Paper Menu >>

Journal Menu >>

Open Access Library Journal
How to cite this paper: Zainuddin, N.B., Abdollah, M.F.B., Yusof, R.B. and Sahib, S.B. (2014) A Study on Abnormal Behaviour
in Mobile Application. Open Access Library Journal, 1: e1229. http://dx.doi.org/10.4236/oalib.1101229
A Study on Abnormal Behaviour in Mobile
Application
Naqliyah Bt Zainuddin*, Mohd Faizal Bin Abdollah, Robiah Bt Yusof, Shahrin Bin Sahib
Faculty of Information and Communication Technology, University Technical Malaysia Malacca, Karung
Berkunci No. 1752 Pejabat Pos Durian Tunggal, Melaka, Malaysia
Email: *naqliyah@cybersecurity.my
Received 31 Octob er 2014; revised 2 De ce mber 2014; accepted 26 December 2014
Copyright © 2014 by authors and OALib.
This work is licensed under the Creative Commons Attribution International License (CC BY).
http://creativ ecommon s.org/l icens es/by/4.0/
Abstract
Abnormal application behavior in mobile can produce a number of undesirable effects. An incor-
rect or insufficient implementation of application lifecycle, memory related issues and malicious
application might cause an unexpected behavior of the application such as bad usability, not res-
ponding, crashed and even data loss. Current analysis and detection of abnormal applications be-
havior are still not comprehensive enough where behavior under user visible failure category
such as crash, “stopped unexpectedly” and “not responding” received less attention by researchers.
Furthermore, framework of analysis technique has not been developed by researcher to investi-
gate the abnormal behavior in mobile application. Thus, in this paper we will study, analyze and
classify the possible issues in causing abnormal application behavior and the existing techniques
in identifying abnormal application behavior.
Keywords
Abnormal Behavior, Application, Android, Analysis Techniques
Subject Areas: Applications of Communication Systems, Mobile and Portable Communications
Systems
1. Introduction
In today’s world, mobile applications are becoming increasingly important in all aspects of our lives. No longer
are phones reserved just for making calls, they now do more than the PC’s of a few years ago. The open source
Android operating system is a great example of the future of mobile applications. The rapid growth of smart-
phones has lead to a renaissance in mobile application services. Android and iOS, currently the most popular
smartphone platforms, each offer their own public marketplace.
*Corresponding author.
N. B. Zainuddin et al.
OALibJ | DOI:10.4236/oalib.1101229 2 December 2014 | Volume 1 |
e1229
Detection of malwares, resources issues and others factors causing unexpected or abnormal behavior in mo-
bile application has been the main focus by researchers in mobile security. As stated by [1], t he majo r focus o n
Android sec urity research is analyzing application for malicious behaviour.
[2] in his research also highlighted about “AppBrain”, a website which provide a mechanism called “low
quality app licatio n detectio n”. It acts as a fil ter b y auto maticall y perfor m de tection of ap plicatio ns whic h are u n-
likely to be useful or low quality applications”. This resulted Google to remove these applications from the
market roughly once a quarter, in which case the total number of available Android applications goes down. The
removed applications are al most always classified by as “low quality applica tions”.
Even though there is no specific definition on “low quality application”, inevitably, low quality applications
can produce a number of undesirable effects and caused abnormal application behavior in mobile.
Thus, this research will study, analyze and classify the possible issues in causing abnormal application beha-
vior and the existing techniques in identifying abnormal applicatio n b e havior.
2. Abnormal Behavior in Mobile Application
The word “abnormal” means deviating from what is normal or usual, typically in a way that is undesirable, un-
expected or worrying. [3] highlighted that, anomaly detection refers to the problem of finding patterns in data
that do not conform to expected behavior. [4] added that anomaly detection techniques commonly used the fol-
lowing theories such as probability and statistics, artificial neural networks, genetic algorithms, fuzzy recogni-
tion and artificia l immune metho d.
According to [5], crash event is identified as “abnormal behavior” because it is an unpredictable event that
occurs when the system is in an arbitrar y state and can produce a number of undesirable effects. A crash is de-
fined as a fatal condition that occurs when a piece of software stops performing the activities it has been de-
signed for.
