Forensic Analysis of Spy Applications in Android Devices

Annual ADFSL Conference on Digital Forensics, Security and Law 2019

May 16th, 2:00 PM

Forensic Analysis of Spy Applications in Android Devices Forensic Analysis of Spy Applications in Android Devices

Shinelle Hutchinson Sam Houston State University, [email protected]

Umit Karabiyik Purdue University, [email protected]

(c)ADFSL

Follow this and additional works at: https://commons.erau.edu/adfsl

Part of the Aviation Safety and Security Commons, Computer Law Commons, Defense and Security

Studies Commons, Forensic Science and Technology Commons, Information Security Commons,

National Security Law Commons, OS and Networks Commons, Other Computer Sciences Commons, and

the Social Control, Law, Crime, and Deviance Commons

Scholarly Commons Citation Scholarly Commons Citation Hutchinson, Shinelle and Karabiyik, Umit, "Forensic Analysis of Spy Applications in Android Devices" (2019). Annual ADFSL Conference on Digital Forensics, Security and Law. 3. https://commons.erau.edu/adfsl/2019/paper-presentation/3

This Peer Reviewed Paper is brought to you for free and open access by the Conferences at Scholarly Commons. It has been accepted for inclusion in Annual ADFSL Conference on Digital Forensics, Security and Law by an authorized administrator of Scholarly Commons. For more information, please contact [email protected].

http://commons.erau.edu/

http://commons.erau.edu/

https://commons.erau.edu/adfsl

https://commons.erau.edu/adfsl/2019

https://commons.erau.edu/adfsl?utm_source=commons.erau.edu%2Fadfsl%2F2019%2Fpaper-presentation%2F3&utm_medium=PDF&utm_campaign=PDFCoverPages

http://network.bepress.com/hgg/discipline/1320?utm_source=commons.erau.edu%2Fadfsl%2F2019%2Fpaper-presentation%2F3&utm_medium=PDF&utm_campaign=PDFCoverPages










https://commons.erau.edu/adfsl/2019/paper-presentation/3?utm_source=commons.erau.edu%2Fadfsl%2F2019%2Fpaper-presentation%2F3&utm_medium=PDF&utm_campaign=PDFCoverPages

mailto:[email protected]

/creativecommons.org/licenses/by-nc-nd/4.0/

/creativecommons.org/licenses/by-nc-nd/4.0/

Forensic Analysis of Spy Applications in Android ... CDFSL Proceedings 2019

FORENSIC ANALYSIS OF SPYAPPLICATIONS IN ANDROID DEVICES

*Shinelle Hutchinson **Umit Karabiyik

*Sam Houston State UniversityDepartment of Computer Science

Huntsville, TX, [email protected]

**Purdue UniversityDepartment of Computer and Information Technology

West Lafayette, IN, [email protected]

ABSTRACT

Smartphones with Google’s Android operating system are becoming more and more populareach year, and with this increased user base, comes increased opportunities to collect more ofthese users’ private data. There have been several instances of malware being made availablevia the Google Play Store, which is one of the predominant means for users to downloadapplications. One effective way of collecting users’ private data is by using Android Spyware.In this paper, we conduct a forensic analysis of a malicious Android spyware application andpresent our findings. We also highlight what information the application accesses and whatit does with that information. We then provide our findings on how Google’s Play Protectservice handles this spyware application. Lastly, we offer a simple framework that forensicinvestigators can follow for performing mobile application analysis.

Keywords: Android, Malware, Mobile Forensics, Mobile Security, Spyware Analysis, PlayProtect.

1. INTRODUCTION

The Android Operating System (OS) is themost used mobile OS in the world, account-ing for 76.61% of the global market share (?,?). This makes it an ideal target for cyber-criminals who make their living stealing andselling persons’ Personally Identifiable Infor-mation (PII). Malicious applications (apps)that make it possible for attackers to obtainsuch PII are called Spyware.

Google has put several measures in place

to protect its users from malicious apps, in-cluding their more recent security implemen-tation, the Play Protect service (?, ?). PlayProtect is advertised as an always on fea-ture that provides protection against mali-cious applications on devices through ma-chine learning, provides a means of locatinga misplaced device through Find My Device,and provides secure Internet browsing withSafe Browsing protection in Chrome (?, ?).

