DETERMINATION OF THE PERFORMANCE OF ANDROID ANTI-MALWARE SCANNERS

AV-TEST GmbH Klewitzstr. 7 39112 Magdeburg Germany www.av-test.org

1

CONTENT Abstract ..................................................................................................................................................................................2 Determination of the Malware Detection Rate ......................................................................................................3 Prevalent Malware & Real-Time Testing ........................................................................................................3 On-Demand Test .......................................................................................................................................................3 On-Access Test...........................................................................................................................................................3 Test Execution ...........................................................................................................................................................3 False Positive Test....................................................................................................................................................3 Measuring the Performance Impact ...........................................................................................................................4 Concept .........................................................................................................................................................................4 Implementation of Test Cases .............................................................................................................................4 Certification ..........................................................................................................................................................................5 Protection Score ........................................................................................................................................................5 Usability Score ...........................................................................................................................................................5 Additional Feature Point .......................................................................................................................................5 Frequently Asked Questions (FAQ) ............................................................................................................................5 Appendix A............................................................................................................................................................................6 Performance Test Proof of Concept ..................................................................................................................6 Implementation.........................................................................................................................................................7

ABSTRACT Today's mobile devices are small computers whose functionality is similar to desktop computers. With the high number of different sensors they can even be used for tasks, that a desktop computer is not capable to achieve. But due to their mobility without a permanent power line their resources are rather limited to save battery power and to gain longer battery life. With the rise of malware for Android based mobile devices there is also the need for an AntiMalware scanner on a device to protect the device itself and the personal data on it. There are many products on the market, but do they all have proper malware detection and do they use the limited resources economically? This paper shows a way, how the malware detection rate and resource usage of Anti-Malware products can be measured. With the data achieved by our method we are able to determine which Anti-Malware product provides good protection and whether it may lead to a shorter battery life.

2

DETERMINATION OF THE MALWARE DETECTION RATE PREVALENT MALWARE & REAL-TIME TESTING For a malware detection test, it's very important, how the sample set is composed. The malware detection rate is determined in two categories. In the prevalent malware category we use only recent malware, which is not older than 4 weeks. The samples cover several relevant malware families. Families with less than 10 samples are classified as 'Other'. The total sample set consists of several thousand samples. In the real-time test category each sample is tested on the day of its discovery.

ON-DEMAND TEST The first approach to determine the malware detection rate is an on-demand scan, which is provided by most Anti-Malware products. To test a high number of malicious samples, we copy them to the SD card. If the tested Anti-Malware product provides several scan options, we choose the most comprehensive one (e.g. Full System Scan), which usually includes a scan of the SD card. All detected samples will be removed afterwards. All undetected samples will be tested on-access.

ON-ACCESS TEST An on-access test uses the real-time protection feature of the Anti-Malware product to scan the malware samples. This is used to determine the complete malware detection rate in case a product doesn’t handle all samples with the on-demand scan or doesn’t even offer this feature. In the end only the combined score of on-demand and on-access is provided by AV-TEST. The samples are installed over the Android Debug Bridge. The Anti-Malware product has to provide a visible feedback to the user, when a sample was detected.

TEST EXECUTION The prevalent malware samples are tested in two parts. The first part is an on-demand test and the second part is an on-access test. In the second part we only test the missed samples from the first part. The real-time samples are tested on-access only.

FALSE POSITIVE TEST A malware detection rate is not meaningful without an associated false positive rate. For false positive tests we use the on-access test methodology described above. The samples are known clean apps obtained from Google Play and 3rd party app stores.

3

MEASURING THE PERFORMANCE IMPACT CONCEPT Usually an Anti-Malware testing lab is an ordinary office with desks, PCs, network hardware and mobile devices. The environment doesn't meet laboratory conditions required to reliably test the influence on the battery life for different products in a comparable manner. Such laboratory conditions are e.g. a constant room temperature, an equal number of load cycles of the battery of the test device for each product and an equal age of the battery in case of several test devices. Today's batteries are very optimized and may survive thousands of load cycles before an impact on the battery life can be measured. Nevertheless we can't eliminate such impact by constant laboratory conditions and therefore we use another approach. To exclude external influences on the test results, we measure the CPU utilization and the network traffic during simulated user activity. See Appendix A for details.

