class, method, variable, etc)
leaf
Code Insertion/Deletion
leaf
Code Reordering
hide
Equivalent Code Substitution
leaf
Method Inlining
leaf
Outline to Method
leaf
Method Cloning
leaf
Unrolling Loop
leaf
Branch Inversion/Flipping
leaf
Sensitive API hiding
leaf
Flow
hide
Noise
leaf
Garbage (Redundant, Junk) instructions a.k.a Dead Code
leaf
(Semantic) NOP/NOOP
leaf
Unused functions
hide
against Dynamic Analysis
hide
Emulator/Sandbox Detection
leaf
Fabricated content recognition
leaf
Laying Dormant
leaf
Antimalware Detection
leaf
Data Encryption in Communication
hide
against Malware Analysis
leaf
Anti Reverse Engineering
leaf
Anti Decompile
leaf
Anti Debug
hide
Packing (compression or encryption)
leaf
String
leaf
Binary (Dynamic/Runtime Packer)
leaf
Class
leaf
Asset
leaf
Code
leaf
Native library
hide
Static Analysis
hide
Binary
leaf
Byte N-gram
hide
Code (+Bytecode)
leaf
Data Flow Analysis (DFA) a.k.a Taint Propagation
leaf
Control Flow Analysis (CFA)
leaf
Type Analysis
leaf
Symbolic Execution
leaf
Points-To Analysis
leaf
Structural Analysis
leaf
API Calls
leaf
Call Graph (Static)
hide
Semantic Analysis
hide
Dependency Graph (Static)
leaf
Class Dependency Graph
leaf
Function call graph
leaf
Entry/Exit Point Analysis
leaf
Program Slicing
hide
Analysis Operations
leaf
Tracking Malware Authors
hide
Deobfuscating Strings
leaf
Self-decoding
leaf
Manual programming
hide
Signatures a.k.a Fingerprinting
leaf
Hashing
leaf
Binary Pattern
hide
Challenges
leaf
Common Code on Malicious and Benign Applications
leaf
Computation Cost (on Device or on Cloud)
leaf
See machine learning problems
hide
Analysts Tools
leaf
(Analyse) Sandbox
leaf
Data Flow
leaf
App Pentest
leaf
Debugging
leaf
Assembler
leaf
Decompiler
leaf
Automated Runtime Analyzer
leaf
Device Emulator
leaf
Binary Analyzer
leaf
Dissassembler
leaf
Binary Editor
leaf
Dynamic Analysis
leaf
Control Flow
leaf
Firmware Flasher
leaf
Call Graph
leaf
Forensics Analyzer
leaf
IDE
leaf
Malware Analysis
leaf
Malware Scanner
leaf
Malware Scanner Aggregators
leaf
Malware Scanner Visualizer
leaf
Monkey or Automation
leaf
Network packet analyzer
leaf
Parser
leaf
Virus Scanners (57)
leaf
Performance Analyzer
leaf
Tools (Android, Java, iOS, Windows) Total 82
leaf
Reverse Engineering
leaf
Static Analysis
leaf
Static Code Analysis
leaf
Toolkits
leaf
System monitor
leaf
Unpacker
leaf
Vulnerability Analysis
hide
Anti-Anti-Analysis (Counter Counter Measures)
leaf
Anti Emulator Detection
hide
Obfuscation Detection
leaf
Entropy Analysis