SecurityWeek

Mobile & Wireless

Anti-Virus Software for Android Fooled by Common Techniques, Researchers Say

A group of researchers from Northwestern University and North Carolina State University tested ten of the most popular AV products on Android, and discovered that they were easily fooled by common obfuscation techniques.

In a paper published earlier this year, the researchers said they tested AV software from Symantec, AVG, Kaspersky Lab, Trend Micro, ESET, ESTSoft, Lookout, Zoner, Webroot, and Dr. Web. In order to evaluate the mobile security software, the researchers developed a tool called DroidChameleon, which is a framework that automatically applies a number of transformation techniques (some of the same ones seen in PC malware and others unique to the Android platform) to Android applications.

Known malware samples were transformed to generate new variants that contain exactly the same malicious functionality as before. These new variants were then passed to the AV products and, much to the surprise of the paper's authors, they were rarely flagged, if at all.

“Our findings show that all the anti-malware products evaluated are susceptible to common evasion techniques and may succumb to even trivial transformations not involving code-level changes,” the paper explains. 

According to the research, 43% of the signatures used by the AV products are based on file names, checksums (or binary sequences), or information obtained through the PackageManager API. Because none of these inspect the code itself, common transformations largely render that protection useless.

For example, the researchers transformed the Android rootkit DroidDream for their test. DroidDream is a widely-known and highly dangerous application. Yet, when it was transformed, every AV program failed to catch at least two variants.

Lookout Inc., a company that focuses solely on mobile protection, failed to flag every one of the 14 DroidDream variants it was tested against. Lookout was one of the first security vendors to alert the public to the existence of DroidDream, and yet it failed to stop basic variants of it that were created in the lab.

Trend Micro also had serious problems, failing to detect 9 out of 10 variants of the SMS Trojan Fake Player. This is noteworthy because Trend Micro discovered the first incarnation of this mobile malware in 2010.

There is hope, however. Last year 45% of the AV programs were bypassed by trivial transformations, but 12 months later that number fell to just 16%.

“We find that in all such cases where we see changes, anti-malware authors have moved to content-based matching, such as matching identifiers and strings,” the researchers noted.

“Although the changes in the signatures over the past one year may be seen as improvement, we point out that the new signatures still lack resilience against polymorphic malware as our results aptly demonstrate.”
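To make the distinction between the checksum-based signatures described above and the content-based matching the researchers say vendors have moved to concrete, here is an added example (not from the paper, DroidChameleon, or any of the products named). It builds a constructed APK-like zip with placeholder contents, applies a repackaging transformation that leaves the dex bytes untouched, and then an identifier rename, and reports which signature style still recognises each variant; the package name, identifier string and file layout are all made-up stand-ins.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for an APK (not real malware bytes): a zip holding a
# manifest and a "classes.dex" placeholder that carries one identifier string.
PACKAGE = b"com.example.constructed.sample"
MANIFEST = b'<manifest package="' + PACKAGE + b'"/>'
DEX = b"dex\n035\x00 ... Lcom/example/constructed/sample/Payload; ..."
FIXED_TIME = (2013, 1, 1, 0, 0, 0)  # fixed zip timestamps so only the transform changes bytes


def build_apk(manifest: bytes, dex: bytes, compress_type: int = zipfile.ZIP_DEFLATED) -> bytes:
    """Package manifest and dex into an APK-like zip and return its raw bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (("AndroidManifest.xml", manifest), ("classes.dex", dex)):
            zf.writestr(zipfile.ZipInfo(name, FIXED_TIME), data, compress_type=compress_type)
    return buf.getvalue()


def checksum_signature(apk: bytes) -> str:
    """Whole-file hash: the brittle signature style the paper says 43% of products rely on."""
    return hashlib.sha256(apk).hexdigest()


def content_signature_matches(apk: bytes, needle: bytes) -> bool:
    """Content-based matching: look for a known identifier string inside classes.dex."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return needle in zf.read("classes.dex")


def evaluate(original: bytes, variant: bytes, needle: bytes) -> dict:
    """Report whether each signature style still recognises the transformed sample."""
    return {
        "checksum_matches": checksum_signature(original) == checksum_signature(variant),
        "content_matches": content_signature_matches(variant, needle),
    }


def demo() -> dict:
    needle = b"Lcom/example/constructed/sample/Payload;"
    original = build_apk(MANIFEST, DEX)
    # Repacking: same manifest, same dex bytes; only the zip container changes.
    repacked = build_apk(MANIFEST, DEX, compress_type=zipfile.ZIP_STORED)
    # Identifier renaming: the dex string the content signature keys on is rewritten.
    renamed = build_apk(MANIFEST, DEX.replace(b"sample/Payload", b"sample/Renamed"))
    return {"repacked": evaluate(original, repacked, needle),
            "renamed": evaluate(original, renamed, needle)}
```

Run `demo()`: the repacked variant defeats the checksum signature but not the content signature, while the renamed variant defeats both, which is the gap the researchers' closing remark about polymorphic malware points at.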

Related: Android Trojan Fools Traditional Application Vetting Processes

Related: 95 Percent of Mobile Threats in 2012 Targeted Android, Says NQ Mobile

Related: Android Trojan Used in APT Attacks