Unfortunately, even with being in opera-tion for well over a year, there have been in-

c© 2019 ADFSL Page 1

CDFSL Proceedings 2019 Forensic Analysis of Spy Applications in Android ...

stances where the Play Protect service wasunable to detect and remove rogue apps be-fore they were downloaded and used by mil-lions of unsuspecting users (?, ?)(?, ?) fromthe Play Store.

This paper aims to provide an analysisof one such Spyware that was able to by-pass Google’s Play Protect service and alsopresent an answer to two integral questions:

1. What does the Spyware do?

2. How does the Spyware accomplish whatit does?

We believe that this information wouldbe beneficial to other Android security re-searchers as it would highlight some app be-haviors that indicate said app may be mali-cious.

The rest of this paper is organized as fol-lows: Section 2 gives background informa-tion on the topic of Android Spyware de-tection. Section 3 specifies the experimentsetup that was followed. Our findings arepresented in Section 4 while Section 5 offersa simple framework for performing applica-tion analysis. Section 6 concludes our paper.

2. RELATED WORKWithin recent years, there have been severalspyware attacks plaguing Android devices.Some of these attacks occurred in the wild(?, ?) and (?, ?), while others were developedspecifically to shed light on the need for im-proved security within the Android platform(?, ?).

Abualola et al. (?, ?) developed a TrojanSpyware that leveraged the capabilities ofAndroid’s NotificationListener service. Themalicious app was advertised as an SMSBackup app. However, the app came witha backdoor which allowed it to forward noti-fication content from WhatsApp, FacebookMessenger, BBM and SMS to the attacker’s

email. The app was able to accomplish thiswith the use of two permissions: “Notifica-tion Access” and “Internet”.

In addition to researcher-made spyware,there have been real-world spyware attacksperpetrated via the Google Play Store. In2017, there were two such attacks. A roguedeveloper, who seemingly bore the samename as the legitimate company, WhatsAppInc., was able to successfully upload a fakeWhatsApp app, titled “Update WhatsAppMessenger” (?, ?). This fake app was down-loaded over one million times despite onlybeing an ad-loaded wrapper with Internetaccess permission. Once installed, the appwould download another apk, called what-sapp.apk. Interestingly, this app was notfirst detected by Google’s Play Protect ser-vice.

However, Play Protect did discover the de-ceptive Tizi spyware (?, ?). Tizi is describedas a full-featured Android backdoor that cangain root access on affected devices in orderto steal users’ PII. This PII may include datafrom popular social media apps like What-sApp, Facebook, Twitter, etc., as well asSMS messages. In the event Tizi is unableto root the affected device, it still attemptsto obtain sensitive data through the use ofhigh level permissions the user would havegranted.

There have been several malware detec-tion techniques put forth; below we highlightfive (5):

2.1 Behavior Based

Multi-Level Anomaly Detection for AndroidMalware (MADAM) (?, ?) was designed as amulti-level and behavior-based malware de-tection tool for Android. MADAM’s detec-tion ability relies on analyzing five groupsof features from four levels of abstraction:kernel-level, application-level, user-level andpackage-level. These features pass througha Signature-based detector and a Behavior-

Page 2 c© 2019 ADFSL


based detector before a decision is made onwhether the app is malicious and should beremoved. MADAM prides itself on beingable to detect several classes of malware, in-cluding spyware. It also boasts a high de-tection rate of 96.9% and negligible perfor-mance overhead. However, this tool requiresa rooted device to perform.

2.2 Taint Analysis

Rathi and Jindal (?, ?) define taint analysisas the analysis of an application and the pre-sentation of potentially malicious data flows.With this in mind, these authors developedthe DroidMark tool which is capable of de-tecting Android malware with 96.88% accu-racy. DroidMark made use of taint analysisthrough the use of FlowDroid. This first stepis able to detect sensitive data flows withinAndroid applications by reverse engineeringthe app’s APK file. DroidMark’s second stepidentifies sources and sinks through the useof the SuSI framework. The third step usesdeep learning to classify apps as maliciousor safe through the use of Bayesian Net-works. DroidMark is capable of performingreal-time analysis on Android systems.

2.3 Network Traffic Analysis

Malik and Kaushal (?, ?) proposed an alter-native method of detection, focused on ana-lyzing apps’ network traffic, specifically theirDomain Name Server (DNS) queries and thetype of information being transmitted to aremote server. Their approach, titled CRE-DROID, was able to successfully detect ma-licious apps and determine what PII wasbeing transmitted to questionable remoteservers. CREDROID was tested manuallyand was unable to identify malicious appswhich did not generate network traffic.

