Top Android AV software fooled by common evasion techniques
Posted on 03 May 2013.
A team of researchers from Northwestern University and North Carolina State University has tested ten of the most popular Android anti-virus products and discovered that all of them can be fooled by common code obfuscation techniques.

To evaluate the software, they created DroidChameleon, a systematic framework that automatically applies a number of transformation techniques - some common for PC malware, others highly specific to the Android platform - to Android applications.

"Based on the framework, we pass known malware samples (from different families) through these transformations to generate new variants of malware, which are verified to possess the originals' malicious functionality," they explained.

Armed with these samples, they tested the effectiveness of mobile AV solutions by AVG, Symantec, Lookout, ESET, Dr. Web, Kaspersky, Trend Micro, ESTSoft, Zoner, and Webroot, and were unpleasantly surprised to find that even the products whose vendors claimed they could detect malware transformations were, in fact, not working as they should.

"Many of them may even succumb to trivial transformations such as repacking that do not involve any code-level transformation," the researchers pointed out.

Other transformations included renaming the package, files or identifiers; encrypting the native exploit or payload, strings and array data; reordering code; inserting junk code; and call indirection.

The project and the testing took one year to complete, and during that period the AV solutions were tested repeatedly. Some of them were improved during that time, as their manufacturers turned more towards content-based signatures. Unfortunately, this made the researchers' bypass efforts only a little harder, still far from challenging, and polymorphic malware still passed through in the great majority of cases.
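To make the difference between file-hash and content-based signatures concrete, here is an added Python example (constructed toy data, not the researchers' DroidChameleon framework or any vendor's engine). It models an app as a signing certificate plus a few smali-like instructions, hand-writes one variant for each of three transformations the article lists (repacking, identifier renaming, string encryption), and checks which of three signature styles still recognises each variant.

```python
import hashlib
import re

# Constructed toy model of an APK: a signing-certificate fingerprint plus
# "dex" code, one smali-like instruction per line. Benign, made-up content.
ORIGINAL = {
    "cert": "CERT-A",
    "dex": "invoke-virtual Lcom/a/b/Reader;->read()\n"
           "const-string v0, \"payload\"\n"
           "invoke-static Lcom/a/b/Net;->send(Ljava/lang/String;)\n",
}
# Constructed variants, each applying one transformation named in the article.
REPACKED = {**ORIGINAL, "cert": "CERT-B"}   # re-signed, code untouched
RENAMED = {"cert": "CERT-B", "dex": ORIGINAL["dex"].replace("Lcom/a/b/", "Lx/y/z/")}
STRING_ENCRYPTED = {                          # literal replaced by blob + decrypt call
    "cert": "CERT-B",
    "dex": "invoke-virtual Lcom/a/b/Reader;->read()\n"
           "const-string v0, \"7a3f\"\n"
           "invoke-static Lcom/a/b/Dec;->dec(Ljava/lang/String;)\n"
           "invoke-static Lcom/a/b/Net;->send(Ljava/lang/String;)\n",
}

def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def sig_whole_file(app): return sha256(app["cert"] + app["dex"])   # hash of the APK
def sig_dex(app): return sha256(app["dex"])                        # hash of code only

def normalize(dex: str) -> str:
    # Content-based view: drop string literals and class/method names,
    # keep only the opcode sequence, so renaming no longer matters.
    dex = re.sub(r'"[^"]*"', '"STR"', dex)
    dex = re.sub(r"L[\w/$]+;->\w+", "CALL", dex)
    return dex

def sig_opcodes(app): return sha256(normalize(app["dex"]))

SIGNATURES = {"whole_file": sig_whole_file, "dex_only": sig_dex, "opcode_seq": sig_opcodes}

def detect(variant: dict, scheme: str) -> bool:
    """True if the signature derived from ORIGINAL also matches the variant."""
    f = SIGNATURES[scheme]
    return f(variant) == f(ORIGINAL)

def coverage() -> dict:
    """Detection matrix: signature scheme -> {variant name: detected?}."""
    variants = {"repacked": REPACKED, "renamed": RENAMED, "str_enc": STRING_ENCRYPTED}
    return {s: {v: detect(app, s) for v, app in variants.items()} for s in SIGNATURES}

if __name__ == "__main__":
    for scheme, row in coverage().items():
        print(f"{scheme:12s} {row}")
```

The whole-file hash misses every variant, the code-only hash survives repacking alone, and the opcode-sequence signature also survives renaming but still fails once string encryption inserts an extra decrypt call, mirroring the article's observation that content-based signatures raise the bar only slightly.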

The paper they published about their research is an interesting read, and also contains several suggestions on how the problem might be solved.
