Stealth attacks: An extended insight into the obfuscation effects on Android malware

Published: 01 June 2015

Abstract

To evade anti-malware solutions effectively, Android malware authors are increasingly resorting to automatic obfuscation strategies. Recent works have shown, in small-scale experiments, that anti-malware engines can be evaded by applying simple obfuscation transformations to previously detected malware samples. In this paper, we provide a large-scale experiment in which the detection performance of a large number of anti-malware solutions is tested against two different sets of malware samples obfuscated according to different strategies. Moreover, we show that anti-malware engines search for possible malicious content inside assets and entry-point classes. We also provide a temporal analysis of the detection performance of anti-malware engines to verify whether their resilience has improved since 2013. Finally, we show how, by manipulating the area of the Android executable that contains the strings used by the application, it is possible to deceive anti-malware engines into identifying legitimate samples as malware. On one hand, the results show that anti-malware systems have improved their resilience against trivial obfuscation techniques. On the other hand, more complex changes to the application executable have proved to be still effective against detection. Thus, we claim that a deeper static (or dynamic) analysis of the application is needed to improve the robustness of such systems.

Published In

Computers and Security, Volume 51, Issue C, June 2015, 63 pages

Publisher

Elsevier Advanced Technology Publications, United Kingdom

Author Tags

  1. Android
  2. Bytecode
  3. Dalvik
  4. DexGuard
  5. Entry points
  6. Evasion
  7. Malware
  8. Obfuscation
  9. Signatures
  10. Strings

Qualifiers

  • Article

Cited By

  • (2024) Image-based detection and classification of Android malware through CNN models. Proceedings of the 19th International Conference on Availability, Reliability and Security, pp. 1-11. DOI: 10.1145/3664476.3670441. Online publication date: 30 Jul 2024.
  • (2024) Precisely Extracting Complex Variable Values from Android Apps. ACM Transactions on Software Engineering and Methodology, 33(5), pp. 1-56. DOI: 10.1145/3649591. Online publication date: 4 Jun 2024.
  • (2024) Detection approaches for android malware. Expert Systems with Applications: An International Journal, 238(PF). DOI: 10.1016/j.eswa.2023.122255. Online publication date: 15 Mar 2024.
  • (2024) A comprehensive review on permissions-based Android malware detection. International Journal of Information Security, 23(3), pp. 1877-1912. DOI: 10.1007/s10207-024-00822-2. Online publication date: 1 Jun 2024.
  • (2023) Characterizing the Use of Code Obfuscation in Malicious and Benign Android Apps. Proceedings of the 18th International Conference on Availability, Reliability and Security, pp. 1-12. DOI: 10.1145/3600160.3600194. Online publication date: 29 Aug 2023.
  • (2023) Obfuscation-Resilient Android Malware Analysis Based on Complementary Features. IEEE Transactions on Information Forensics and Security, 18, pp. 5056-5068. DOI: 10.1109/TIFS.2023.3302509. Online publication date: 1 Jan 2023.
  • (2023) Breaking the structure of MaMaDroid. Expert Systems with Applications: An International Journal, 228(C). DOI: 10.1016/j.eswa.2023.120429. Online publication date: 15 Oct 2023.
  • (2022) A Modified ResNeXt for Android Malware Identification and Classification. Computational Intelligence and Neuroscience, 2022. DOI: 10.1155/2022/8634784. Online publication date: 1 Jan 2022.
  • (2022) A Comprehensive Review of Android Security. Security and Communication Networks, 2022. DOI: 10.1155/2022/7775917. Online publication date: 1 Jan 2022.
  • (2022) MAPS. Proceedings of the 17th ACM Workshop on Mobility in the Evolving Internet Architecture, pp. 13-18. DOI: 10.1145/3556548.3559629. Online publication date: 21 Oct 2022.