Ren et al. (?, ?) also focused on apps’ net-work traffic to determine potential PII leaks.They developed a cross-platform system, ti-tled ReCon, which uses machine learning, to

offer its users a means of controlling thosePII leaks. ReCon used a C4.5 DecisionTree to handle classification of network traf-fic that produce PII leaks. ReCon’s accuracywas most desirable at 99%. From their ex-periments, it was found that the top three(3) most leaked PIIs were DeviceID, Loca-tion and Credentials. The authors also notedthat these credentials were being transmit-ted in plaintext.

2.4 Hybrid

Kaur and Sharma (?, ?) utilized a hybrid ap-proach to detect spyware and improve users’privacy. Their detection frameworks anal-yses apps based on the app’s Description,Interface Layout and Source Code. Whenan app is installed or updated, the .apkfile for that app is reverse engineered andits permissions are extracted from its An-droidManifest.xml file. These permissionsare checked against the app’s description andsource code, to ensure only required permis-sions are being requested. This approachwas able to achieve better detection ratesthan popular antiviruses like McAfee, Avastand AVG

2.5 Machine Learning

Wang et al. (?, ?) re-purposed the XGBoostmodel to detect Android malware. Their de-tection system consisted of static analysis ofboth benign and malicious app .apk files toextract permission and API call features andthe use of a Random-Forest Feature Selec-tion model to reduce the feature set. Theyalso based their classification accuracies onusing select features, higher weighted fea-tures and various combinations of both per-mission features and API call features. Thisdetection system was able to outperform ormatch the Support Vector Machine model asit was able to obtain high accuracy and re-duced training time.

Mahindru and Singh (?, ?) also utilized



machine learning in order to successfully de-tect Android malware. However, instead ofusing one classifier, they tested with five.Their method consisted of three phases. Inthe first phase, they would collect the .apk’sfor several Android apps. The second phaseincluded a dynamic analysis of the .apks andthe extraction of the permissions being re-quested by each app. The last phase sawthe execution of five machine learning algo-rithms, as they classify each app as mal-ware or benign depending on the permis-sions extracted. They achieved highest ac-curacy of 99.7%, using the Simple Logisticalgorithm when it was trained using 70% oftheir dataset.

3. EXPERIMENTAL

SETUP

For our malware analysis experi-ment, we opted to investigate the An-droid.Spy.277.origin malware family. Weobtained a sample of the malware fromGitHub (?, ?). It was downloaded as a Filetype and had to be extracted to obtain theAndroidManifest.xml and classes.dex files.The classes.dex file was then converted toits corresponding classes.jar file, using thedex2jar tool. Analysis of the .jar file wasdone using the JD-GUI application.

All experiments were done on a Windows10 system. We chose to use Android Studioversion 3.1.3 to conduct our experiment onan Android Virtual Device. This device tookthe form of a Nexus S phone running An-droid 5.0 Lollipop (API 21). After the mal-ware app was installed on the emulator, weused Wireshark version v2.6.1-0-g860a78b3,to capture the network traffic of the devicewhile the app was active and while we per-formed some manipulations.

Figure 1. A snippet of the AndroidMani-fest.xml file

4. SPYWARE

ANALYSISIn this section, we present our observationsand findings having analyzed the applica-tion’s Manifest file, source code, installationand execution on an Android device.

4.1 A look at theAndroidManifest.xml file

After performing an analysis of the manifestfile (see Figure 1), several interesting pointswere found.

1. Package name was identified ascom.inoty.os with displayed version1.3.0.1. The minSdkVersion for the appis 5.0 while the targetSdkVersion is 21.The package being used isnet.suckga.inoty2.

2. Permissions : the app requests sev-eral seemingly benign permissions, ifconsidered on their own, such asReceive, System Alert Window, Ac-cess Fine Location,Access Network State, etc. However,when these permissions are considered



together, they can be used for nefariousreasons. For example, these permissionscan allow a malicious app to captureincoming messages and transmit them,along with the device’s location at thetime, over a network. These and someother possibly harmful permissions areidentified and briefly explained in Table1.

3. Activities, Services, Receivers andContent-Filters : Some of the moreimportant ones will be examined inSection 4.5 below.