Furt hermor e , [6] highlighted that an unexpected behavior or crashes in software systems can be similarly
avoided by monitoring the behavior of constituent methods and modules, if we know which methods or modules
are likely to cause a software crash beforehand. Another definition by [7] categorized crash as a “user visible
failure”, when a system aler t displaying the message Force Clo se (in Android 2.2) or Application has stopped
unexpectedly( in Andr oid 4.0). The se failure messa ges mani fest in the log files a s a log entr y stat ing FATAL
EXCEPTI ON: mainand are essentially effects of uncaught exceptions thrown by the Android runtime.
Malicious so ftware will also resulted in une xpecte d beha vior by atte mpting t o leak p erso nal infor matio n, get-
ting root privilege and abuse functions of the mobile [8]. [9] had stressed that even if applications have acquired
explicit user consents, users may be unaware that the applications may execute malicious behaviors. Besides,
[10] also highlighted other sta ndard malicio us attac ks for PCs, like worms and T rojans are also becoming appli-
cable to the mobile platforms. Malicious software such as Geimini and Droid Dream will result in unexpected
behavior by attempting to leak personal information, getting root privilege and abuse functions of the smart-
phone as reported by [8]. [11] also had reported that the beh avior of malicious app lications could var y from an-
noying mes s ages to very unrecove rable damage s .
Definitely, a compromised smartphone can inflict severe damages and caused unexpected behavior in Andro-
id applic ation. Memory leaks are highlighted by [12] as one of the major issues seen on the performance side of
the mobile application which causing a sluggi sh behavi o r. [13] and [14] also emphasized that the memory leak
pheno menon will a ffect the memory usage, affects the application to switch efficiency and cause the increase of
memory usa ge and dimini sh o verall system performa nce.
Despite the capa bilit y of And roid to handle memory allo cati on usin g garbage co llec tio n au to matically, [15] in
his research identified that many applications currently suffer from memor y leak vulnera bilities and causi ng ap-
plications to crash due to out of memory error while runni ng.
Based on literature review, this study has managed to classify the abnormal behavior in mo bile application as
depicted in Figure 1.
Figure 1 summarized the general classification of abnormal behavior in mobile app lication. For “user visib le
failure”, the application behavior under this category are crash, “application not responding” and “application
has stopped unexpectedly”. This type of behavior is sharing similar characteristics where it is an unexpected
type of behavior and visible to users. For “user invisible failure”, data leakage and unauthorized access are ex-
amples of a n unexpected b ehaviors and in visible to user s. This list o f classification i s not an e xhaustive list and
it may include o ther type of applica tion activity with same behavior.
N. B. Zainuddin et al.
OALibJ | DOI:10.4236/oalib.1101229 3 December 2014 | Volume 1 |
e1229
Figure 1 . General classification of abnormal behavior in mobile application.
Above researchers highlighted the possible reasons on unexpected or abnormal behavior in an android appli-
cation. Despite the outbreak of research activity in this area, [16] has highli ghted that ther e is no frame work ye t
that focuses on ana lysis and profiling t he behavior of an Android application. Definitely, abnormal behavior in
mobile application can produce a number of undesirable effects which might cause an unexpected behavior such
as bad usability, not responding, crashed and even data loss. Majority of works done are focusing on detecting of
malicious behavior due to malicious software whereas less work done so far in identifying abnormal application
behavior which causing application to crash, “stopped unexpectedly” and “not responding”. In the next section,
this study will explore related work done on the behavior related detection technique and analysis on mobile ap-
plication.
3. Related Works in Detecting Abnormal Behavior in Mobile Applications
“CrowDroid” is a framework introduced by [17]. The framework is using dynamic analysis on system call
(Strace) which e nable t he dis tinguishing between applications that having the s ame name and version but behave
differently. The focus of the framework is to detect anomalously application in form of Trojan horses. Crow-
Droid used Strace to output the behavior patterns such as sy ste m calls of installed applicat ions o n users’ de vices.
