Analysis of the Latest Trojans on Android Operating System

Abstract

University of Technology Sydney. Faculty of Engineering and Information Technology.

With rapid advances in electronics, mobile operating systems can accommodate a wide variety of applications, which greatly facilitates people's everyday lives. With a user group of more than 2 billion, the Android platform provides a diverse ecosystem for developing and publishing all sorts of applications. Although Google's official application store, Google Play, contains over 2 million apps, such a huge market also attracts hackers seeking to profit by distributing malware. Mobile malware has rocketed since 2009. As reported by Broadcom Inc., an industry-leading security company, 2017 witnessed an increase in new mobile malware strains compared with 2016. Additionally, more profit-driven malware emerged with the growth of underground markets. Due to the fragmentation problem of the Android platform, Android has long been the most targeted operating system. To keep pace with the cutting-edge anti-malware countermeasures adopted by cyber-security businesses, malware developers have abused high-level obfuscation, virtual environment recognition, conditional execution (logic bombs), run-time payload dropping, etc., to fool their opponents (i.e., security products and reverse engineering tools). These techniques are usually easier to trace during the evolution and diversification of a malware family. In this thesis, we take a close look at both recent Android trojans and one specific family of Android banking trojans, which infiltrates banking applications to steal credentials or tricks victims into typing in their usernames and passwords by displaying fake login interfaces.
This thesis focuses on both statically reverse engineering the samples, dissecting the programs to understand their internal logic and find similar features that could be used to assist security analysts, and dynamically monitoring their behaviors in emulators. From public and private sources, 2380 samples of trojans from 20 (sub)families have been collected. As a result of the analysis, a lucid overview and improved understanding of Android trojans are provided. The results indicate that Android trojans evolve towards possessing more malicious capabilities and more diverse permutations without losing their core design, which would cause more limitations and ineffectiveness for modern security solutions.
