
02:21 PM
Researchers 'Map' Android Malware Genome

New initiative promotes sharing of Android malware research worldwide, beefing up mobile anti-malware tools

Researchers at NC State today announced the Android Malware Genome Project, a malware-sharing initiative aimed at encouraging more collaboration on this new generation of malware to chart its characteristics and evolution in order to better defend against it.

Xuxian Jiang, the mastermind behind the Android Malware Genome Project, says defenses against this malware today are hampered by the lack of efficient access to samples, as well as a limited understanding of the various malware families targeting Android. The goal is to establish a better way of sharing malware samples and analysis, and to develop better tools to fight it, he says.

"Basically, at this stage we want to open up first our current collection of Android malware samples and make them available to the research community. The purpose is to engage the research community to better our understanding of mobile threats and develop effective solutions against them," says Jiang, who is assistant professor of computer science at North Carolina State University. Jiang says his team is still in the process of fully mapping the genomes of Android malware families.

NC State has sent its malware research and data to several universities, research labs, and vendors thus far via the new Android Malware Genome Project, including Purdue University; University of Michigan; University of California, Riverside; Northwestern University; Fudan University in China; Texas A&M University; University of Louisiana at Lafayette; Beijing Jiaotong University in China; University of California, Berkeley; University of Texas at Dallas; Vienna University of Technology, Austria; VU University Amsterdam, The Netherlands; University of Washington; NQ Mobile, USA/China; and Mobile Defense.

To avoid abuse of the data, Jiang says NC State won't merely post the data online without vetting users. "Instead, we will have some sort of authentication mechanism in place to verify user identity or require necessary justification, if necessary," he says.

Mobile security experts long have lobbied for learning from mistakes in the PC malware world, and taking a different approach to detect and quash mobile malware. Tyler Shields, senior security researcher at Veracode, says the NC State project demonstrates how academia is trying to avoid the mistakes of the past with malware research.

"They are trying to do what hasn't been done in the traditional AV world because AV vendors make money by keeping their [research] private. They are to some degree incented not to share their data," Shields says. "Academia says we have data and we are not incented to hold it secret -- which is great."

Shields says the project initially appears mostly to be NC State sharing its findings and work. The work of categorizing and enumerating all Android malware for trending was done to a degree in the PC world, he says, but not in such a public way as NC State is doing with the Android Malware Genome Project. "That's the real value these guys bring: attempting to do it in a public way," he says.


NC State has collected more than 1,200 Android malware samples during the past couple of years, including DroidKungFu and GingerMaster, and will share this malware code with Genome Project participants. Jiang was in San Francisco today at the IEEE Symposium on Security and Privacy, where he announced the new program and presented NC State's latest Android malware research, which focuses on the characterization and mapping of the various families of malware -- by installation methods, activation mechanisms, as well as their payloads.

Jiang and his team tested four mobile security platforms and found that, at best, they catch 79.6 percent of Android malware and, at worst, 20.2 percent. That confirmed concerns that today's methods of detecting mobile malware aren't sufficient, according to the research.

More than 85 percent of Android malware samples repackage legitimate apps with their malicious payloads, and 93 percent have bot-like functionality. Nearly 37 percent include platform-level exploits for privilege escalation, according to the NC State research.

Whether the project will result in better anti-malware technology for the mobile space has yet to be determined, but that's the hope of Jiang and his team. "Previous experiences indicate that the study of how malware evolves is helpful to even predict what kind of malware we may expect in the future," he says. "Such insights should be needed to proactively better develop mobile security apps and protect users."

And whether mobile security vendors will be willing to share their own research is unclear. "I just hope this can motivate the data sharing among existing security vendors. Eventually, users or customers can benefit from them," Jiang says.

Veracode's Shields says the mobile industry can and should flip the traditional model of known-threat-only, signature-based detection that came out of the PC world in order to get a leg up on mobile threats. "If we use those traditional models, we will never catch up," Shields says.

Mobile technology has a few different features that could help, too, he notes, such as permissioning and sandboxing. "Those are things that could be used to augment the success rate and detection rate and heuristic applicability," he says.

The full research paper is available here for download.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