This infor mation is sent to a r emote server where the system calls are clustered using a K-means algorithm into
benign and malicious categories. CrowDroid concluded that open (), read (), access (), chmod () and chown ()
are the most used system calls by malware. Moreover, [18] introduced “Andromaly” another behavioral mal-
ware detection framework for android devices. Andromaly is a lightweight malware detection system using
Machine Learning classification techniques to classify collected observations (system performance, user activity,
memory, CPU consumption, battery exhaustion etc.) as either normal or abnormal.
Anothe r wor k is b y [19] proposed “AASandbox” (Android Application Sandbox). AASandbox is using static
and dynamic approach to automatically detect suspicious application. For static approach, AASandbox scans the
software for malicio us pattern s without installi ng it. While fo r d ynamic appro ach, the analysis o n the applica tion
is co nduct ed i n full y iso late d envir on ment whic h in terve nes and logs l o w-level interactio ns. [20] had intro duc ed
a comprehensive software inspection framework. The framework allows identification of software reliability
flaws and to trigger malware without require source-code. The framework is using dynamic approach by col-
lecting run-time behavior analysis and also the I/O system calls generated by the applications.
[21] had introduced “ModelZ” for monitoring, detection, and analysis of energy-greedy anomalies in mobile
handsets. Using light weight approach, ModelZ will monitor, detect and analyze new or unknown threats and
energy-greedy anomalies on small mobile devices, with high accuracy and efficiency. [22] introduced “Droid-
Box” a dynamic anal ysis tool to cla ssify Android ap plications by monitor ing API calls o f interest invoked by an
application. The analysis includes generating two graphs (behavior graphs and treemap graphs) for sample in
order to provide the basis in identifying benign or malicious categories.
[23] also had used system call, logs and timestamp information in his research to detect the “misbehaving”
applications, alert the users, and log the evidence of malicious activities with. From the discussion on analysis
technique in detecting malicious application, Strace is identified as a common tool in Android research and it
has been used in works on malware detection by most of the researchers. Strace used the view of Linux-kernel
such as network traffic, system calls, and file system logs to detect anomalies in the Android system. Further-
more , [17] also emphasized that monitoring systems calls (Strace) is one of the most accurate techniques to de-
User visible failureUse r inv isible f ailure
ANR Appli cation Sto pped
Unexpectedly
Crash Data Le akageUnauthorized
access
Abno rm al Mobil e
Appl ication Behavio r
N. B. Zainuddin et al.
OALibJ | DOI:10.4236/oalib.1101229 4 December 2014 | Volume 1 |
e1229
termine the behavior of an Android application since they provide detailed low level information. In the next
section, we will discuss on other analysis technique used by researchers in analyzing other type of abnormal be-
havior due to resources leaks and application life-cycle.
The detection of resources problems in mobile application has been studied by [24], [25] and [14]. [24] intro-
duced an approach using static analysis tools called Relda, which can automatically analyze an application’s re-
source operations and locate resource leaks. The method is based on a modified Function Call Graph, which
handle s the feat ures o f event -driven mobile programming by analyzing the callbacks defined in Android frame-
work.
[25] proposed a novel and comprehensive approach for systematic testing for resource leaks in Android ap-
plication. The approach is based on a GUI model, but is focused specifically on coverage criteria aimed at re-
source leak defects. These criteria are based on neutral cycles: sequences of GUI events that should have a
“neutral” effect and should not lead to increases in resource usage.
The work on memory leakage detection is by [14] using a PCB hooking technique. The technique is using
dyna mic ana lysis b y gat heri ng memo ry exe cutio n info rmat ion (i.e. ; pr ocess ID, priority, shared library list, spe-
cific process-resource list) in run-time to detect memory leakage. In the experiment, Memory Analysis Tool
(MAT) was used as a comparison with their invented tool.
The only work on monitoring software crashes is by [6] who presented a framework which monitors and re-
produces software crashes. This approach involves learning patterns from features of methods that previously
crashed to classify new methods as crash-prone or crash-resist ant. I nvesti ga tio n s ha d shown that 30 % of crashed
methods in ECLIPSE and 44% from ASPECTJ threw exceptions. The remaining 70% of crashed methods are
not throwable a nd it is less common to se e developers throw runtime excep tions in their pro gr ams.
