
Graduate student: Jung-Pei Cheng (鄭容沛)
Thesis title: Android SMS Trojan Malware Detection Using User Intent Leak Tracing and Frequent Episode Rule Mining (基於使用者意圖追蹤與事件探勘之Android SMS木馬惡意程式偵測)
Advisor: Hahn-Ming Lee (李漢銘)
Oral defense committee: Albert B. Jeng (鄭博仁), Hsiao-Rong Tyan (田筱榮), Wei-Chung Teng (鄧惟中), Hong-Yuan Liao (廖弘源)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2014
Graduation academic year: 102
Language: English
Number of pages: 77
Keywords (Chinese): SMS Trojan, Android malware, smartphone, SMS charging, static analysis, frequent episode mining, intent tracing
Keywords (English): SMS Trojans, SMS malware, Premium-Rate fraud, Frequent Episode Rule Mining
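  • Thanks to the development of smartphones, the Android system and the number of related apps have grown very quickly, giving people convenience in mobile communication. However, because smartphones also incorporate traditional phone functions, malware can send SMS messages to subscribe to services without the user's knowledge, causing the user financial loss.
    This study proposes an Android SMS Trojan malware detection mechanism based on user intent tracing and event mining. The mechanism consists of two parts, "user intent tracing" and "event mining". User intent is mainly used to determine whether any API call runs without the user's knowledge. By tracing the use of API calls and analyzing whether user intent is present, event sequences are produced, and event mining techniques are then used to obtain the most frequent attack episodes from those event sequences.
    This study uses the above mechanism to design a system, "SMSDroidCare". It first uses reverse engineering to extract a program's API call usage information, then traces the use of API calls and analyzes whether user intent is present. Event sequence types are defined from a prior analysis of how SMS Trojan malware sends SMS messages without authorization to subscribe to paid services, and the matching event sequences that are produced are mined with frequent episode mining to obtain the most frequent episode rule patterns. In our experiments, we show that by considering user intent and API call usage, the results of frequent episode rule pattern mining can identify and detect malicious SMS premium service subscription behavior and improve the accuracy of current SMS Trojan malware detection.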


    Due to the development of smartphones, the number of Android-based applications has expanded quite rapidly, which offers people the convenience of mobile communications. Short message service (SMS) is a basic communication component and one of the most frequently used services on mobile phones, so malware can send messages to subscribe to premium services without the user's awareness, causing financial charges.
    This study proposes user intent leak tracing and frequent episode rule mining to provide a static analysis for detecting Android SMS Trojan malware. A user intent leak indicates that a sensitive function call is performed without the user's awareness, and it can be traced in API call usage to produce event sequences. These event sequences can then be used in frequent episode rule mining to find the frequent episode patterns, also called frequent attack episode patterns.
    Moreover, this paper leverages the proposed mechanism to develop a system named SMSDroidCare. First, API call usage information is extracted from SMS Trojan malware or benign apps using a reverse engineering tool. Then, the user intent leak flow that occurs in API call usage is traced to produce the event sequences, with event types pre-defined according to how Android SMS premium-rate fraud works. Next, frequent episode rules are mined from the event sequences, which identifies meaningful attack rule patterns. Finally, these rule patterns are used to determine whether the application is malicious or not and to detect malicious SMS premium-rate fraud behavior.
    In the experiments, we demonstrate that SMS Trojan malware can be detected by considering user intent leak. In addition, our proposed method can improve the detection rate for SMS Trojan malware.

    Abstract
    Acknowledgements
    Chapter 1 Introduction
      1.1 Motivations
      1.2 Challenges and Goals
      1.3 Contributions
      1.4 The Outline of Thesis
    Chapter 2 Background and Related Work
      2.1 Overview of Android
        2.1.1 Android Components
        2.1.2 Android Activity Lifecycle
        2.1.3 Intent and Intent-Filter
      2.2 Reverse Engineering of Malware on Android
      2.3 SMS Attack Malware
        2.3.1 Characteristics of SMS Attack
        2.3.2 Characteristics of Android Malware
        2.3.3 Premium Rate Fraud for SMS Trojan Malware
      2.4 Malware Detection Techniques
      2.5 Frequent Episode Rule Mining
    Chapter 3 User Intent Leak and Frequent Episode Rule Mining for Android SMS Trojan Detection
      3.1 The Concept of SMS Trojan Detection
      3.2 The System Architecture of SMS Trojan Detection
      3.3 Event Producer
        3.3.1 Reverse Engineering
        3.3.2 User Intent Leak Tracing
        3.3.3 Event Type Definition
        3.3.4 Event Sequence Producing
      3.4 Episode Rule Pattern Generation
        3.4.1 Generating Candidate Episode Sets
        3.4.2 Generating Frequent Episode Rules
      3.5 Android SMS Trojan Malware Pattern Finding
      3.6 Approach Discussion
        3.6.1 Approach Characteristics
        3.6.2 Approach Limitations
    Chapter 4 Experiments
      4.1 Experiment Design and Dataset
        4.1.1 Experiment Concept and Description
        4.1.2 Datasets
      4.2 The Parameters for Frequent Episode Rule Mining Analysis
      4.3 Evaluation Metrics
      4.4 Effectiveness Analysis
        4.4.1 Effectiveness Comparison with Mobile Anti-Virus Software and SMSDroidCare
        4.4.2 Effectiveness Comparison between AVG and SMSDroidCare
      4.5 Pattern Comparison between SMS Malware Family
      4.6 Experiment Discussion
        4.6.1 False Detection Analysis
        4.6.2 Limitations
    Chapter 5 Conclusions and Further Work
      5.1 Conclusions
      5.2 Further Work
    References
    Appendix A - SMS-Related Benign App List


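    Full-text release date: 2019/01/23 (campus network)
    Full-text release date: full text not authorized for public release (off-campus network)
    Full-text release date: full text not authorized for public release (National Central Library: Taiwan master's and doctoral thesis system)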