Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

02:21 PM
Connect Directly

Researchers 'Map' Android Malware Genome

New initiative promotes sharing of Android malware research worldwide, beefing up mobile anti-malware tools

Researchers at NC State today announced the Android Malware Genome Project, a malware-sharing initiative aimed at encouraging more collaboration on this new generation of malware to chart its characteristics and evolution in order to better defend against it.

Xuxian Jiang, the mastermind behind the Android Malware Genome Project, says defenses against this malware today are hampered by the lack of efficient access to samples, as well as a limited understanding of the various malware families targeting the Android. The goal is to establish a better way of sharing malware samples and analysis, and developing better tools to fight it, he says.

"Basically, at this stage we want to open up first our current collection of Android malware samples and make them available to research community. The purpose is to engage the research community to better our understanding of mobile threats and develop effective solutions against them," says Jiang, who is assistant professor of computer science at North Carolina State University. Jiang says his team is still in the process of fully mapping the genomes of Android malware families.

NC State has sent its malware research and data to several universities, research labs, and vendors thus far via the new Android Malware Genome Project, including Purdue University; University of Michigan; University of California, Riverside; Northwestern University; Fudan University in China; Texas A&M University; University of Louisiana at Lafayette; Beijing Jiaotong University in China; University of California, Berkeley; University of Texas at Dallas; Vienna University of Technology, Austria; VU University Amsterdam, The Netherlands; University of Washington; NQ Mobile, USA/China; and Mobile Defense.

To avoid abuse of the data, Jiang says NC State won't merely post the data online without vetting users. "Instead, we will have some sort of authentication mechanism in place to verify user identity or require necessary justification, if necessary," he says.

Mobile security experts long have lobbied for learning from mistakes in the PC malware world, and taking a different approach to detect and quash mobile malware. Tyler Shields, senior security researcher at Veracode, says the NC State project demonstrates how academia is trying to avoid the mistakes of the past with malware research.

"They are trying to do what hasn't been done in the traditional AV world because AV vendors make money by keeping their [research] private. They are to some degree incented not to share their data," Shields says. "Academia says we have data and we are not incented to hold it secret -- which is great."

Shield says the Project initially appears mostly to be NC State sharing its findings and work. The work of categorizing and enumerating all Android malware for trending was done to a degree in the PC world, he says, but not in such a public way as NC State is doing with the Android Malware Genome Project. "That's the real value these guys bring: attempting to do it in a public way," he says.

[ Some of the most compelling evidence over the past year shows mobile malware has bridged the gap from theoretical to practical. See 6 Discoveries That Prove Mobile Malware's Mettle. ]

NC State has collected more than 1,200 Android malware samples during the past couple of years, including DroidKungFu and GingerMaster, and will share this malware code with Genome Project participants. Jiang was in San Francisco today at the IEEE Symposium on Security and Privacy, where he announced the new program and presented NC State's latest Android malware research, which focuses on the characterization and mapping of the various families of malware -- by installation methods, activation mechanisms, as well as their payloads.

Jiang and his team tested four mobile security platforms and found that, at best, they catch 79.6 percent of Android malware and, at worst, 20.2 percent. That confirmed concerns that today's methods of detecting mobile malware aren't sufficient, according to the research.

More than 85 percent of Android malware samples repackage legitimate apps with their malicious payloads, and 93 percent have bot-like functionality. Nearly 37 percent include platform-level exploits for privilege escalation, according to the NC State research.

Whether the project will result in better anti-malware technology for the mobile space has yet to be determined, but that's the hope of Jiang and his team. "Previous experiences indicate that the study of how malware evolves is helpful to even predict what kind of malware we may expect in the future," he says. "Such insights should be needed to proactively better develop mobile security apps and protect users."

And whether mobile security vendors will be willing to share their own research is unclear. "I just hope this can motivate the data sharing among existing security vendors. Eventually, users or customers can benefit from them," Jiang says.

Veracode's Shields says the mobile industry can and should flip the traditional model of known-threat-only, signature-based detection that came out of the PC world in order to get a leg up on mobile threats. "If we use those traditional models, we will never catch up," Shields says.

Mobile technology has a few different features that could help, too, he notes, such as permissioning and sandboxing. "Those are things that could be used to augment the success rate and detection rate and heuristic applicability," he says.

The full research paper is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-13
The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
PUBLISHED: 2019-12-13
samurai 0.7 has a heap-based buffer overflow in canonpath in util.c via a crafted build file.
PUBLISHED: 2019-12-13
Yabasic 2.86.2 has a heap-based buffer overflow in myformat in function.c via a crafted BASIC source file.
PUBLISHED: 2019-12-13
E5572-855 with versions earlier than has an improper authentication vulnerability. The device does not perform a sufficient authentication when doing certain operations, successful exploit could allow an attacker to cause the device to reboot after launch a man in the middle att...
PUBLISHED: 2019-12-13
Huawei smartphones HUAWEI Y9 2019 and Honor View 20 have a denial of service vulnerability. Due to insufficient input validation of specific value when parsing the messages, an attacker may send specially crafted TD-SCDMA messages from a rogue base station to the affected devices to exploit this vul...