Futhe rmore , [26] presented a tool called AndroLIFTwhich helps the developer to monitor the life cycle,
assists in implementing it and testing life cycle-related properties. AndroLIFT is written as an extension to the
ADT, the common way of developing Android applications with the Eclipse IDE. The life cycle view of this
tool allows the developer to observe and analyze the life cycle of the Android application. Besides, it allow de-
veloper to easily learn about the behavior of the application life cycle to certain triggers, like an incoming call,
and with which callback methods one can react appropriately. The summary of analysis techniques used in the
detecting malicious and abnor mality in mobile app lic a tion is depicted in Table 1.
All in all, t he afore mentio ned fra mewor ks and s ystems as st ated in Tab l e 1 proved valuable in protecting mo-
bile devices in general. Most of the works are focusing on malware detection in mobile application using both
dynamic and static analysis techniques. Detection technique on malicious software received a lot of attention by
researchers. However, there is a gap in identifying the abnormal behavior which may lead to behavior of crash,
“stopped unexpectedly” and “not responding”.
From the discussion on analysis technique in detecting malicious application, Strace is identified as a com-
mon tool in Android research and it has been used in works on malware detection by most of the researchers.
Strace used the vi e w of Li nu x -kernel such as network traffic, system calls, and file system logs to detect anoma-
lies in the Android system. Furthermore, [17] also emphasized that monitoring systems calls (Strace) is one of
the most accurate techniques to determine the behavior of an Android application since they provide detailed
low level information.
Moreove r , [26] ha s highli ghte d that logcat is ident ified as the main logging mecha nism in mobile app lication.
Logcat allows us to capture the system debug output and log messages from the application. Wei [16] used a
combi na tion of t he logcat and getevent tools of ADB to gat her the data of t he user la yer f or multi-layer p ro filing
of Android application.
A specific tool for memory analysis is Memory Analyzer Tool (MAT). The MAT tooling is a set of plug-ins
which visualizes the references to objects based on Java heap dumps and provides tools to identify potential
memor y leaks i n Andr oid a pplicati ons. The MAT detects leakage by analyzing heap memory of one application.
MAT analyzes heap me mory situation when extracting log, and sho ws infor mation whic h turns into a cause of
memory leakage defect [14].
4. Proposed Framework and Summary
The framework of analysis techniques for abnormal application behavior is proposed as a way to identify the
reasons of abnormal activity in mobile application. In this stud y, analysis techniq ue s are described and applied
N. B. Zainuddin et al.
OALibJ | DOI:10.4236/oalib.1101229 5 December 2014 | Volume 1 |
e1229
Table 1. Analysis techniques in detecting abnormal behavior in mobile application.
Works related Category Criteria of detecting abnormal behavior
Mod el Z
Kim (2011) Energy-greedy anomalies Monitor and record us age of software and hardware resources
Crow Droid
Burguera et a l. (2011) Malicious software Using Strace to output the behavior patterns such as system calls
Andromaly
Shabtai et al. (2011) Malicious software Using Machine Learning Classification to classify collected
obse r v ation info r mation
AAS and box
Bl et a l. (2010) Malicious software Intervenes and logs low-level intera ction of an apps
Karami et al. (2013) Malicious software Collecting run-time behavior analysis and also I/O system calls
generated by an app s
Isohara et al. (2011b) Malicious software Using log collector to record activity on kernel layer
Guo et al. (2013) Reso urce leaks Us ing Functi on Call Graph
Yan (2013) Resou rce leaks Using GUI mod el to detect resource leaks defect
Park et al. (2012) Memory leakag e Usin g P CB hooking techn ique to gather memor y execution
infor ma tion
Kim et al. (2010) Crash method Learning patterns from features of the method that previously
crashed
AndroLIFT
Franke et al. (2012) Monitor apps life-cycle Usi ng an extension to ADT
DroidBox
Alazab et al. (20 12 ) Malicious software Monitoring API ca lls of interest invoked by an apps
Thing et al. (2011) Malicious software Using st r ac e to log the system call, logs and timesta mps information
invoked by an apps
Wei (2013) Profiling of android applicat ion Measure and profile the apps at four layers
to Android applications to identify causes of abnormal behavior. The proposed framework of analysis tech-
niques will utilize a combination of Linux trace (Strace) and Android debug facilities techniques (logcat and
MAT) to profile the abnormal behavior in mobile application for user visible failure category which are crash,
“stopped unexpectedly” and “not responding”.