IMPLEMENTATION OF TEST CASES Basics To test the CPU utilization of the scanner, we install several known clean apps on the test device using ADB. We measure the used CPU time for each installed app. In addition to the app installation we've implemented several real world use cases, to measure the performance impact during more common activities. The basic concept of the implementation of performance test cases is always the same. The controller program1 starts an activity using the am command (Activity Manager), then it waits for a suitable time for the started activity to finish loading of the given data. The activity will be stopped and a custom broadcast will be sent to the performance monitoring app on the device. The monitoring app saves CPU and memory usage as well as the amount of network traffic for each process. The am command for starting an activity usually has the following scheme: $: am start -a android.intent.action.VIEW -d --activity-clear-task

contains an URL, e.g. http://www.google.com/ or file:///mnt/sdcard/Download/document.pdf. is optional, if omitted, the system will use the default app which is associated with the data type, e.g. the browser will display http://-data. Sometimes multiple apps can handle the data, which leads to a popup where the user has to select his preferred app. Therefore for automatic tests it's better to declare a specific package, which is used to display the data. The am command for closing an activity looks like this: $: am force-stop $: am kill

The second line is optional as force-stop should "stop everything associated with ".

1

The test device is controlled over the Android Debug Bridge.

4

Browsing Websites To browse websites, we use the Android default browser, which is in the package com.android.browser (for Android before 4.1.X) or com.android.chrome The wait time is set to 10 seconds.

Watching Video For video playback we use videos hosted on YouTube and the preinstalled YouTube app with the package com.google.android.youtube. The wait time is set to the playback time of the video rounded up to the next minute plus one extra minute. E.g. when the video playback time is 2:48, the wait time is 4 minutes.

Reading PDF Documents To open PDF documents, we use the Adobe Reader app. This app is part of our installation test cases, which usually run before the real world cases. The package is com.adobe.reader. The wait time is set to 10 seconds.

Idling We've also included three test cases for idling. No specific commands are required here. The test cases cover idle times from 10 over 20 to 30 minutes.

CERTIFICATION To receive an AV-TEST certification, a mobile security app has to achieve more than 8.0 points in our scoring scheme. The scoring is composed out of the 'Protection' category, which includes the malware detection results (combined on-demand and on-access), the 'Usability' category, which includes performance and false positives, and an extra point for additional features.

PROTECTION SCORE The protection score is calculated from the average detection rate for the prevalent malware and the real-time test. Points achieved are awarded by an allocation key, which is predefined by AVTest every year. The allocation key describes which threshold in percent is needed for the corresponding points. Range for detection score is from 0 points to 6, by an interval of 0.5 steps.

USABILITY SCORE The usability score is composed of the performance score and the false positive score. The performance score is 6.0 points minus 2.0 points for each performance impact. Performance impacts may be 'impact on the battery life', 'high traffic usage' and 'slow down'. The false positive score is 6.0 points minus 1.0 point for each false positive detection. The usability score is the sum of the performance und false positive score divided by two.

ADDITIONAL FEATURE POINT If the mobile security app provides at least two additional security features beside the malware protection, it receives an extra point. Additional security features may include Anti-Theft, Safe Browsing, Privacy Advisor, Call Blocker, Message Filtering, Parental Control, Backup and Data Encryption.

FREQUENTLY ASKED QUESTIONS (FAQ) 5

Q: There are two products with 100% detection rate, but one got a protection score of 6.0 points and the other one got just 5.5 points. A: The reason is the rounding of the detection rates. The product with 6.0 points has detected 100.00% and the product with 5.5 points only detected 99.95%, which is rounded to 100%.

