Top Android AV software fooled by common evasion techniques
Posted on 03 May 2013.
A team of researchers from Northwestern University and North Carolina State University has tested ten of the most popular Android anti-virus products and discovered that all of them can be fooled by common code obfuscation techniques.

To evaluate the software, they created DroidChameleon, a systematic framework that automatically applies a number of transformation techniques - some common for PC malware, and others highly specific to the Android platform - to Android applications.

"Based on the framework, we pass known malware samples (from different families) through these transformations to generate new variants of malware, which are verified to possess the originals' malicious functionality," they explained.

Armed with these samples, they tested the effectiveness of mobile AV solutions by AVG, Symantec, Lookout, ESET, Dr. Web, Kaspersky, Trend Micro, ESTSoft, Zoner, and Webroot, and they were unpleasantly surprised that even those products that the companies claimed were able to detect malware transformations were, in fact, not working as they should.

"Many of them may even succumb to trivial transformations such as repacking that do not involve any code-level transformation," the researchers pointed out.

Other transformations included renaming the package, files or identifiers; encrypting native exploits or payloads, strings and array data; reordering the code; inserting junk code; and call indirection.

The project and the testing took one year to complete, and during that period the AV solutions were tested repeatedly. Some of them were improved during that time, and their manufacturers turned more towards content-based signatures. Unfortunately, this made the researchers' efforts to bypass them only a little bit harder, but still unchallenging, and polymorphic malware still passed through in the great majority of cases.
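
To illustrate why repacking alone changes a signature keyed to the whole file, and what a content-based signature does differently, here is an added example (not from the researchers' paper or any vendor's product). It assumes repacking means re-zipping the same entries with a different layout and new signing metadata; the sample entries, function names and fingerprint scheme are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Constructed stand-ins for APK entries; not real app code.
SAMPLE_ENTRIES = {
    "classes.dex": b"dex\n035\x00" + b"constructed-bytecode" * 64,
    "AndroidManifest.xml": b"<manifest package='com.example.sample'/>",
    "res/raw/data.bin": bytes(range(256)),
}


def build_archive(entries, compression):
    """Pack entries into a ZIP (the APK container) in dict order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            # Fixed timestamp so only layout and signing metadata vary.
            info = zipfile.ZipInfo(name, date_time=(2013, 5, 3, 0, 0, 0))
            info.compress_type = compression
            zf.writestr(info, data)
    return buf.getvalue()


def file_hash(apk_bytes):
    """Whole-file digest: changes with any repacking of the container."""
    return hashlib.sha256(apk_bytes).hexdigest()


def content_fingerprint(apk_bytes, skip_prefixes=("META-INF/",)):
    """Digest of sorted (entry name, content hash) pairs; ignores order,
    compression and signing metadata, but not code-level changes."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if name.startswith(skip_prefixes):
                continue
            h.update(name.encode() + b"\0")
            h.update(hashlib.sha256(zf.read(name)).digest())
    return h.hexdigest()


original = build_archive(SAMPLE_ENTRIES, zipfile.ZIP_DEFLATED)
# Same entries in reverse order, stored uncompressed, with a new signing entry.
resigned = dict(reversed(list(SAMPLE_ENTRIES.items())))
resigned["META-INF/CERT.RSA"] = b"constructed-signature-block"
repacked = build_archive(resigned, zipfile.ZIP_STORED)
```

The two archives have different whole-file hashes but the same content fingerprint. Any change to an entry's bytes changes the fingerprint, which is why a signature of this kind still misses variants whose code has been transformed.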

The paper they published about their research is an interesting read, and also contains several suggestions on how the problem might be solved.