The analysis t echniq ues are used in id enti fyin g abnor mal behavior patte rns: 1) To understand the app lication
level activity sequences for abnormal activity via logcat; 2) T o identify the objects and classes consuming mem-
ory in t he java heap; 3) To identify system calls or signals made to the OS using Strace. W e will discuss in de-
tailed on our framework of analysis techniques in following paper.
By having this framework, it should allow the application developer to conduct investigation and improve-
ment on abnormal behavior application, and hence able to determine the possible caused of “abnormal” applica-
tion activit y in t he Android’s app lic a tion.
References
[1] Sasn au skas, R. and Regehr, J. (2014) Intent Fuzzer : Crafting Intents of Death. 12th Int. Work. Dyn. Anal. + Work.
Softw. Syst . Perform. Testing, Debugging, Anal . , California, 22 July 2014, 1-5.
[2] Cost a-Montene gr o, E., Barragáns-Mar tí n ez, A.B. and R ey-López, M. (2012 ) Which App? A Recommender S ystem of
Applications in Markets: Implementation of the Service for Monitoring Users’ Interactio n . Expert Systems with Ap pli-
cations, 39, 9367-9375. http://dx.doi.org/10.1016/j.eswa.2012.02.131
[3] Chandola, V. (2009) Anomaly Detection : A Survey. ACM Com puting Surv e y s, 41, 1-72.
http://dx.doi.org/10.1145/1541880.1541882
[4] Zh ao , M. , Ge, F., Zhang, T. and Yuan, Z. (2011) AntiMalDroid : An Efficient SVM-Based M alware. Communications
in Computer and Information Science, 243, 158-16 6.
[5] Giuffrida, C., Cavallaro, L. and Tanenbaum, A.S. (2010) We Crashed, Now What ? Proceedings of HotDep’10 Pro-
ceedings of the 6th International Conference on Hot Topics in System Dependability, 1-6.
N. B. Zainuddin et al.
OALibJ | DOI:10.4236/oalib.1101229 6 December 2014 | Volume 1 |
e1229
[6] Ki m, S., Bettenburg, N. and Zi mmermann , T. (2013) Predicting Method Crashes. Proceedings of 6th India Softw ar e Engi -
neering Conference, New Delhi, 21-23 Februa r y 2013, 1-5.
[7] Maj i, A.K., Ars h ad , F.A., Bagchi , S. and Rellermeyer, J.S. (2012) An Empirical Study of the Robustness of In-
ter-Component Communication in Android. 2012 42nd Annual IEEE/IFIP International Conference on Dependable
Systems and Networks (DSN), Boston, 25-28 June 2012, 1-12.
[8] Isohara, T. , Takemori, K. and Kubota, A. (2011) Kernel -Based Behavior Analysis for Android Malware Detectio n. 2011
7th International Conference on Computational Intelligence and Security (CIS), Hainan, 3-4 December 2011, 1011-
1015. http://dx.doi.org/10.1109/CIS.2011.226
[9] Luo, H., He, G., Lin, X. and (Sherman) Shen, X. (2012) Towards Hierarchical Security Framework for Smartphones.
2012 1st IEEE International Conference on Communications in China (ICCC), Beijing, 15-17 August 2012, 214-219 .
[10] Del ac, G., Silic, M. and Krolo, J. (2011) Emerging Security Threats for Mobile Platforms. MIPRO 2011 Proceedings
of the 34th International Convention, Opatija, 23-27 May 2011, 1468-1473.
[11] Pocatilu, P. (2011) Android Applications Security. Information Economics, 15, 163-172.
[12] Joshi, M. (2012) Analysis and Debugging of OEM’s.