4.2 An Initial Look at theApp’s Behavior

Installing the .apk file was as simple as drag-ging and dropping it onto the emulator’sscreen. After the app was installed it waspresented as an app named “Notify Ios” asshown in Figure 2a. When the app islaunched, the first screen, depicted in Figure2b offers several personalization options aswell as a means of enabling the app. Whenthe “Enable Notify Ios” option is selected,the user is presented with two services thatcould be turned on: Accessibility and No-tifications. This is shown in Figure 2c.When the user chooses the Accessibility op-tion, they are taken to the Accessibility Set-tings where they will be able to turn on “No-tify Ios”. Once enabled, the user is told whatprivilege the app requires and asked for con-firmation, as shown in Figure 2d. When theuser chooses the Notifications option and en-ables the service, they are presented with aconfirmation screen informing them of whataccess privileges the service will now have,as shown in Figure 3a. When the user en-ables both the accessibility and notificationservices, the app takes over the status bar(becomes the status bar) as shown in Figure3b.

4.3 Manipulations made whilethe app was active

(sending texts, etc.)

In order to test the functionality of the No-tify Ios app, we enabled both the Acces-sibility and Notification services and thenperformed some activities to create notifica-tions on the device. We sent text messagesusing the default Messages app and emailsusing the Gmail service. Figure 3c showspreviously received notifications while Fig-ure 3d shows an incoming notification fromthe Messages app.

4.4 Network Analysis Process

For us to determine whether the app was do-ing anything nefarious, we decided to cap-ture the phone’s network traffic while theapp was active. We discovered that everytime the app was opened, it sent a GET re-quest with some of the user’s private datato an IP address (204.11.56.48). We deter-mined that this IP address was maliciousand was based in the British Virgin Islands.Some information this app transmitted in-cluded the device’s model, the OperatingSystem version, the phone’s IMEI number,the email address connected to the Googleaccount on the device, the device’s MAC ad-dress, the current carrier, whether the deviceis rooted or not, the country location, etc.,as shown in Figure 4. When both serviceswere enabled, the app sent another GET re-quest with the same information to the sameIP address. However, this time it included alist of all the currently installed packages onthe device, as shown in Figure 5.

4.5 A look at the classes.jarfile

When the classes.jar file was opened withJD-GUI, we were presented with seven pack-ages, each with several sub-packages whichin turn contained several class files. The



Table 1. Permissions the Notify Ios Application Requests

Permission Details

android.permission.SYSTEM ALERT WINDOW Allows an application to create windows that are shown on top ofall other apps.

android.permission.ACCESS WIFI STATE Allows applications to access information about Wi-Fi networks.

android.permission.ACCESS NETWORK STATE Allows applications to access information about networks.

android.permission.READ CALENDAR Allows an application to read the user’s calendar data.

android.permission.ACCESS FINE LOCATION Allows an app to access the device’s precise location.

android.permission.BLUETOOTH Allows applications to connect to paired Bluetooth devices.

android.permission.WAKE LOCK Allows using PowerManager WakeLocks to keep processor fromsleeping or screen from dimming.

android.permission.EXPAND STATUS BAR Allows an application to expand or collapse the status bar.

android.permission.READ PHONE STATE Allows read only access to the features of the phone, including thephone number of the device, current cellular network information,the status of any ongoing calls, and a list of any Phone Accountsregistered on the device.

android.permission.INTERNET Allows applications to open network sockets.

android.permission.GET ACCOUNTS Allows access to the list of accounts in the Accounts Service.

com.android.launcher.permission.INSTALL SHORTCUT Allows an application to install a shortcut in Launcher.

android.permission.WRITE EXTERNAL STORAGE Allows an application to write to external storage.

com.inoty.os.permission.C2D MESSAGE Only this application can receive the messages and registrationresult.

com.google.android.c2dm.permission.RECEIVE This app has permission to register and receive messages.

(a) (b) (c) (d)

Figure 2. Screenshots of the Notify Ios app



(a) (b) (c) (d)

Figure 3. Screenshots of the Notify Ios app

Figure 4. Screenshot of PII data

most interesting packages were found to benet.suckga.inoty2 and com.sweet.rangermob.

The important classes and methods thatwere responsible for collecting and transmit-ting identifiable information about the de-vice and user are highlighted below:

1. net.suckga.inoty2.preferences.PreferencesActivity :It is the first class that runs when theapp is launched by pressing its icon.

