5/22/2012
02:21 PM

Researchers 'Map' Android Malware Genome

New initiative promotes sharing of Android malware research worldwide, beefing up mobile anti-malware tools

Researchers at NC State today announced the Android Malware Genome Project, a malware-sharing initiative aimed at encouraging more collaboration on this new generation of malware to chart its characteristics and evolution in order to better defend against it.

Xuxian Jiang, the mastermind behind the Android Malware Genome Project, says defenses against this malware today are hampered by the lack of efficient access to samples, as well as a limited understanding of the various malware families targeting Android. The goal is to establish a better way of sharing malware samples and analysis, and to develop better tools to fight it, he says.

"Basically, at this stage we want to open up first our current collection of Android malware samples and make them available to the research community. The purpose is to engage the research community to better our understanding of mobile threats and develop effective solutions against them," says Jiang, who is assistant professor of computer science at North Carolina State University. Jiang says his team is still in the process of fully mapping the genomes of Android malware families.

NC State has sent its malware research and data to several universities, research labs, and vendors thus far via the new Android Malware Genome Project, including Purdue University; University of Michigan; University of California, Riverside; Northwestern University; Fudan University in China; Texas A&M University; University of Louisiana at Lafayette; Beijing Jiaotong University in China; University of California, Berkeley; University of Texas at Dallas; Vienna University of Technology, Austria; VU University Amsterdam, The Netherlands; University of Washington; NQ Mobile, USA/China; and Mobile Defense.

To avoid abuse of the data, Jiang says NC State won't merely post the data online without vetting users. "Instead, we will have some sort of authentication mechanism in place to verify user identity or require necessary justification, if necessary," he says.

Mobile security experts long have lobbied for learning from mistakes in the PC malware world, and taking a different approach to detect and quash mobile malware. Tyler Shields, senior security researcher at Veracode, says the NC State project demonstrates how academia is trying to avoid the mistakes of the past with malware research.

"They are trying to do what hasn't been done in the traditional AV world because AV vendors make money by keeping their [research] private. They are to some degree incented not to share their data," Shields says. "Academia says we have data and we are not incented to hold it secret -- which is great."

Shields says the project initially appears mostly to be NC State sharing its findings and work. The work of categorizing and enumerating all Android malware for trending was done to a degree in the PC world, he says, but not in such a public way as NC State is doing with the Android Malware Genome Project. "That's the real value these guys bring: attempting to do it in a public way," he says.


NC State has collected more than 1,200 Android malware samples during the past couple of years, including DroidKungFu and GingerMaster, and will share this malware code with Genome Project participants. Jiang was in San Francisco today at the IEEE Symposium on Security and Privacy, where he announced the new program and presented NC State's latest Android malware research, which focuses on the characterization and mapping of the various families of malware -- by installation methods, activation mechanisms, as well as their payloads.

Jiang and his team tested four mobile security platforms and found that, at best, they catch 79.6 percent of Android malware and, at worst, 20.2 percent. That confirmed concerns that today's methods of detecting mobile malware aren't sufficient, according to the research.

More than 85 percent of Android malware samples repackage legitimate apps with their malicious payloads, and 93 percent have bot-like functionality. Nearly 37 percent include platform-level exploits for privilege escalation, according to the NC State research.

Whether the project will result in better anti-malware technology for the mobile space has yet to be determined, but that's the hope of Jiang and his team. "Previous experiences indicate that the study of how malware evolves is helpful to even predict what kind of malware we may expect in the future," he says. "Such insights should be needed to proactively better develop mobile security apps and protect users."

And whether mobile security vendors will be willing to share their own research is unclear. "I just hope this can motivate the data sharing among existing security vendors. Eventually, users or customers can benefit from them," Jiang says.

Veracode's Shields says the mobile industry can and should flip the traditional model of known-threat-only, signature-based detection that came out of the PC world in order to get a leg up on mobile threats. "If we use those traditional models, we will never catch up," Shields says.

Mobile technology has a few different features that could help, too, he notes, such as permissioning and sandboxing. "Those are things that could be used to augment the success rate and detection rate and heuristic applicability," he says.
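The NC State characterization groups samples by installation method (repackaging), activation mechanism and payload, and Shields points to permissioning as a signal that detection could lean on. The following is an added example, not code from the Android Malware Genome Project, NC State, or Veracode: a static triage pass over a decoded AndroidManifest.xml that reports the risky permissions an app requests and the broadcast receivers it registers for system events that would let it activate without the user opening it. The two sample manifests are constructed for illustration, the permission and action lists are this example's own assumptions about what is worth flagging, and the flagging rule is a deliberately simple threshold rather than anything from the research. Repackaging detection (comparing against the legitimate app's signing certificate) is out of scope here.

```python
"""Static triage of an Android manifest by permissions and activation receivers.

Added example; assumes the manifest has already been pulled from the APK and
decoded to plain XML (for instance with apktool or aapt). Sample manifests
below are constructed, not real malware.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree's key for android:name

# Permissions commonly tied to SMS-fraud and bot-style payloads (assumed list).
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.READ_PHONE_STATE",
}

# System broadcasts a receiver can listen for to wake the app without any
# user launch, i.e. activation mechanisms (assumed list).
ACTIVATION_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
    "android.intent.action.NEW_OUTGOING_CALL",
    "android.intent.action.USER_PRESENT",
}


def triage_manifest(xml_text):
    """Return a dict describing risky permissions and activation receivers."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    risky = sorted(requested & RISKY_PERMISSIONS)

    receivers = []
    for receiver in root.iter("receiver"):
        # Every <action> under the receiver's <intent-filter> elements.
        actions = {a.get(NAME_ATTR) for a in receiver.iter("action")}
        hits = actions & ACTIVATION_ACTIONS
        if hits:
            receivers.append((receiver.get(NAME_ATTR), sorted(hits)))

    # Simple assumed rule: two or more risky permissions plus at least one
    # receiver that fires on a system event is worth a closer look.
    flagged = len(risky) >= 2 and bool(receivers)
    return {
        "package": package,
        "risky_permissions": risky,
        "activation_receivers": receivers,
        "flagged": flagged,
    }


# Constructed sample: a "puzzle game" carrying an SMS payload that starts at boot.
SAMPLE_SUSPICIOUS = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Puzzle">
    <activity android:name="com.example.puzzle.MainActivity"/>
    <receiver android:name="com.example.puzzle.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: the same game without the extra permissions or receiver.
SAMPLE_BENIGN = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Puzzle">
    <activity android:name="com.example.puzzle.MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, triage_manifest(manifest))
```

A manifest-only pass like this is cheap enough to run over every sample in a corpus and gives a first sort by activation mechanism before any dynamic analysis; it says nothing about code reachability, so a flagged result is a prioritization hint, not a verdict.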

The full research paper is available here for download.


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
