Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

02:21 PM
Connect Directly

Researchers 'Map' Android Malware Genome

New initiative promotes sharing of Android malware research worldwide, beefing up mobile anti-malware tools

Researchers at NC State today announced the Android Malware Genome Project, a malware-sharing initiative aimed at encouraging more collaboration on this new generation of malware to chart its characteristics and evolution in order to better defend against it.

Xuxian Jiang, the mastermind behind the Android Malware Genome Project, says defenses against this malware today are hampered by the lack of efficient access to samples, as well as a limited understanding of the various malware families targeting the Android. The goal is to establish a better way of sharing malware samples and analysis, and developing better tools to fight it, he says.

"Basically, at this stage we want to open up first our current collection of Android malware samples and make them available to research community. The purpose is to engage the research community to better our understanding of mobile threats and develop effective solutions against them," says Jiang, who is assistant professor of computer science at North Carolina State University. Jiang says his team is still in the process of fully mapping the genomes of Android malware families.

NC State has sent its malware research and data to several universities, research labs, and vendors thus far via the new Android Malware Genome Project, including Purdue University; University of Michigan; University of California, Riverside; Northwestern University; Fudan University in China; Texas A&M University; University of Louisiana at Lafayette; Beijing Jiaotong University in China; University of California, Berkeley; University of Texas at Dallas; Vienna University of Technology, Austria; VU University Amsterdam, The Netherlands; University of Washington; NQ Mobile, USA/China; and Mobile Defense.

To avoid abuse of the data, Jiang says NC State won't merely post the data online without vetting users. "Instead, we will have some sort of authentication mechanism in place to verify user identity or require necessary justification, if necessary," he says.

Mobile security experts long have lobbied for learning from mistakes in the PC malware world, and taking a different approach to detect and quash mobile malware. Tyler Shields, senior security researcher at Veracode, says the NC State project demonstrates how academia is trying to avoid the mistakes of the past with malware research.

"They are trying to do what hasn't been done in the traditional AV world because AV vendors make money by keeping their [research] private. They are to some degree incented not to share their data," Shields says. "Academia says we have data and we are not incented to hold it secret -- which is great."

Shield says the Project initially appears mostly to be NC State sharing its findings and work. The work of categorizing and enumerating all Android malware for trending was done to a degree in the PC world, he says, but not in such a public way as NC State is doing with the Android Malware Genome Project. "That's the real value these guys bring: attempting to do it in a public way," he says.

[ Some of the most compelling evidence over the past year shows mobile malware has bridged the gap from theoretical to practical. See 6 Discoveries That Prove Mobile Malware's Mettle. ]

NC State has collected more than 1,200 Android malware samples during the past couple of years, including DroidKungFu and GingerMaster, and will share this malware code with Genome Project participants. Jiang was in San Francisco today at the IEEE Symposium on Security and Privacy, where he announced the new program and presented NC State's latest Android malware research, which focuses on the characterization and mapping of the various families of malware -- by installation methods, activation mechanisms, as well as their payloads.

Jiang and his team tested four mobile security platforms and found that, at best, they catch 79.6 percent of Android malware and, at worst, 20.2 percent. That confirmed concerns that today's methods of detecting mobile malware aren't sufficient, according to the research.

More than 85 percent of Android malware samples repackage legitimate apps with their malicious payloads, and 93 percent have bot-like functionality. Nearly 37 percent include platform-level exploits for privilege escalation, according to the NC State research.

Whether the project will result in better anti-malware technology for the mobile space has yet to be determined, but that's the hope of Jiang and his team. "Previous experiences indicate that the study of how malware evolves is helpful to even predict what kind of malware we may expect in the future," he says. "Such insights should be needed to proactively better develop mobile security apps and protect users."

And whether mobile security vendors will be willing to share their own research is unclear. "I just hope this can motivate the data sharing among existing security vendors. Eventually, users or customers can benefit from them," Jiang says.

Veracode's Shields says the mobile industry can and should flip the traditional model of known-threat-only, signature-based detection that came out of the PC world in order to get a leg up on mobile threats. "If we use those traditional models, we will never catch up," Shields says.

Mobile technology has a few different features that could help, too, he notes, such as permissioning and sandboxing. "Those are things that could be used to augment the success rate and detection rate and heuristic applicability," he says.

The full research paper is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-21
Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data from the openemr database via a non-parameterized INSERT INTO statement, as demonstrated by the providerID parameter.
PUBLISHED: 2019-10-21
The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion.
PUBLISHED: 2019-10-21
In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a ...
PUBLISHED: 2019-10-21
In FusionPBX up to 4.5.7, the file app\fifo_list\fifo_interactive.php uses an unsanitized "c" variable coming from the URL, which is reflected in HTML, leading to XSS.
PUBLISHED: 2019-10-21
In FusionPBX up to 4.5.7, the file app\contacts\contact_times.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.