2. com.sweet.rangermob.helper.e.a(this.b):This method determines if there is anactive internet connection. In suchcase, the com.sweet.rangermob.a()method is started.

3. com.sweet.rangermob.a(): This methodcollects identifying information aboutthe device and user which is subse-quently transmitted to the rogue IP ad-dress. This information is stored in avariable called localArrayList.

4. RootUtil.a(): It looks for superuser ac-cess (determines if phone is rooted).If the device is rooted, collects sev-eral other pieces of information, includ-ing whether the device has Google Play



Figure 5. List of all installed applications

Store installed, whether there is an ac-tive device admin, etc., and adds thisinformation to the localArrayList vari-able.

5. paramAnonymousVarArgs = URLEn-codedUtils.format(localArrayList, “utf-8”): converts thelocalArrayList to a URL.

6. j.a() + paramAnonymousVarArgs :This builds the website’s URL andconcatenates it with the Encoded URLfrom localArrayList with help from thecom.sweet.rangermob.helper.c class.

7. com.sweet.rangermob.helper.c: Thisclass contains variables used to buildthe HTTP GET request and thedomain website.

8. paramAnonymousVarArgs=com.sweet.rangermob.helper.b.b(j.a() + paramAnonymous-VarArgs): This passes the completedURL string to be created in the HTTPGET request.

9. Within thecom.sweet.rangermob.xser.RangerSer

class, there is a method that handlescollecting and sending the device anduser information, in addition to a list ofall the installed packages on the device,to the rogue IP address. This methodclosely resembles the one that runsevery time the app is opened.

4.6 Interesting Findings

In an attempt to determine whether ornot this app would be flagged by Google’sPlay Protect service, we attempted to installthe Notify Ios app on a physical SamsungGalaxy S5 device running Android 6.0. Thedevice was set to allow installation of appsfrom third parties. We performed this instal-lation on three separate occasions becausethe Play Protect service detects malware us-ing machine learning techniques. This willshow us whether those techniques are effi-cient against such malware as Notify Ios.

4.6.1 July 28th, 2018

We copied the .apk file onto the deviceand was able to successfully install the app.When Play Protect scanned all the apps onthe device, none were flagged as suspicious.



Figure 6. Screenshot of Play Protect serviceblocking the installation of Noty Ios

4.6.2 Oct 12th, 2018

We again copied the .apk file onto the deviceand attempted to install the app. However,the Play Protect service immediately flaggedthe app as suspicious, as shown in Figure 6.

4.6.3 Oct 14th, 2018

We tried one last time to install the app onthe device, however this time there was noPlay Protect warning and the app simply didnot install, as shown in Figure 7.

From these occurrences, we believe thatthe Play Protect service learned from ourfirst installation of the Notify Ios app andnow is able to block any installation of theapp on devices.

5. GUIDELINES FOR

MOBILE APPLICATION

ANALYSIS

Application analysis is a multi-part processif we are to obtain as much information aspossible about an app’s workings. In thissection, we provide a brief guideline that in-vestigators can follow should they need to doapplication analysis.

Figure 7. Screenshot of Noty Ios app refus-ing to be installed.

1. Static Analysis: Be sure to investi-gate the source code and app manifestfiles, looking for suspicious implemen-tations and unnecessary permission re-quests that do not fit the described useof the app. This step can be extremelycumbersome should the app developerobfuscate the source code, specificallyclass, method and variable names.

2. Dynamic Analysis: Static analysis alonetends to be insufficient for determiningexactly what an app is doing. Once youhave an idea of what the app is doingfrom the static analysis, be sure to in-stall the app on a clean device and runit. This way, you can interact with theapp, manipulate various features andnote its effects on the device.

3. Network Analysis: Many apps, espe-cially spyware apps, use network fea-tures and chances are if you suspect theapp is doing something nefarious afterdoing static and dynamic analysis, theapp may be communicating with a ma-licious, remote server. You should makenetwork analysis a step during your dy-namic analysis. Using a network sniffer



like Wireshark could allow you to as-certain what communications the appis doing while it’s running on a device.This includes determining what infor-mation the app is transmitting and towhom that data is going to.

After performing each of these, you shouldhave a fairly comprehensive understandingof what the app does and how its featuresare implemented.

