DroidMorph Shows Popular Android Antivirus Fails To Detect Cloned Malicious Apps
New research published by a group of academics has revealed that antivirus programs for Android remain vulnerable to different malware permutations, which could pose a serious risk as malicious actors evolve their tools to better evade scanning.
“Malware authors use stealth mutations (morphing / obscuring) to continuously develop malware clones, thwarting detection by signature-based detectors,” the researchers explain. “This clone attack seriously threatens all mobile platforms, especially Android.”
The findings were published in a study last week by researchers at the University of Science and Technology in Adana, Turkey, and the National University of Science and Technology in Islamabad, Pakistan.
Unlike iOS, Android allows apps to be downloaded from third-party sources, increasing the chance that unsuspecting users install unverified apps that clone the functionality of a legitimate app but are designed to lure targets into downloading applications containing fraudulent code capable of stealing sensitive information.
Additionally, malware authors can extend this technique to develop multiple malware clones with varying levels of abstraction and obfuscation to disguise their true intent and break through the defense barriers created by anti-malware engines.
To test and assess the resilience of commercially available anti-malware products against this attack, the researchers developed a tool called DroidMorph, which allows Android applications (APKs) to be “morphed” by decompiling the files into an intermediate form, which is then modified and recompiled to create clones, both benign and malicious.
Morphing can be done at different levels, the researchers noted, ranging from changing class and method names in the source code to non-trivial transformations that alter the flow of program execution, including the call graph and the control flow graph.
In a test using 1,771 morphed APK variants generated via DroidMorph, the researchers found that 8 out of 17 major commercial anti-malware programs failed to detect any of the cloned apps, with average detection rates across all programs of 51.4% for class morphing, 58.8% for method morphing and 54.1% for body morphing.
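The following is an added illustration of why the class and method renaming described above defeats signature-based detection, and of one feature a detector can use that survives it. It is not DroidMorph's code and not code from the study; the two Dalvik-style listings are constructed by hand (not taken from any real app), the second being the first after its own classes and methods were renamed. The idea exploited here is that calls into the Android framework (Landroid/... and Ljava/... targets) cannot be renamed by the app author, so a profile built from them is unchanged by class or method morphing, whereas a hash of the code text changes with any renamed identifier.

```python
import hashlib
import re

# Constructed, simplified Dalvik-style listings (not smali from any real app,
# and not DroidMorph output). MORPHED_LISTING is ORIGINAL_LISTING after the
# app's own class and method names were replaced, i.e. class/method morphing.
ORIGINAL_LISTING = """\
.class public Lcom/example/collector/Harvester;
.method public collect()V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v1}, Landroid/content/ContentResolver;->query(Landroid/net/Uri;)Landroid/database/Cursor;
    invoke-virtual {v2}, Lcom/example/collector/Sender;->post(Ljava/lang/String;)V
    return-void
.end method
"""

MORPHED_LISTING = """\
.class public La/b/C;
.method public a()V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v1}, Landroid/content/ContentResolver;->query(Landroid/net/Uri;)Landroid/database/Cursor;
    invoke-virtual {v2}, La/b/D;->b(Ljava/lang/String;)V
    return-void
.end method
"""

# Callees in framework packages; an app author cannot rename these, so calls
# into them survive renaming of the app's own classes and methods.
FRAMEWORK_CALL = re.compile(r"(L(?:android|java|javax)/[\w/$]+;->[\w$<>]+)")


def exact_signature(listing: str) -> str:
    """Hash-of-code signature, the kind class/method renaming defeats:
    any changed identifier changes the digest."""
    normalized = "\n".join(line.strip() for line in listing.strip().splitlines())
    return hashlib.sha256(normalized.encode()).hexdigest()


def framework_api_profile(listing: str) -> frozenset:
    """Set of framework API callees invoked by the listing. App-private
    callees are excluded, so renaming them leaves the profile unchanged."""
    return frozenset(FRAMEWORK_CALL.findall(listing))


def signature_matches(known_bad: str, sample: str) -> bool:
    """True only if the sample is byte-for-byte the known-bad code."""
    return exact_signature(known_bad) == exact_signature(sample)


def api_profile_matches(known_bad: str, sample: str) -> bool:
    """True if the sample calls exactly the same framework APIs."""
    return framework_api_profile(known_bad) == framework_api_profile(sample)


if __name__ == "__main__":
    print("exact signature match:", signature_matches(ORIGINAL_LISTING, MORPHED_LISTING))
    print("API profile match:    ", api_profile_matches(ORIGINAL_LISTING, MORPHED_LISTING))
    for api in sorted(framework_api_profile(ORIGINAL_LISTING)):
        print("  ", api)
```

Run stand-alone, the exact signature fails to match the renamed clone while the framework API profile still matches. The profile is only a complement: it says nothing about the body morphing the article also reports, where control flow is rewritten, and the study's own figures show that even method morphing slipped past roughly two in five of the products tested.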
Anti-malware programs that have been successfully circumvented include LineSecurity, MaxSecurity, DUSecurityLabs, AntivirusPro, 360Security, SecuritySystems, GoSecurity, and LAAntivirusLab.
As future work, the researchers said they intend to add more obfuscation at different levels and to allow morphing of metadata such as the permissions embedded in an APK file, in an effort to further reduce detection rates.