Figure shows that the use of repackaging grew until 2012, after which standalone malware became dominant. The reason could be that many effective anti-repackaging solutions have become available during the last few years, which gives cybercriminals less incentive to use such techniques. On the other hand, the bad guys are putting more effort into designing comprehensive and sophisticated malware apps from scratch, and their malware design skill has matured.
Given the nature of Android system design, it is not surprising to see in figure that listening to system events to activate the malware's functional units is the main trick. Scheduling a task to periodically start a functional unit is an alarmingly growing trend. By scheduling a timer task or leveraging the AlarmManager, the malware can constantly upload the victim's information or retrieve commands from the C&C server; in ransomware apps, it is also one of the techniques used to lock the victim's device.
We observe that persistence has become a core feature of malware apps. Figure shows that malware apps are evolving to be harder for the victim to notice. At the same time, they are also becoming much harder for the system, anti-virus solutions, or users to destroy.
Root exploits are becoming less popular, as we have discussed in Section 3.2.5, but obtaining device-admin privilege seems to have become popular, as seen in figure.
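The two manifest-visible behaviours described above, activation by system events and requests for device-admin privilege, can be checked statically during triage. The following is an added example, not code from the original paper: the list of system events, the function name `triage_manifest`, and the sample manifest are assumptions constructed for illustration, and AlarmManager scheduling is not covered because it does not appear in the manifest.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# System broadcasts treated as activation triggers (illustrative list, an assumption).
SYSTEM_EVENTS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
    "android.net.conn.CONNECTIVITY_CHANGE",
    "android.intent.action.USER_PRESENT",
}
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample: a decoded AndroidManifest.xml, not taken from any real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".WidgetReceiver">
      <intent-filter>
        <action android:name="android.appwidget.action.APPWIDGET_UPDATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return {receiver name: findings} for receivers that merit a closer look."""
    findings = {}
    for rcv in ET.fromstring(xml_text).iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in rcv.iter("action")}
        # Receivers woken by system broadcasts: the main activation trick.
        notes = ["system-event:" + a for a in sorted(actions & SYSTEM_EVENTS)]
        # A device-admin receiver declares both the action and the bind permission.
        if DEVICE_ADMIN_ACTION in actions and rcv.get(ANDROID + "permission") == DEVICE_ADMIN_PERM:
            notes.append("device-admin")
        if notes:
            findings[rcv.get(ANDROID + "name", "?")] = notes
    return findings

if __name__ == "__main__":
    for name, notes in triage_manifest(SAMPLE).items():
        print(name, notes)
```

Both patterns also occur in benign apps, so the output is a prioritisation signal for further analysis rather than a verdict.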
Anti-analysis techniques are one of the key weapons of cybercriminals in the battle against security analysts. From figure we can see that renaming and string encryption are the fastest-growing techniques; dynamic loading and evading dynamic analysis are catching up, while the practice of hiding things in a native payload is staying at a similar level.
Figure shows that banking malware is becoming the main channel for cybercriminals to make money. Ransomware is a new threat that has started to tick upward.