New research sheds light on how popular antivirus (AV) programs for Android fail to protect devices against malware variants. “The number of Android malware variants (clones) is on the rise and, to stop this attack of clones, we need to develop new methods and techniques for analysing and detecting them,” said security researchers Shahid Alam, M. Zain ul Abideen, and Shahzad Saleem from Adana Science and Technology University, Turkey. They published their findings in a new paper titled “DroidMorph: Are We Ready to Stop the Attack of Android Malware Clones?”
According to the paper, malware authors use stealthy mutations, such as morphing and obfuscation, to continuously produce malware clones that evade signature-based detectors. “This attack of clones seriously threatens all the mobile platforms, especially Android,” the scholars said.
One of the main issues with Android is that apps can be downloaded from various third-party sources, which increases the chances of installing a fake clone (lookalike) app. Such apps imitate a legitimate app’s functionality but, instead of providing it, trick users into downloading further apps carrying fraudulent code, usually with the goal of stealing sensitive information from unsuspecting Android users.
A bigger risk arises when malware authors develop multiple clones of the same rogue app with varying levels of obfuscation, masking its true purpose. Each clone looks like a new, unknown file, so it can slip onto a device past anti-malware engines that rely on signatures of already-known samples.
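To make the point about clones concrete, here is an added example that is not code from the paper or from the DroidMorph tool. It uses a constructed, smali-like code listing (not a real APK; the com/example class names are hypothetical) and two illustrative transformations, class renaming and junk nop insertion, as stand-ins for the morphing and obfuscation the article describes. It then compares a file-hash signature detector, which knows only the original sample, against a detector keyed on the set of Android framework APIs the code calls: every clone evades the hash signature, while the behavioural feature survives the morphing untouched.

```python
import hashlib
import random
import re

# Constructed toy sample: a smali-like listing standing in for disassembled
# DEX code. It is NOT a real APK, and the com/example class names are
# hypothetical. Only the Android framework call is a real API.
ORIGINAL_SAMPLE = """\
.method public run()V
    invoke-virtual {p0}, Lcom/example/Spy;->imei()Ljava/lang/String;
    move-result-object v0
    invoke-static {v0}, Lcom/example/Exfil;->send(Ljava/lang/String;)V
    return-void
.end method
.method private imei()Ljava/lang/String;
    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v0
    return-object v0
.end method
"""

# App-defined classes (renamable) versus Android framework calls (not renamable
# by the malware author, because the platform defines them).
APP_CLASS = re.compile(r"Lcom/example/[A-Za-z0-9_]+;")
ANDROID_API = re.compile(r"L(android/[A-Za-z0-9_/$]+);->([A-Za-z0-9_<>]+)\(")


def morph(sample: str, seed: int) -> str:
    """Produce one clone: rename app-defined classes and sprinkle in nop
    instructions. These two transformations are illustrative stand-ins for
    identifier renaming and junk-code insertion; they keep the program's
    behaviour while changing the bytes every file-level signature depends on."""
    rng = random.Random(seed)
    renames = {}

    def rename(match):
        name = match.group(0)
        if name not in renames:
            renames[name] = "La/%s;" % "".join(
                rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(6))
        return renames[name]

    out_lines = []
    for line in APP_CLASS.sub(rename, sample).splitlines():
        out_lines.append(line)
        # Junk goes only after instructions (indented lines), never after
        # .method/.end method directives, so the listing stays well-formed.
        if line.startswith("    ") and rng.random() < 0.5:
            out_lines.append("    nop")
    return "\n".join(out_lines) + "\n"


def sha256_signature(sample: str) -> str:
    """Whole-file hash: the simplest form of a static signature."""
    return hashlib.sha256(sample.encode()).hexdigest()


def extract_api_calls(sample: str) -> frozenset:
    """Behavioural feature: the set of Android framework APIs invoked.
    App-defined class names and nops are ignored, so renaming and junk
    insertion leave this feature unchanged."""
    return frozenset("%s->%s" % m.groups() for m in ANDROID_API.finditer(sample))


def signature_detects(sample: str, known_hashes: set) -> bool:
    return sha256_signature(sample) in known_hashes


def feature_detects(sample: str, known_features: set) -> bool:
    return extract_api_calls(sample) in known_features


def evaluate(n_variants: int = 10) -> dict:
    """Train both detectors on the original sample only, then test them on
    n_variants clones. Returns how many clones each detector caught."""
    known_hashes = {sha256_signature(ORIGINAL_SAMPLE)}
    known_features = {extract_api_calls(ORIGINAL_SAMPLE)}
    clones = [morph(ORIGINAL_SAMPLE, seed) for seed in range(n_variants)]
    return {
        "variants": n_variants,
        "original_caught_by_signature": signature_detects(ORIGINAL_SAMPLE, known_hashes),
        "clones_caught_by_signature": sum(signature_detects(c, known_hashes) for c in clones),
        "clones_caught_by_features": sum(feature_detects(c, known_features) for c in clones),
        "all_clones_distinct_from_original": all(c != ORIGINAL_SAMPLE for c in clones),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(key, value)
```

The API-set feature is deliberately simple; a real morphing engine also reorders code, splits methods and encrypts strings, and a real detector would combine several such features. The example only shows the direction the paper argues for: detection has to key on what the clone does rather than on what it hashes to.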
What Is DroidMorph?
To test this type of attack against Android, the research team developed a tool called DroidMorph, described in the paper’s abstract as follows:
In this paper we present a new tool named DroidMorph, that provides morphing of Android applications (APKs) at different levels of abstraction, and can be used to create Android application (malware/benign) clones. As a case study we perform testing and evaluating resilience of current commercial anti-malware products against attack of the Android malware clones generated by DroidMorph. We found that 8 out of 17 leading commercial anti-malware programs were not able to detect any of the morphed APKs. We hope that DroidMorph will be used in future research, to improve Android malware clones analysis and detection, and help stop them.
These results came after the researchers tested the products against 1,771 morphed APK variants generated with DroidMorph.
The anti-malware programs that failed the researchers’ test include LineSecurity, MaxSecurity, DUSecurityLabs, AntivirusPro, 360Security, SecuritySystems, GoSecurity, and LAAntivirusLab.
“We hope that DroidMorph will be used in future research, to improve Android malware clones analysis and detection, and help stop them,” the researchers concluded.