Thursday, May 16, 2013

Mobile AV apps fail to detect disguised malware

Ten of the top commercial Android antivirus software products were beaten by common malware obfuscation methods, according to new research.


Researchers from Northwestern University and North Carolina State University spent a year testing popular mobile AV apps for Android on their ability to detect malware that uses evasion techniques, such as altering the code or morphing a malware sample. Polymorphism can be as simple as changing the order of the code and data files or just renaming the file, or as complex as changing the appearance of the code without changing its behavior.



The researchers — Yan Chen and Vaibhav Rastogi of Northwestern and Xuxian Jiang of NC State — used a homegrown prototype malware obfuscation/transformation tool called DroidChameleon in their experiment, which ran from February 2012 until February 2013. The tool automatically transformed known Android malware families, including DroidDream, Geinimi, Fakeplayer, Bserv, BaseBridge, and Plankton, to test the mettle of the AV programs.



The bad news: The researchers were able to cheat all of the AV products they tested, including AVG Antivirus, Symantec Norton Mobile Security, Lookout Mobile Security, ESET Mobile Security, Dr. Web AntiVirus Light, Kaspersky Mobile Security, Trend Micro Security Personal Ed, ESTSoft ALYac Android, Zoner Antivirus Free, and Webroot Security Antivirus.



The good news is that the tools appear to be getting better at detecting malware that uses basic transformation/obfuscation techniques, such as repacking (unzipping and rezipping the package) or reassembling the malware. These methods don’t change the code, just the packaging. In 2012, 45 percent of the AV signatures failed to detect malware that used such basic transformation techniques, but this year only 16 percent of them have missed “trivially” transformed malware samples so far, the researchers say.
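The following is an added example, not code from the article or from the DroidChameleon tool, showing why a "trivial" repack defeats a signature computed over the whole package while a signature over the code itself survives it. An APK is a zip archive, so the example builds a constructed stand-in APK in memory (real entry names, placeholder contents), repacks it by unzipping and rezipping with a different entry order, compression method and timestamps, and compares a whole-file hash against a hash of the classes.dex entry. The entry contents and the sample data are assumptions made for the example.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for an APK: the entry names are the ones a real APK carries,
# but the contents are placeholder bytes made up for this example.
ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.sample'/>",
    "classes.dex": b"dex\n035\0" + bytes(range(64)),
    "res/values/strings.xml": b"<resources/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
}


def build_apk(entries, names, compress_type, mtime):
    """Write entries into a zip in the given order with one compression method and timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = compress_type
            zf.writestr(info, entries[name])
    return buf.getvalue()


def repack(apk_bytes):
    """Trivial 'repack' transformation: unzip, then rezip with the entries in a different
    order, a different compression method and fresh timestamps. No code is changed."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        entries = {name: zf.read(name) for name in zf.namelist()}
    names = sorted(entries, reverse=True)
    return build_apk(entries, names, zipfile.ZIP_STORED, (2013, 2, 1, 0, 0, 0))


def whole_file_hash(apk_bytes):
    """Package-level content signature: a hash over the entire APK file."""
    return hashlib.sha256(apk_bytes).hexdigest()


def dex_hash(apk_bytes):
    """Code-level content signature: a hash over the classes.dex entry only."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return hashlib.sha256(zf.read("classes.dex")).hexdigest()


def run_demo():
    """Report which of the two signatures still matches after a repack."""
    original = build_apk(ENTRIES, list(ENTRIES), zipfile.ZIP_DEFLATED, (2012, 2, 1, 0, 0, 0))
    transformed = repack(original)
    return {
        "whole_file_survives": whole_file_hash(original) == whole_file_hash(transformed),
        "dex_survives": dex_hash(original) == dex_hash(transformed),
    }


if __name__ == "__main__":
    print(run_demo())
```

A real repack also has to re-sign the APK with the attacker's own key, which rewrites the META-INF entries, so a whole-package hash or a signature keyed on the developer certificate is lost as well; only a signature over the code entry, or over features derived from it, survives this transformation.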



“There are some things that vendors could improve, and there also are some fundamental problems with [their] resilience [against] these [polymorphic malware] attacks,” says Chen, associate professor in electrical engineering and computer science at Northwestern. “We have seen dramatic improvement for the past year” in detecting malware with rudimentary transformation.



“The result that we have here certainly indicates improvement: Anti-malware tools do not succumb as frequently to such trivial transformations. However, this is far from good. As long as anti-malware tools continue to use content-based signatures, evading them is really easy,” Chen says.



Today’s mobile AV signatures are based on byte patterns in the malware, and malware writers can easily evade AV tools by changing those bytes, according to the researchers. Some 90 percent of the malware signatures studied by the researchers do not rely on static analysis of the bytecode. Dr. Web was the only AV product employing static analysis, they say.



“The main problem with such signatures is that they are based on patterns of bytes in the malware. These bytes can, however, easily be changed without altering the functionality. Another way to say this is there could be many differently written pieces of program code that all do the same thing,” Chen says. AV technology must evolve toward semantics-based detection, which analyzes what an app actually does, the researchers say.
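The following is an added example, not code from the article or from the researchers, contrasting a byte-pattern signature with a semantics-oriented feature on a constructed sample. The sample is a simplified smali-style listing of one method that sends a premium SMS; the Landroid/... names are real framework APIs, while the app's own class, the phone number and the strings are made up for the example. Three transformations of the kind DroidChameleon applies (renaming the app's own identifiers, inserting no-ops, reordering independent instructions) are simulated on the listing, and each signature is re-checked afterwards.

```python
import hashlib
import re

# Constructed toy sample standing in for real dex bytecode. Framework API names are real;
# the app class Lcom/example/fakeplayer/Config; and the constants are made up.
ORIGINAL_METHOD = [
    'const-string v0, "5554"',
    'const-string v1, "premium"',
    "invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;",
    "move-result-object v2",
    "invoke-virtual {v2, v0, v3, v1, v3, v3}, Landroid/telephony/SmsManager;->sendTextMessage("
    "Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;"
    "Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V",
    "invoke-static {}, Lcom/example/fakeplayer/Config;->hideIcon()V",
    "return-void",
]

# Only framework (android.*/java.*) callees count: the malware author cannot rename those.
FRAMEWORK_CALL = re.compile(r"invoke-\w+ \{[^}]*\}, (L(?:android|java)/[^;]+;->\w+)")


def content_signature(method):
    """Byte-pattern signature over the exact instruction bytes, which is what a
    content-based AV signature amounts to. Any byte change breaks it."""
    return hashlib.sha256("\n".join(method).encode()).hexdigest()


def semantic_features(method):
    """Semantics-oriented feature: the set of framework APIs the method invokes."""
    return frozenset(m.group(1) for line in method for m in FRAMEWORK_CALL.finditer(line))


def rename_identifiers(method):
    """Rename the app's own classes and methods; framework names must stay as they are."""
    return [re.sub(r"Lcom/example/\w+/\w+;->\w+", "La/b/C;->a", line) for line in method]


def insert_junk(method):
    """Insert a no-op after every call: behaviour is unchanged, the bytes are not."""
    out = []
    for line in method:
        out.append(line)
        if line.startswith("invoke-"):
            out.append("nop")
    return out


def reorder_independent(method):
    """Swap the two constant loads, which have no data dependence on each other."""
    out = list(method)
    out[0], out[1] = out[1], out[0]
    return out


def evaluate(sample, known_content, known_apis):
    """Report whether each signature type still flags the (possibly transformed) sample.
    The semantic check fires when the sample calls every API of a known family."""
    return {
        "content": content_signature(sample) in known_content,
        "semantic": any(apis <= semantic_features(sample) for apis in known_apis),
    }


def run_demo():
    """Build a 'signature database' from the original sample only, then test each variant."""
    known_content = {content_signature(ORIGINAL_METHOD)}
    known_apis = {semantic_features(ORIGINAL_METHOD)}
    results = {"original": evaluate(ORIGINAL_METHOD, known_content, known_apis)}
    for transform in (rename_identifiers, insert_junk, reorder_independent):
        variant = transform(ORIGINAL_METHOD)
        results[transform.__name__] = evaluate(variant, known_content, known_apis)
    return results


if __name__ == "__main__":
    for name, hit in run_demo().items():
        print(f"{name:20s} content={hit['content']!s:5s} semantic={hit['semantic']}")
```

The content signature matches only the untransformed sample, while the API-set feature matches all four variants because the framework calls cannot be renamed away. The feature shown here is deliberately simple: an attacker who hides the call sites themselves, for example by invoking the same APIs through reflection or from native code, defeats it too, which is why detection based on what the code does rather than how it is written is the direction the researchers call for, not a single check.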



But at least one mobile vendor contends that the experiment by Northwestern and NC State doesn’t reflect real-world threats.



“These recent test results are not representative of the current threat landscape that Symantec customers would be exposed to. For example, Norton Mobile Security protects against real-world threats that are known to alter their code, and these threats were not used in the test,” a Symantec spokesperson says. “Symantec constantly researches potential future advancements in attacker strategies and continually monitors the threat landscape, evaluating and evolving our protection capabilities for our mobile products to protect customers accordingly.”



Tim Wyatt, director of security engineering for Lookout, says the research demonstrates the challenges of securing mobile devices today, noting that the research focuses on the endpoint piece of the puzzle.



“The testing performed by Northwestern/NC State confirms what we already know: Detection of unknown and/or highly customized malware is a challenge for traditional endpoint security. This challenge is magnified by the constraints of mobile platforms,” Wyatt says. “This study focused on the endpoint side of the problem, and we believe that a comprehensive approach to addressing these challenges combines presence on the endpoint with powerful back-end analysis and continuous monitoring of endpoint health.”



Mobile malware, meanwhile, is skyrocketing: According to a recent report by NQ Mobile, more than 65,000 mobile malware threats were discovered in 2012, a 163 percent increase from the previous year. And 95 percent of the malware was exploiting the Android operating system, either via application repackaging, malicious URLs, or SMS phishing, a.k.a. SMiShing.



The malware boom resulted in some 32.8 million Android devices getting infected in 2012, a 200 percent increase from 2011.



NC State’s Jiang says mobile security is evolving, and it’s not just an AV issue. “Users need to be cautious about what kind of app they download. A centralized [and authorized] app store is one way to mitigate this threat, [as is] static analysis,” he says. “Malware mostly [comes] through app stores.”



Google’s Bouncer scanning of apps is a good step, he says, as well as next-generation mobile security features, such as sandboxing. Samsung, for example, has developed the KNOX partitioning feature for sandboxing apps, which could help better lock down mobile devices, Jiang says.



But the “stock” Android OS does not allow AV products the appropriate privileges to perform behavioral monitoring of code, Chen notes. “Smartphone manufacturers can certainly add their own features to secure mobile devices,” he says. “The highest impact however, in my opinion, would be when Android, as developed by Google, itself had these security features. Then, every Android device, regardless of the vendor, would have such features. There are steps being made in this direction: SELinux additions in Android 4.2 are an example of this.”



The researchers say they hope their findings spur improvement in mobile malware detection. Their goal wasn’t to call out the best AV solutions, they say, and their research didn’t cover signature database coverage or resource use on the phones, or SMS spam-filtering or lost device functions. “Evaluating these functionalities remains beyond the scope of this paper,” they wrote in their “Evaluating Android Anti-malware Against Transformation Attacks” paper, which is available for download (PDF).