[13] Pen g, L. , P eir, J.K. , Prakash, T.K., Staelin, C., Chen, Y.K. and Koppelman, D. (2008) Memory Hierar ch y Perfo rmance
Measurement of Commercial Dual-Core Desk top Pr oc e s s or s . Journal of Syst em s Architecture, 54, 816-828.
http://dx.doi.org/10.1016/j.sysarc.2008.02.004
[14] Park, J. and Cho i, B. (2012) Automated Memor y Leakage Detection in Android Based Syste ms. International Journal
of C ontrol Automat ion and S ystems, 5, 35-42.
[15] S hahri ar, H., Nor th , S . and Mawangi , E. (2014) Testing of Memory Leak in Android Applications. IEEE 15th Interna-
tional Symposium on High Assurance Systems Engineering, Miami Beach, 9-11 January 2014, 176-183.
[16] Wei, X. (2013) ProfileDroid : Multi-Layer Profiling of Android Applications Categories and Subject Descriptors. Pro-
cee dings of the 18th A nn ual Int e r n ati onal M obi le C om puting and N e twor k ing, Istanbul, 22-26 August 2012, 1-12.
[17] Burguera, I. and Zurutuza, U. (2011) Crowdroid : Beh avi o r-Based Malware Detection System for Android. Proceed-
ings of the 18th ACM Computer and Communications Securi ty, Illnois, 17 Oct ober 2011, 15-25.
[18] S habtai, A., Kanonov, U., Elovici, Y., Glezer, C. and Weiss, Y. (2011) “Andromaly: A Behavioral Malware Detection
Framewor k for Androi d Devi ces . Journal of Intelligent Information Systems, 38, 161-190.
http://dx.doi.org/10.1007/s10844-010-0148 -x
[19] Bl, T., B atyuk, L., Schmidt, A., Camtepe, S.A. , Albayrak, S. and Universit, T. (2010) An Android Application Sand-
box System for Suspicious Software Detection. 5th International Conference on Malicious and Unwanted Software,
France, 19-20 Oct obe r 2010, 55-62.
[20] Karami, M., Elsabagh, M., Najafiborazj ani, P. and Stavrou, A. (2013) Behavioral Analysis of Android Applications
Using Automated Instrumentation. IEEE 7th International Conference on Software Security and Reliability Compa-
nion, Washington DC, 18-20 June 2013, 182-187.
[21] Kim, H. (2011) MODELZ: Monitoring, Detection, and Analysis of Energy-Greedy Anomalies in Mobile Handsets.
IEEE Transactions on Mobile Computing, 10, 968-981. http://dx.doi.org/10.1109/TMC.2010.245
[22] Ala zab, M. , Monsamy, V., Batten, L., Lantz, P. and Tian, R. (2012) Analysis of Malicious and Benign Android Appli-
cation s. 32nd International Conference on Distributed Computing Systems Workshops, Macau, 1 8-21 June 2013, 608-
616.
[23] Thing, V.L.L., Subramaniam, P.P., Tsai, F.S. and Chua, T. (2011) Mobile Phone Anomalous Behaviour Detection for
Real-Time Information Theft Tracking. CYBERLAWS 2nd International Conference on Technical and Legal Aspects of
the e-Society, Guadel o upe , 23-28 Fe br ua r y 2011, 7-11.
[24] Guo, C., Zhang, J., Yan, J., Zh ang, Z. and Zhang, Y. (2013) Characterizing and Detecting Resource Leaks in Android Ap-
plications. 28 th IEEE/ACM International Conference on Automated Software Engineering, Silicon Valley, 11-15 No-
vember 2013, 389-398.
[25] Yan, D. (2013) Systematic Testing for Resource Leaks in Android Applications. IEEE 24 th International Symposium
on Software Reliability Engineering, Pasadena, 4-7 November 2013, 411-420.
[26] F r a nke, D. and Roy, T. (2012) AndroLIFT : A Tool for Android Application Life Cycles. VALID 2012 4th Internation-
al Confer e nc e on A dvances in System Testing and Validation Lifecycle, Lisbon, 8 November 2012, 28-33.
[27] Is ohara, T., Take mo r i, K . and Kubota, A. (2011) Kern el -Based Beh avior Anal ysis for Andro id Malware Detect ion . 7th
International Conference on Computational Intelligence Security, Hainan , 3-4 December 2011, 1011-1015.
http://dx.doi.org/10.1109/CIS.2011.226