Researchers 'Map' Android Malware Genome
New initiative promotes sharing of Android malware research worldwide, beefing up mobile anti-malware tools
Researchers at NC State today announced the Android Malware Genome Project, a malware-sharing initiative aimed at encouraging more collaboration on this new generation of malware to chart its characteristics and evolution in order to better defend against it.
Xuxian Jiang, the mastermind behind the Android Malware Genome Project, says defenses against this malware today are hampered by the lack of efficient access to samples, as well as a limited understanding of the various malware families targeting the Android. The goal is to establish a better way of sharing malware samples and analysis, and developing better tools to fight it, he says.
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
- Top Big Data Security Tips and Ultimate Protection for Enterprise Data
- Client Windows Migration: Expert Tips for Application Readiness
"Basically, at this stage we want to open up first our current collection of Android malware samples and make them available to research community. The purpose is to engage the research community to better our understanding of mobile threats and develop effective solutions against them," says Jiang, who is assistant professor of computer science at North Carolina State University. Jiang says his team is still in the process of fully mapping the genomes of Android malware families.
NC State has sent its malware research and data to several universities, research labs, and vendors thus far via the new Android Malware Genome Project, including Purdue University; University of Michigan; University of California, Riverside; Northwestern University; Fudan University in China; Texas A&M University; University of Louisiana at Lafayette; Beijing Jiaotong University in China; University of California, Berkeley; University of Texas at Dallas; Vienna University of Technology, Austria; VU University Amsterdam, The Netherlands; University of Washington; NQ Mobile, USA/China; and Mobile Defense.
To avoid abuse of the data, Jiang says NC State won't merely post the data online without vetting users. "Instead, we will have some sort of authentication mechanism in place to verify user identity or require necessary justification, if necessary," he says.
Mobile security experts long have lobbied for learning from mistakes in the PC malware world, and taking a different approach to detect and quash mobile malware. Tyler Shields, senior security researcher at Veracode, says the NC State project demonstrates how academia is trying to avoid the mistakes of the past with malware research.
"They are trying to do what hasn't been done in the traditional AV world because AV vendors make money by keeping their [research] private. They are to some degree incented not to share their data," Shields says. "Academia says we have data and we are not incented to hold it secret -- which is great."
Shield says the Project initially appears mostly to be NC State sharing its findings and work. The work of categorizing and enumerating all Android malware for trending was done to a degree in the PC world, he says, but not in such a public way as NC State is doing with the Android Malware Genome Project. "That's the real value these guys bring: attempting to do it in a public way," he says.
[ Some of the most compelling evidence over the past year shows mobile malware has bridged the gap from theoretical to practical. See 6 Discoveries That Prove Mobile Malware's Mettle. ]
NC State has collected more than 1,200 Android malware samples during the past couple of years, including DroidKungFu and GingerMaster, and will share this malware code with Genome Project participants. Jiang was in San Francisco today at the IEEE Symposium on Security and Privacy, where he announced the new program and presented NC State's latest Android malware research, which focuses on the characterization and mapping of the various families of malware -- by installation methods, activation mechanisms, as well as their payloads.
Jiang and his team tested four mobile security platforms and found that, at best, they catch 79.6 percent of Android malware and, at worst, 20.2 percent. That confirmed concerns that today's methods of detecting mobile malware aren't sufficient, according to the research.
More than 85 percent of Android malware samples repackage legitimate apps with their malicious payloads, and 93 percent have bot-like functionality. Nearly 37 percent include platform-level exploits for privilege escalation, according to the NC State research.
Whether the project will result in better anti-malware technology for the mobile space has yet to be determined, but that's the hope of Jiang and his team. "Previous experiences indicate that the study of how malware evolves is helpful to even predict what kind of malware we may expect in the future," he says. "Such insights should be needed to proactively better develop mobile security apps and protect users."
And whether mobile security vendors will be willing to share their own research is unclear. "I just hope this can motivate the data sharing among existing security vendors. Eventually, users or customers can benefit from them," Jiang says.
Veracode's Shields says the mobile industry can and should flip the traditional model of known-threat-only, signature-based detection that came out of the PC world in order to get a leg up on mobile threats. "If we use those traditional models, we will never catch up," Shields says.
Mobile technology has a few different features that could help, too, he notes, such as permissioning and sandboxing. "Those are things that could be used to augment the success rate and detection rate and heuristic applicability," he says.
The full research paper is available here for download.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.