  • Essay / National College of Business Administration & Economics Multan

Table of Contents
Malware Evolution
Android Malware
Types of Android Malware
Root Exploit
Existing Approaches
Goals and Objectives

The Android operating system began its journey with the public release of the Android beta in November 2007, but its first commercial version, Android 1.0, was introduced in September 2008. Android is a mobile operating system developed by Google, based on the Linux kernel and designed primarily for touchscreen mobile devices such as smartphones and tablets. It is continuously developed by Google and the Open Handset Alliance. Since 2008, many versions of the Android operating system have been introduced. The most common ones are Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean, KitKat, Lollipop and Marshmallow. At the time of writing, only 32.3% of Android devices on the market are powered by Marshmallow, which was introduced two years ago.

Evolution of Malware
Initially, when computer systems were primarily understood by a few experts, malware development was a test of technical skill and knowledge. For example, the PC Internet worm known as Creeper displayed provocative messages, but the threat risk (e.g., stolen data, damaged systems) was considerably low. However, as time progressed from the 1980s onwards, the drive to create malware became less recreational and more profit-driven, with hackers actively seeking sensitive, personal and business information. In 2015, a report showed that attackers can earn up to $12,000 per month from mobile malware [106].

Android Malware
Malware is malicious software that is specifically designed to target a mobile device, such as a tablet or smartphone, in order to harm or disrupt it.
Most mobile malware is designed to disable a mobile device, allow a malicious user to control the device remotely, or steal private information stored on the device. As the Android operating system has become the most attractive operating system for mobile companies, it is more exposed to malware attacks than other operating systems. The number of malicious Android apps has been steadily increasing over the past four years. In 2013, just over half a million were malicious. By 2015, this figure had risen to just under 2.5 million. For 2017, that number rises to almost 3.5 million.

Root Exploit
user privileges. Once attackers gain root privileges, they can install other types of malware, such as botnets, worms or Trojans. With root privilege, an attacker or malware can bypass the Android sandbox, perform many types of malicious activities, and even erase evidence of compromise. For this reason, malware incorporating root exploits is on the rise. Indeed, as recent news has shown, it has become increasingly common for malware found on third-party Android marketplaces, or even the official Google Play store, to contain root exploits. In recent years, rooting malware has posed the biggest threat to Android users. These Trojans are difficult to detect, have many capabilities and are very popular among cybercriminals. Their main goal is to show victims as many advertisements as possible and silently install and launch the advertised applications. In some cases, aggressive display of pop-up advertisements and delays in executing user commands can render a device unusable. Rooting malware typically attempts to gain superuser rights by exploiting system vulnerabilities, after which it can do almost anything. It installs modules in system folders, protecting them from deletion. In some cases – Ztorg, for example – even resetting the device to factory settings will not remove the malware.
It should be noted that this Trojan was also distributed through the Google Play Store: there we found almost 100 applications infected with various Ztorg modifications. One of them has even been installed more than a million times.

Existing Approaches
In dynamic malware analysis, the behavior of the malware while it runs on a system is examined. Mostly a virtual machine or a dedicated device is used for this method. It simply records the malware's behavior and network logs after running the malicious application on the machine. DroidBox, the Android SDK and Android Audit are tools that can be used for dynamic analysis. During static analysis, reverse engineering tools and techniques are used to decompile the malicious application; static analysis takes place in a non-runtime environment. The application is analyzed to detect all possible runtime behaviors and to look for coding flaws, backdoors and malicious code. For static analysis, Androguard, dex2jar and apk inspect are tools that can be used. In both approaches, machine learning algorithms have been used to create classification models by training classifiers with malware datasets and features collected from static or dynamic analysis. The learned classification models are then used to detect malicious Android apps and classify them into their families.

Problem Statement
Currently, the majority of malware detection systems focus on mobile malware in general. Likewise, no detection solutions are available in the literature targeting mobile applications involved in root exploitation activities. This thesis addresses the following questions:
· What are the most important structural features that an intruder can use to engineer root exploits in Android-based mobile applications?
· How to classify root exploits from a malicious corpus using machine learning techniques?

Aims and Objectives
Mobile devices such as smartphones have become one of the most important devices of the current century.
Similarly, the Android operating system is recognized as the most popular operating system used by smartphones. As a result, Android has become one of the most attractive targets for malware authors. Different types of Android malware are botnet, root exploit, texting, GPS location and banking Trojan. A proper Android malware detection system is often helpful in avoiding such malware. This study will focus on detecting a special kind of malware called root exploit using machine learning. It has been observed that current Android malware detection techniques may not be applicable to this specific root malware. Root exploit malware, which gains root privileges, is considered the most dangerous Android malware. Several techniques have been introduced by researchers. We will use a machine learning classifier to separate root exploit malware from harmless apps based on features extracted by static analysis from the Android APK.

Thesis Breakdown: The structure of this thesis is organized as follows. Chapter 2 presents related work on static and dynamic malware detection in the Android environment. Chapter 3 shows the implementation of this study, which covers the framework, tools used, datasets, feature extraction and selection, and training of machine learning classifiers. Chapter 4 presents the results and performance evaluation of the classifiers. Chapter 5 concludes the study, highlights our results and suggests potential future work for the approaches proposed in this thesis.

CHAPTER NO 2
2. Literature Review
Generally, there are two methods of malware detection, called static analysis and dynamic analysis [2]. In dynamic analysis, applications are executed in a secure sandbox environment and the execution traces of each application are collected to look for malicious intent. Static analysis focuses on techniques for reverse engineering the application by recreating its algorithm and program code.
A mobile application analysis system that used both static analysis and dynamic analysis to detect hidden malware was presented in [3]. Its static analysis introduced two additional features for malware analysis, native permissions and intent override, alongside the common features of permissions and function calls. A sandbox is used to search for malicious actions that may be present in an application downloaded by the user. To trace the sending of short messages initiated by an application rather than by the user, the Android emulator is modified. The Python programming language is used to implement a technique named UnipDroid, which uses a good discriminative feature set to distinguish between harmless and malicious applications [4]. Machine learning classification algorithms are applied after statically analyzing a large dataset of Android apps to find the best performing algorithm in terms of accuracy and speed. The results show that UnipDroid is effective and efficient. Dynamic scanning cannot manage storage space; it only detects and prevents mobile malware [5]. A cloud service can detect malware and predict the behavior of mobile malware, but cannot prevent it. A new model integrating the capabilities of a cloud service and dynamic analysis provides a better solution for detecting and preventing mobile malware. The current state-of-the-art static analysis techniques used in malware analysis are surveyed in [6]. Static analysis techniques can be used to answer many software questions that arise during different stages of the software life cycle. There are four high-level archetypal motivations for using specific static analysis techniques.
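As an added illustration of the static feature extraction step on which the approach above rests (this is example code written here, not code from the thesis or from [3] or [4]), the following Python parses a constructed AndroidManifest.xml, collects the requested permissions and the intent actions the app registers for, and turns them into a binary feature vector that a machine learning classifier could be trained on. The manifest, the feature vocabulary and the function names are all constructed for this example; a real APK's binary manifest would first be decoded with a tool such as Androguard.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for illustration only (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Feature vocabulary (a constructed subset); a real system derives it from the
# training corpus so that every app is vectorized in the same column order.
VOCAB = [
    "perm:android.permission.INTERNET",
    "perm:android.permission.INSTALL_PACKAGES",
    "perm:android.permission.RECEIVE_BOOT_COMPLETED",
    "perm:android.permission.SEND_SMS",
    "intent:android.intent.action.BOOT_COMPLETED",
    "intent:android.intent.action.NEW_OUTGOING_CALL",
]

def extract_features(manifest_xml):
    """Static manifest features: requested permissions plus the intent
    actions the app registers to receive (its intent filters)."""
    root = ET.fromstring(manifest_xml)
    feats = set()
    for node in root.iter("uses-permission"):
        feats.add("perm:" + node.get(ANDROID_NS + "name", ""))
    for node in root.iter("action"):
        feats.add("intent:" + node.get(ANDROID_NS + "name", ""))
    return feats

def vectorize(feats, vocab=VOCAB):
    """Binary feature vector in vocabulary order, ready for a classifier."""
    return [1 if f in feats else 0 for f in vocab]

if __name__ == "__main__":
    found = extract_features(SAMPLE_MANIFEST)
    print(sorted(found))
    print(vectorize(found))
```

The same vectors, built for a labelled corpus of harmless and root exploit samples, are what the classifiers described in Chapter 3 would be trained on.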