Fig. 8.4 illustrates the distribution of operating systems taken into account in existing detection methods. As we can see, the most commonly used operating system is Android OS. This is due to its open structure and widespread usage, which attract both malware writers who abuse the system and researchers who provide efficient and effective solutions to protect it.
Fig. 8.4 Distribution of operating systems taken into account in existing detection methods
Fig. 8.5 Distribution of detection sides taken into account in existing detection methods
On Device Versus on Cloud Detection
Malware detection systems can be separated further, as is discussed in more detail in , based on the detection side: on the device or on the cloud. The distribution of existing works with respect to the detection side is presented in Fig. 8.5. As we can see from Fig. 8.5, there is no dominant detection side, because both approaches have their own advantages and disadvantages. The advantage of detecting malware on the device is that user data do not have to be sent into the network and thus exposed to potential privacy breaches. Additionally, if the device is under attack, the user receives an early notification about it and so has more time to take appropriate countermeasures. However, the computational capabilities of mobile devices sometimes limit the ability to run complex malware detection systems on them. For this reason, computations can be offloaded to the cloud, where more sophisticated algorithms are used and detection is done with higher confidence. One of the drawbacks of this approach is that, without a connection, the user stays unprotected.
Since no benchmark dataset for Android malware detection exists, researchers use different datasets to report their results. The fact that datasets are not always public is a significant limitation and makes comparison of research results difficult. It often happens that the performance of an approach is tested and reported only once, on a specific dataset.
One aspect of ultimate importance in mobile device detection, which was previously not a limitation for regular PC detection systems, is resource consumption. However, resource consumption is often missing from the evaluation of detection methods. This makes the design of a suitable detection system difficult, since the designer cannot estimate in advance how complex the system is and whether the scarce resources of devices are suitable for given applications.