
Anti-Virus Software for Android Fooled by Common Techniques, Researchers Say

A group of researchers from Northwestern University and North Carolina State University tested ten of the most popular AV products on Android, and discovered that they were easily fooled by common obfuscation techniques.


In a paper published earlier this year, the researchers said they tested AV software from Symantec, AVG, Kaspersky Lab, Trend Micro, ESET, ESTSoft, Lookout, Zoner, Webroot, and Dr. Web. In order to evaluate the mobile security software, the researchers developed a tool called DroidChameleon, which is a framework that automatically applies a number of transformation techniques (some of the same ones seen in PC malware and others unique to the Android platform) to Android applications.

Known malware samples were transformed to generate new variants that contain exactly the same malicious functionality as before. These new variants were then passed to the AV products and, much to the surprise of the paper’s authors, they were rarely flagged, if at all.

“Our findings show that all the anti-malware products evaluated are susceptible to common evasion techniques and may succumb to even trivial transformations not involving code-level changes,” the paper explains. 

According to the research, 43% of the signatures used by the AV products are based on file names, checksums (or binary sequences) or information obtained from the PackageManager API. This means that, as noted above, common transformations largely render that protection useless.

For example, the researchers transformed the Android rootkit DroidDream for their test. DroidDream is a widely-known and highly dangerous application. Yet, when it was transformed, every AV program failed to catch at least two variants.

Lookout Inc., a company focused exclusively on mobile protection, failed to flag a single one of the 14 DroidDream variants it was tested against. Lookout was one of the first security vendors to alert the public to the existence of DroidDream, and yet it failed to stop basic variants of it that were created in the lab.

Trend Micro also had serious problems, failing to detect 9 out of 10 variants of the SMS Trojan Fake Player. This is noteworthy because Trend Micro discovered the first incarnation of this mobile malware in 2010.

There is hope, however. Last year 45% of the AV programs were bypassed by trivial transformations, but 12 months later that number had fallen to just 16%.

“We find that in all such cases where we see changes, anti-malware authors have moved to content-based matching, such as matching identifiers and strings,” the researchers noted.

“Although the changes in the signatures over the past one year may be seen as improvement, we point out that the new signatures still lack resilience against polymorphic malware as our results aptly demonstrate.”
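The signature breakdown above (file names, checksums, PackageManager data versus content-based matching) and the researchers' note on the move to content-based signatures can be made concrete with a small brittleness check. The following Python is an added example written for this article; it is not DroidChameleon, not the paper's code, and not any vendor's engine. It builds a constructed stand-in for an APK (a zip with a plain-text manifest and a DEX-like blob, so no real Android tooling is needed), defines one toy signature of each style, and applies one non-code-level transformation, rebuilding the archive from its own entries, to show which signature styles survive it. The package name, class identifier and file names are all constructed.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for an APK: a zip holding a manifest and a DEX-like blob.
# A real APK carries a binary-XML manifest and a real DEX; the plain-text stand-in
# keeps the parsing trivial without changing what the comparison shows.
SAMPLE_ENTRIES = [
    ("AndroidManifest.xml", b'<manifest package="com.example.sample"/>'),
    ("classes.dex", b"dex\n035\x00Lcom/example/sample/Payload;\x00"),
]
ORIGINAL_NAME = "sample.apk"


def build_package(entries, compression=zipfile.ZIP_DEFLATED):
    """Write (name, bytes) entries into an in-memory zip and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def read_entry(apk, name):
    """Return the uncompressed bytes of one entry from an in-memory zip."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read(name)


ORIGINAL_APK = build_package(SAMPLE_ENTRIES)
ORIGINAL_SHA256 = hashlib.sha256(ORIGINAL_APK).hexdigest()


# Each signature takes (file name, package bytes) and returns True on a match.
def sig_filename(name, apk):
    """File-name signature: matches the name the sample was first seen under."""
    return name == ORIGINAL_NAME


def sig_checksum(name, apk):
    """Whole-file checksum signature: SHA-256 of the archive as distributed."""
    return hashlib.sha256(apk).hexdigest() == ORIGINAL_SHA256


def sig_package_name(name, apk):
    """PackageManager-style signature: the package attribute in the manifest."""
    return b'package="com.example.sample"' in read_entry(apk, "AndroidManifest.xml")


def sig_content(name, apk):
    """Content signature: a class identifier found inside the code entry."""
    return b"Lcom/example/sample/Payload;" in read_entry(apk, "classes.dex")


SIGNATURES = {
    "filename": sig_filename,
    "checksum": sig_checksum,
    "package_name": sig_package_name,
    "content": sig_content,
}


def repack(apk):
    """Rebuild the archive from its own entries: same contents, but stored rather
    than deflated and written in reverse order, so the archive bytes differ."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        entries = [(info.filename, zf.read(info.filename)) for info in zf.infolist()]
    return build_package(list(reversed(entries)), compression=zipfile.ZIP_STORED)


def evaluate(variants):
    """variants: {label: (file name, bytes)} -> {label: {signature: matched?}}"""
    return {
        label: {sig_name: sig(name, apk) for sig_name, sig in SIGNATURES.items()}
        for label, (name, apk) in variants.items()
    }


def survival(report):
    """Per signature style, (variants caught, variants tested) across the report."""
    total = len(report)
    return {
        sig_name: (sum(1 for hits in report.values() if hits[sig_name]), total)
        for sig_name in SIGNATURES
    }


def brittleness_report():
    """Run every signature against the original sample and two rebuilt variants."""
    variants = {
        "original": (ORIGINAL_NAME, ORIGINAL_APK),
        "repacked": (ORIGINAL_NAME, repack(ORIGINAL_APK)),
        "renamed_and_repacked": ("update.apk", repack(ORIGINAL_APK)),
    }
    return evaluate(variants)


if __name__ == "__main__":
    report = brittleness_report()
    for label, hits in report.items():
        print(label, hits)
    print("survival:", survival(report))
```

Running it shows the checksum signature matching only the untouched original, the file-name signature dropping out as soon as the file is renamed, and the package-name and content signatures matching all three variants, because nothing inside the entries changed. That is the distinction the researchers draw: matching on identifiers and strings survives transformations that leave the code untouched, while the paper's own results show it still does not hold up against polymorphic variants that rewrite those identifiers, so a detection pipeline should treat any single signature style as one layer among several rather than as sufficient on its own.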

Related: Android Trojan Fools Traditional Application Vetting Processes

Related: 95 Percent of Mobile Threats in 2012 Targeted Android, Says NQ Mobile

Related: Android Trojan Used in APT Attacks
