Android Malware Evolution
The evolution of Android malware, while mapping closely to the
desktop trends, often appears to proceed at an accelerated pace. Malware
and botnets have had time to grow and trial different methods of
infection and potential uses, and the authors of the mobile counterparts
are definitely applying these learned lessons. There are clear indicators
that these are often the same groups working toward extending their
list of infected machines to the Android world.
Android also provides an especially interesting launching point for these
actors. Although PCs with broadband connections were often considered
golden, with an always-on connection and almost never being shut
off, the mobile phone provides even more perks: access to telephony
systems, the ability to dial or text numbers, location-aware services,
and access to high-speed segmented systems. Although some
of these features have clear monetization methods, such as premium
text messaging, others, like Internet access, may seem questionable.
One could assume a malicious actor would rather have an unchanging
Internet connection from a desktop machine; however, this would not
give them the possibility of roaming. A cell phone could drift from
3G to 4G, offering an interesting proxy scenario. Add in the fact that
this device might connect to a sensitive network at some point, and
it could exfiltrate or gain intimate knowledge that a PC might never
have access to.
The first Android malware, which came into existence in early August
2010, was dubbed FakePlayer. There was really no magic to this malware;
it purported to be a video player for viewing porn on Android.
Since the code was compiled with debug information left in, we could
estimate how many lines the original Java code would have been. This
trick is actually quite easy. The Dalvik code allows us to see which
opcodes originated from which Java code, so that if an error occurs
the stack trace can give you useful information about which line the