APPENDIX A PERFORMANCE TEST PROOF OF CONCEPT Our approach is to measure the CPU time used by the Anti-Malware while known clean apps from Google Play are installed on an Android device. The Anti-Malwares real-time protection feature will check the newly installed apps for malware and it will therefore consume CPU time. To compare different Anti-Malware products we calculate the CPU usage in %. We also monitor memory usage and the amount of network traffic for each running process. In parallel to the process monitoring the battery load is monitored and the battery state is logged every time the battery load changes. With this data we can verify our results from the process monitoring because higher CPU usage should lead to faster battery discharge. This may of course vary due to the external influence factors described above. Therefore battery discharge is not given as the measured value, but merely serves as verification that our approach of measuring the consumed CPU time is actually consistent and useful. To check whether our concept is feasible, we've implemented an Android app, which does the process monitoring and a Java program, which automatically installs applications from the Google Play website on a specific device using the Google account from the device. Read about details in the implementation part. As test device we used a Samsung Galaxy Nexus with Android 4.0.4. One test cycle includes the installation of 35 apps from Google Play. We ran five test cycles per product with the same 35 apps per each cycle. After one test cycle the apps were uninstalled. The products under test include several free and evaluation versions of popular Anti-Malware products. The following figures show the results from our test. Figure 1 compares the average CPU usage of the Anti-Malware products while 35 apps were installed from Google Play. 80.00% 70.00% 60.00% 50.00% 40.00% 30.00% 20.00% 10.00% 0.00%

Product A Product B Product C Product D Product E

6

F IGURE 1: A VERAGE CPU USAGE CHART DURING THE INSTALLATION OF 35 APPS FROM G OOGLE P LAY Figure 2 shows the discharge rate of the battery in percent per minute. 0.4 0.35 0.3 0.25 0.2

Discharge rate in % per Minute

0.15 0.1 0.05 0 Product A Product B Product C Product D Product E

F IGURE 2: H OW FAST WAS THE BATTERY DISCHARGED IN AVERAGE ? Figure 3 projects the values of figure 2 to an estimated battery life when the test would run indefinitely and the battery would discharge from 100% to 0%. 400 350 300 250 200

Estimated battery life in minutes

150 100 50 0 Product A Product B Product C Product D Product E

F IGURE 3: H OW LONG WOULD THE BATTERY LIVE WHEN THE TEST RUNS INDEFINITELY ? We can see a clear difference in the figures 2 and 3 between product A with the lowest CPU usage and the products D and E with the highest CPU usage (figure 1). There may be other influences on the battery life like I/O operations or network access, which were not part of this analysis, but it became clear that an CPU efficient programming can increase the battery life.

IMPLEMENTATION 7

The test environment is set up as client-server-infrastructure where the mobile device is the client with a monitoring Android app and a Java program is the server. Communication is performed via HTTP over Wi-Fi. The client has a list of Android apps to be installed from Google Play. It sends a request to the server including the next app identified by its Android package name and the Google account the device is registered with. Using the Selenium browser automation framework the server will log into the Google Play website and start the installation of the requested app.

F IGURE 4: T EST ENVIRONMENT SCHEME The device installs the app automatically via Wi-Fi. A broadcast receiver listens for the PACKAGE_ADDED action and saves the current state of all running processes to a report file. Then the main activity is notified to send the next request to the server. The broadcast receiver also listens for the BATTERY_CHANGED action and saves the battery state to another report file every time the battery discharges by one percent.

8

DETERMINATION OF THE PERFORMANCE OF ANDROID ANTI ...

OF ANDROID ANTI-MALWARE SCANNERS. AV-TEST GmbH. Klewitzstr. 7 ..... Families with less than 10 samples are classified as 'Other'. The total sample set.

850KB Sizes 3 Downloads 389 Views

Recommend Documents

Determination of the Degree of Freedom of Digital ...
Chinese Academy of Sciences, Wuhan 430077. Abstract ... In astronomical data processing, correlation analysis of 2-dimensional and multi-dimensional time series ... data. So, a good determination of the degree of freedom for the filtered time ...

Determination of the Diffusion Coefficients of Organic ...
between a mobile gas phase and a stationary polymer phase. ... Contract grant sponsor: University of the Basque Country; contract grant ... The comparison.

determination of dynamical parameters of the human ...
The 3rd International Conference on ... and Virtual Engineering″ ... used an install form of a plate (platform) Kistler, an electrical signal amplifier, two DAQ ...

Determination of the evaporation coefficient of D2O
Nov 20, 2008 - on the earth's atmosphere due to scattering of solar radia- tion, although some .... low to avoid heating the droplets or otherwise affecting their evaporation (Sayer ..... It has been argued that surface active solutes can lower the .

