A group of researchers from Northwestern University and North Carolina State University tested ten of the most popular AV products on Android, and discovered that they were easily fooled by common obfuscation techniques.
In a paper published earlier this year, the researchers said they tested AV software from Symantec, AVG, Kaspersky Lab, Trend Micro, ESET, ESTSoft, Lookout, Zoner, Webroot, and Dr. Web. In order to evaluate the mobile security software, the researchers developed a tool called DroidChameleon, which is a framework that automatically applies a number of transformation techniques (some of the same ones seen in PC malware and others unique to the Android platform) to Android applications.
Known malware samples were transformed to generate new variants that retain exactly the same malicious functionality as before. These new variants were then passed to the AV products and, much to the surprise of the paper's authors, were rarely flagged, if at all.
“Our findings show that all the anti-malware products evaluated are susceptible to common evasion techniques and may succumb to even trivial transformations not involving code-level changes,” the paper explains.
According to the research, 43% of the signatures used by the AV products are based on file names, checksums (or binary sequences), or information obtained from the PackageManager API. Because such signatures key on surface properties of a sample rather than on its code or behaviour, common transformations, as noted above, leave the protection largely useless.
For example, the researchers transformed the Android rootkit DroidDream for their test. DroidDream is a widely known and highly dangerous application. Yet, once it was transformed, every AV program failed to catch at least two variants.
Lookout Inc., a company focused exclusively on mobile protection, failed to flag any of the 14 DroidDream variants it was tested against. Lookout was one of the first security vendors to alert the public to the existence of DroidDream, and yet it failed to stop basic variants of it created in the lab.
Trend Micro also had serious problems, failing to detect 9 out of 10 variants of the SMS Trojan Fake Player. This is noteworthy because Trend Micro discovered the first incarnation of this mobile malware in 2010.
There is hope, however. Last year 45% of the AV programs were bypassed by trivial transformations, but 12 months later that number had fallen to just 16%.
“We find that in all such cases where we see changes, anti-malware authors have moved to content-based matching, such as matching identifiers and strings,” the researchers noted.
“Although the changes in the signatures over the past one year may be seen as improvement, we point out that the new signatures still lack resilience against polymorphic malware as our results aptly demonstrate.”
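To make the distinction between the brittle signature kinds named above (file name, checksum, PackageManager metadata) and the content-based matching the vendors moved to concrete, here is an added, self-contained example written for this article. It is not code from the paper or from DroidChameleon: the "app" is a toy record standing in for what a scanner sees, the sample, package names, identifiers and URL are all constructed, and the variants are modelled only at the level the article describes (a renamed file, a repackaged build with untouched code, and a code-level identifier rename). The point is the resilience matrix: which signature kinds survive which change.

```python
import hashlib
from dataclasses import dataclass, replace

# Toy model of an Android app as a scanner might see it (constructed; not a
# real APK). The fields stand in for the file name on disk, what the
# PackageManager API reports, and the bytes/strings of classes.dex.
@dataclass(frozen=True)
class App:
    file_name: str
    package_name: str          # as reported by PackageManager (assumption)
    dex_bytes: bytes           # stand-in for classes.dex
    identifiers: frozenset     # class/method names found in the code
    strings: frozenset         # string constants found in the code

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Signature kinds mirroring the categories in the paper: file name,
# checksum, PackageManager metadata, and content (identifiers/strings).
def sig_file_name(name):
    return lambda app: app.file_name == name

def sig_checksum(digest):
    return lambda app: sha256(app.dex_bytes) == digest

def sig_package(pkg):
    return lambda app: app.package_name == pkg

def sig_content(ident=None, string=None):
    def match(app):
        return ((ident is None or ident in app.identifiers)
                and (string is None or string in app.strings))
    return match

# Constructed "known sample" (hypothetical; not a real malware sample).
ORIGINAL = App(
    file_name="sample.apk",
    package_name="com.example.sample",
    dex_bytes=b"DEX\x00toy-dex-bytes:Lcom/example/sample/Dropper;",
    identifiers=frozenset({"Lcom/example/sample/Dropper;", "sendSms"}),
    strings=frozenset({"http://c2.example.invalid/register"}),
)

# One signature of each kind, all written against ORIGINAL.
SIGNATURES = {
    "file name": sig_file_name("sample.apk"),
    "checksum": sig_checksum(sha256(ORIGINAL.dex_bytes)),
    "package name": sig_package("com.example.sample"),
    "content: string": sig_content(string="http://c2.example.invalid/register"),
    "content: identifier": sig_content(ident="sendSms"),
}

# Variants modelled at the level the article describes. The first two are
# "trivial" (no code-level change); the last one rewrites identifiers.
VARIANTS = {
    "rename apk file": replace(ORIGINAL, file_name="other.apk"),
    "repackage": replace(ORIGINAL, package_name="com.other.app",
                         dex_bytes=ORIGINAL.dex_bytes + b"\x00pad"),
    "rename identifiers": replace(ORIGINAL, identifiers=frozenset({"La/b/C;", "m1"}),
                                  dex_bytes=b"DEX\x00rewritten"),
}
TRIVIAL = ("rename apk file", "repackage")

def resilience_matrix(signatures=SIGNATURES, variants=VARIANTS):
    """For each signature kind, whether it still fires on each variant."""
    return {name: {v: bool(sig(app)) for v, app in variants.items()}
            for name, sig in signatures.items()}

def brittle_signatures(matrix, trivial=TRIVIAL):
    """Signature kinds that a trivial, no-code-change variant already defeats."""
    return sorted(name for name, row in matrix.items()
                  if not all(row[v] for v in trivial))

if __name__ == "__main__":
    matrix = resilience_matrix()
    for name, row in matrix.items():
        print(f"{name:22s}", {v: ("hit" if ok else "miss") for v, ok in row.items()})
    print("brittle:", brittle_signatures(matrix))
```

Run as a script, the matrix shows the file-name, checksum and package-name signatures each missing at least one of the two trivial variants, while both content-based signatures survive them. The identifier signature is then lost to the code-level rename, and only the string signature is left standing, which is the gap the authors mean when they say content matching still lacks resilience against polymorphic malware.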