Mobile AV Apps Fail To Detect Disguised Malware

Researchers test popular mobile antivirus apps on ability to detect repackaged, transformed versions of known Android malware

Ten of the top commercial Android antivirus software products were beaten by common malware obfuscation methods, according to new research.

Researchers from Northwestern University and North Carolina State University for one year tested popular mobile AV apps for Android on their ability to detect malware that uses evasion techniques, such as changing up the code or morphing a malware sample. Polymorphism can be as simple as changing the order of the code and data files or just renaming the file, or as complex as changing the appearance of the code but not its behavior.

The researchers -- Yan Chen and Vaibhav Rastogi of Northwestern and Xuxian Jiang of NC State -- used a homegrown prototype malware obfuscation/transformation tool called DroidChameleon in their experiment, which ran from February 2012 until February 2013. The tool automatically transformed known Android malware families, including DroidDream, Geinimi, Fakeplayer, Bserv, BaseBridge, and Plankton, to test the mettle of the AV programs.

The bad news: The researchers were able to cheat all of the AV products they tested, including AVG Antivirus, Symantec Norton Mobile Security, Lookout Mobile Security, ESET Mobile Security, Dr. Web AntiVirus Light, Kaspersky Mobile Security, Trend Micro Security Personal Ed, ESTSoft ALYac Android, Zoner Antivirus Free, and Webroot Security & Antivirus.

The good news is that the tools appear to be getting better at detecting malware that uses basic transformation/obfuscation techniques, such as repacking or reassembling the malware (unzipping and rezipping it, for example). These methods don't change the code, just the packaging. In 2012, 45 percent of the AV signatures failed to detect malware that used such basic transformation techniques, but this year only 16 percent of them have missed "trivially" transformed malware samples so far, the researchers say.

"There are some things that vendors could improve, and there also are some fundamental problems with [their] resilience [against] these [polymorphic malware] attacks," says Chen, associate professor in electrical engineering and computer science at Northwestern. "We have seen dramatic improvement for the past year" in detecting malware with rudimentary transformation.

"The result that we have here certainly indicates improvement: Anti-malware tools do not succumb as frequently to such trivial transformations. However, this is far from good. As long as anti-malware tools continue to use content-based signatures, evading them is really easy," Chen says.

Today's mobile AV signatures are based on byte patterns in the malware, and malware writers can easily evade AV tools by changing those bytes, according to the researchers. Some 90 percent of the malware signatures studied by the researchers don't use static analysis of the byte-level code. Dr. Web was the only AV product employing static analysis, they say.

"The main problem with such signatures is that they are based on patterns of bytes in the malware. These bytes can, however, easily be changed without altering the functionality. Another way to say this is there could be many differently written pieces of program code that all do the same thing," Chen says. AV technology must evolve to semantics-based detection, which analyzes the functionality in an app.
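The following is an added example, not code from the article, the paper or the DroidChameleon tool, that makes the two preceding points concrete from the detection side. It packs a constructed stand-in for an app (placeholder bytes, not real malware) into an in-memory zip, then produces the two trivially transformed variants the researchers describe: an unzip/rezip repack (different entry order, compression method and timestamps) and a plain rename of one entry. A whole-file byte fingerprint, standing in for the byte-pattern signatures the article says most tools rely on, no longer matches either variant; a fingerprint over the unpacked, sorted entry contents still does. All entry names, contents and function names are assumptions made for the example.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for an app package (not real malware): the code file and
# resources that a repackaged copy would carry over byte-for-byte.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='example.constructed'/>",
    "classes.dex": b"dex\n035\x00" + b"CONSTRUCTED-CODE-BYTES" * 4,
    "res/raw/config.txt": b"server=example.invalid\n",
}


def build_archive(entries, order, compression, timestamp):
    """Pack entries into an in-memory zip with a chosen entry order,
    compression method and timestamp. These are packaging choices: they
    change the archive's bytes while every unpacked entry stays identical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = compression
            zf.writestr(info, entries[name])
    return buf.getvalue()


def file_hash_signature(archive_bytes):
    """Whole-file fingerprint over the raw archive bytes: the byte-pattern
    style of signature the article says most mobile AV tools relied on."""
    return hashlib.sha256(archive_bytes).hexdigest()


def normalized_signature(archive_bytes):
    """Fingerprint over the unpacked entry contents, sorted, so that entry
    order, compression method, timestamps and entry names no longer matter."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        digests = sorted(hashlib.sha256(zf.read(n)).digest() for n in zf.namelist())
    h = hashlib.sha256()
    for d in digests:
        h.update(d)
    return h.hexdigest()


def variants():
    """Return the original archive and two trivially transformed copies."""
    original = build_archive(
        SAMPLE_ENTRIES,
        ["AndroidManifest.xml", "classes.dex", "res/raw/config.txt"],
        zipfile.ZIP_DEFLATED, (2012, 2, 1, 0, 0, 0),
    )
    # Unzip/rezip: same entries, reversed order, stored instead of deflated, new timestamp.
    repacked = build_archive(
        SAMPLE_ENTRIES,
        ["res/raw/config.txt", "classes.dex", "AndroidManifest.xml"],
        zipfile.ZIP_STORED, (2013, 2, 1, 0, 0, 0),
    )
    # Rename: one resource entry gets a new name; its bytes are untouched.
    renamed_entries = dict(SAMPLE_ENTRIES)
    renamed_entries["res/raw/settings.txt"] = renamed_entries.pop("res/raw/config.txt")
    renamed = build_archive(
        renamed_entries,
        ["AndroidManifest.xml", "classes.dex", "res/raw/settings.txt"],
        zipfile.ZIP_DEFLATED, (2012, 2, 1, 0, 0, 0),
    )
    return original, repacked, renamed


def compare_signatures():
    """Check whether each signature style still matches after each transformation."""
    original, repacked, renamed = variants()
    return {
        "file_hash_survives_repack": file_hash_signature(original) == file_hash_signature(repacked),
        "file_hash_survives_rename": file_hash_signature(original) == file_hash_signature(renamed),
        "normalized_survives_repack": normalized_signature(original) == normalized_signature(repacked),
        "normalized_survives_rename": normalized_signature(original) == normalized_signature(renamed),
    }


if __name__ == "__main__":
    for check, result in compare_signatures().items():
        print(f"{check}: {result}")
```

The two "file_hash" checks come out false and the two "normalized" checks true. The normalization shown here only absorbs packaging-level changes, which is the class of transformation the article says tools have improved against; a transformation that rewrites the code itself while preserving its behavior changes the unpacked bytes as well, and no byte-level fingerprint survives that, which is the gap the researchers say semantics-based detection has to fill.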

But at least one mobile vendor contends that the experiment by Northwestern and NC State doesn't reflect real-world threats.

"These recent test results are not representative of the current threat landscape that Symantec customers would be exposed to. For example, Norton Mobile Security protects against real-world threats that are known to alter their code, and these threats were not used in the test," a Symantec spokesperson says. "Symantec constantly researches potential future advancements in attacker strategies and continually monitors the threat landscape, evaluating and evolving our protection capabilities for our mobile products to protect customers accordingly."

Tim Wyatt, director of security engineering for Lookout, says the research demonstrates the challenges of securing mobile devices today, noting that the research focuses on the endpoint piece of the puzzle.

"The testing performed by Northwestern/NC State confirms what we already know: Detection of unknown and/or highly customized malware is a challenge for traditional endpoint security. This challenge is magnified by the constraints of mobile platforms," Wyatt says. "This study focused on the endpoint side of the problem, and we believe that a comprehensive approach to addressing these challenges combines presence on the endpoint with powerful back-end analysis and continuous monitoring of endpoint health."


Mobile malware, meanwhile, is skyrocketing: According to a recent report by NQ Mobile, more than 65,000 mobile malware threats were discovered in 2012, a 163 percent increase from the previous year. And 95 percent of the malware was exploiting the Android operating system, either via application repackaging, malicious URLs, or SMS phishing, a.k.a. SMiShing.

The malware boom resulted in some 32.8 million Androids getting infected in 2012, a 200 percent increase from 2011.

NC State's Jiang says mobile security is evolving, and it's not just an AV issue. "Users need to be cautious about what kind of app they download. A centralized [and authorized] app store is one way to mitigate this threat, [as is] static analysis," he says. "Malware mostly [comes] through app stores."

Google's Bouncer scanning of apps is a good step, he says, as well as next-generation mobile security features, such as sandboxing. Samsung, for example, has developed the KNOX partitioning feature for sandboxing apps, which could help better lock down mobile devices, Jiang says.

But the "stock" Android OS does not allow AV products the appropriate privileges to perform behavioral monitoring of code, Chen notes. "Smartphone manufacturers can certainly add their own features to secure mobile devices," he says. "The highest impact however, in my opinion, would be when Android, as developed by Google, itself had these security features. Then, every Android device, regardless of the vendor, would have such features. There are steps being made in this direction: SELinux additions in Android 4.2 are an example of this."

The researchers say they hope their findings spur improvement in mobile malware detection. Their goal wasn't to call out the best AV solutions, they say, and their research didn't cover signature database coverage or resource use on the phones, or SMS spam-filtering or lost device functions. "Evaluating these functionalities remains beyond the scope of this paper," they wrote in their paper "Evaluating Android Anti-malware Against Transformation Attacks," which is available for download as a PDF.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
5/1/2013 | 2:05:32 PM
re: Mobile AV Apps Fail To Detect Disguised Malware
Great report, but why the surprise? Trend Micro, Symantec and others were predicting the exponential growth of Android malware when it was at 400% a month over a year ago. I have been advised directly by Google executives and also seen it declared publicly that "Google have no plans to secure the Android OS". As an open Unix derivative it is insecurable without help from the underlying hardware. AV products have to be installed and secured to the device features before the device attaches to the App store... Intel's mobile Android implementation has McAfee security on board (they acquired McAfee) but it is not turned on because "nobody is interested in security". The function of most of this malware is to collect personal data for organised criminals to use for targeted attacks or access privileged accounts. Malware is only one of many vulnerabilities (location and context tracking, DLNA in the home, watermarked JPEG files, social networking, vendor "spyware", augmented reality, etc. etc.)

We need to make these phones safe "out of the box" and raise awareness as soon as possible.
User Rank: Apprentice
4/30/2013 | 8:11:12 PM
re: Mobile AV Apps Fail To Detect Disguised Malware
Definitely unsettling, but I still think the threat of mobile malware is blown out of proportion. App storefronts and ad networks are really stepping up to filter apps and ads and rid them of malware before they reach our phones. Do some get past these filters? Yes. But for the most part, mobile users are NOT facing imminent danger. From Google Play to Airpush, the war against malware isn't being lost - http://blog.airpush.com/how-ai...
User Rank: Apprentice
4/30/2013 | 3:37:46 AM
re: Mobile AV Apps Fail To Detect Disguised Malware
In order to stay safe from these kinds of serious problems, it's good to go with a good AV for mobile too. I presently use CMS (Comodo Mobile Security), which is very safe and secure in safeguarding my mobile from any internet attacks!