Determination of the thermodynamics of carbonic anhydrase acid ...
Retrying... Whoops! There was a problem previewing this document. Retrying... Download. Connect more apps... Try one of the apps below to open or edit this item. Determination of the thermodynamics of carbonic anhydrase acid-unfolding.pdf. Determinat

PhET Simulation- Determination of Planck's Constant.pdf ...
There was a problem previewing this document. Retrying... Download. Connect more apps... Try one of the apps below to open or edit this item.

Determination of oxytetracycline, tetracycline and ...
spectrometry still has cost affair [2]. In general, PDA detection is sensitive and has wide scanning range. The objective of present study was to estimate the residue levels of tetracycline (oxytetracycline, tetracycline and chlortetracycline) in sla

Simultaneous determination of digoxin and ...
ability of P-gp expression [5]; and (iii) P-gp kinetic profiling. [6]. ... data acquisition and processing. ..... sions and to obtain accurate permeability data for digoxin.

PhET Simulation- Determination of Planck's Constant.pdf ...
There was a problem previewing this document. Retrying... Download. Connect more apps... Try one of the apps below to open or edit this item.

PhET Simulation- Determination of Planck's Constant.pdf ...
PhET Simulation- Determination of Planck's Constant.pdf. PhET Simulation- Determination of Planck's Constant.pdf. Open. Extract. Open with. Sign In.

Electrochemical Determination of Dobutamine Using Gold Electrode ...
with Self-Assembled Monolayer of Functionalized Multi-Walled Carbon. Nanotubes Decorated with Ruthenium Oxide Nanoparticles. A. Mahdavi Shakiba, S.

Three-dimensional structure determination of ... - ACS Publications
2Magnetic Resonance Center (CERM), University of Florence, 50019 Sesto Fiorentino (FI), .... To avoid contact with air all samples were sealed in a glovebox.

Determination of anthocianins bilberry (Vaccinium ...
hydroxycinnamic acids (including caffeic, ferulic, and coumaric acid), hydroxybenzoic acids (including gallic and procatechuic acid), and flavonols (including kaempferol, quercetin and myricetin). Blueberries also ... rain precipitation that moves be

Anodic Stripping Voltammetric Determination of ...
liquids)" offer a renewable and modified surface, low cost and very low background current ... inserted to establish electrical contact. Corresponding Author: ...

Determination of accurate extinction coefficients and simultaneous ...
and Egle [5], Jeffrey and Humphrey [6] and Lich- tenthaler [7], produce higher Chl a/b ratios than those of Arnon [3]. Our coefficients (Table II) must, of course,.

High performance computing in structural determination ...
Accepted 7 July 2008. Available online 16 July 2008 ... increasing complexity of algorithms and the amount of data needed to push the resolution limits. High performance ..... computing power and dozens of petabytes of storage distributed.

DETERMINATION OF IRON CRITICAL LEVEL FOR SULAIMANI ...
DETERMINATION OF IRON CRITICAL LEVEL FOR SULAIMANI SOILS CULTIVAITED WITH WHEAT.pdf. DETERMINATION OF IRON CRITICAL LEVEL FOR ...

Voltammetric determination of dopamine in the ...
Jylz-Myng Zen* and I-Lang Chen. Department of Chemistry ..... The authors gratefully acknowledge financial support from the. National Science Council of the ...

Determination of the nature of the lowest triplet state of ...
Nov 21, 1997 - of applications [2]. The mechanism of the excited ..... served upon intramolecular photoinduced electron transfer and consecutive folding of a ...

Simultaneous determination of digoxin and ...
MILLENNIUM32 software (version 3.05.01) was used for data acquisition and ... the linearity, sensitivity, precision and accuracy for each ana- lyte [16].

Electrochemical determination of dopamine and ...
and KCl (5 0 0), where the data in the brackets were the concen- tration ratios. ... Aunano-ME responds well for the recovery of spiked DA with high sensitivity ...

Journal of Chromatography B Determination of ...
... Hospital, General Education Center, Tzu Chi College of Technology, Hualien, Taiwan .... the corresponding background voltammograms in 0.1 M, pH 7 PBS.

Announcement of Determination of Supporting Company for MtGox ...
Announcement of Determination of Supporting Company for MtGox Bankruptcy Proceedings.pdf. Announcement of Determination of Supporting Company for ...