6. CONCLUSIONAndroid smartphones are widely used, andtheir users require protection from nefariousindividuals set on obtaining these users’ PII.Unfortunately, it is possible for some appsto covertly collect user’s PII and transmittedthat data to unauthorized persons.

After our analysis of the Notify Ios mali-cious app, we determined that various piecesof users’ PII were being transmitted to anunauthorized location. We also combedthrough the source code to identify exactlyhow this was being accomplished and quicklyfound that the app developer relied heavilyon obfuscation of their code to mask theirill intent. We also tested the capacity ofGoogle’s Play Protect service to detect thismalicious app and was able to prove thatthe service initially failed to detect the app.However, it was able to learn and flag theapp on subsequent installations.

For future work, we intend to develop ourown malicious spyware app in an attempt tosuccessfully avoid detection by the Play Pro-tect service. In doing so, we aim to identifycertain malicious characteristics the serviceis still incapable of detecting as well as spe-cific vulnerabilities the service is still suscep-tible to.

REFERENCESAbualola, H., Alhawai, H., Kadadha, M.,

Otrok, H., & Mourad, A. (2016). An

android-based trojan spyware tostudy the notificationlistener servicevulnerability. Procedia ComputerScience, 83 , 465 - 471. Retrieved fromhttp://www.sciencedirect.com/

science/article/pii/

S1877050916302435 (The 7thInternational Conference on AmbientSystems, Networks and Technologies(ANT 2016) / The 6th InternationalConference on Sustainable EnergyInformation Technology (SEIT-2016)/ Affiliated Workshops) doi: https://doi.org/10.1016/j.procs.2016.04.210

Ashishb. (2018). ashishb/android-malware.Retrieved fromhttps://github.com/ashishb/

android-malware/tree/master/

Android.Spy.277.origin

Google detects android spyware that spieson whatsapp, skype calls. (2017, Nov).The Hacker News. Retrieved fromhttps://thehackernews.com/2017/

11/android-spying-app.html?utm

source=feedburner&utm medium=

feed&utm campaign=ewlineFeed:

TheHackersNews(TheHackersNews

-SecurityBlog)& m=3n.009a.1629

.pv0ao08grr.zf0

Google play protect. (2018). Android.Retrieved from https://

www.android.com/play-protect/

Kaur, P., & Sharma, S. (2015). Spywaredetection in android usinghybridization of description analysis,permission mapping and interfaceanalysis. Procedia Computer Science,46 , 794–803.

Khandelwal, S. (2017, Nov). Fake whatsappon google play store downloaded byover 1 million android users. TheHacker News. Retrieved fromhttps://thehackernews.com/2017/

11/

fake-whatsapp-android.html?utm



source=feedburner&utm medium=

feed&utm campaign=ewlineFeed:

TheHackersNews(TheHackersNews

-SecurityBlog)& m=3n.009a.1616

.pv0ao08grr.z3r

Mahindru, A., & Singh, P. (2017). Dynamicpermissions based android malwaredetection using machine learningtechniques. In Proceedings of the 10thinnovations in software engineeringconference (pp. 202–210).

Malik, J., & Kaushal, R. (2016). Credroid:Android malware detection bynetwork traffic analysis. InProceedings of the 1st acm workshopon privacy-aware mobile computing(pp. 28–36).

Mobile operating system market shareworldwide. (2018, Oct). Retrievedfromhttp://gs.statcounter.com/os

-market-share/mobile/worldwide#

monthly-201708-201709-bar

Rathi, D., & Jindal, R. (2018). Droidmark:A tool for android malware detectionusing taint analysis and bayesiannetwork. arXiv preprintarXiv:1805.06620 .

Ren, J., Rao, A., Lindorfer, M., Legout, A.,& Choffnes, D. (2016). Recon:Revealing and controlling pii leaks inmobile network traffic. In Proceedingsof the 14th annual internationalconference on mobile systems,applications, and services (pp.361–374).

Saracino, A., Sgandurra, D., Dini, G., &Martinelli, F. (2018). Madam:Effective and efficient behavior-basedandroid malware detection andprevention. IEEE Transactions onDependable and Secure Computing ,15 (1), 83–97.

Wang, J., Li, B., & Zeng, Y. (2017).Xgboost-based android malware

detection. In Computationalintelligence and security (cis), 201713th international conference on (pp.268–272).


Forensic Analysis of Spy Applications in Android Devices

Documents

Transcript of Forensic Analysis of Spy Applications in Android Devices