According to a new study published by a group of academics, anti-virus software for Android is still vulnerable to various types of malwares, posing a severe concern as cyber criminals improve their tools and techniques to better dodge detection.
“Malware writers use stealthy mutations (morphing/obfuscations) to continuously develop malware clones, thwarting detection by signature-based detectors,” the researchers said.
“This attack of clones seriously threatens all the mobile platforms, especially Android.”
According to a report by TheHackerNews Researchers from Adana Science and Technology University in Turkey and the National University of Science and Technology in Islamabad, Pakistan, revealed their findings last week in research.
Unlike iOS, Android devices allow users to download apps from third-party sources, raising the risk of unwitting users installing unverified and lookalike apps that clone the features of legitimate apps but are designed to trick users into downloading apps laced with fraudulent code capable of stealing sensitive information.
Furthermore, malicious hackers can use this technique to make many clones of the rogue software with varied levels of abstraction and obfuscation to hide their true intentions and get past anti-malware engines’ defense barriers, as the report says.
The researchers created DroidMorph, a tool that allows Android applications (APKs) to be “morphed” by decompiling the files to an intermediate form, which is then modified and compiled to create clones, both benign and malware, to test and evaluate the resilience of commercially available anti-malware products against this attack.
Morphing could occur at various levels, according to the researchers, including those that require modifying the class and method names in the source code or something more complex that alters the program’s execution flow, such as the call graph and control-flow graph.
According to the report, the researchers discovered that 8 out of 17 leading commercial anti-malware programs failed to detect any of the cloned applications in a test using 1,771 morphed APK variants generated through DroidMorph, with an average detection rate of 51.4 % for class morphing, 58.8 % for method morphing, and 54.1 % for body morphing observed across all programs.
LineSecurity, MaxSecurity, DUSecurityLabs, AntivirusPro, 360Security, SecuritySystems, GoSecurity, and LAAntivirusLab are among the anti-malware software that have been successfully bypassed.
The researchers plan to add further obfuscations at different levels as well as enable morphing of metadata information such as permissions encoded in an APK file as part of their future work in order to reduce detection rates.
Also read:
This bizarre iOS bug can completely disconnect your Wi-Fi
Android apps discovered with the ‘Joker’ malware: Report