A team of researchers from Northwestern University and North Carolina State University have tested ten of the most popular Android anti-virus software and have discovered that all of them can be fooled by common code obfuscation techniques.
To evaluate the software, they created DroidChameleon, a systematic framework that automatically applies a number of transformation techniques – some common for PC malware, others highly specific to the Android platform – to Android applications.
“Based on the framework, we pass known malware samples (from different families) through these transformations to generate new variants of malware, which are verified to possess the originals’ malicious functionality,” they explained.
Armed with these samples, they tested the effectiveness of mobile AV solutions by AVG, Symantec, Lookout, ESET, Dr. Web, Kaspersky, Trend Micro, ESTSoft, Zoner, and Webroot, and were unpleasantly surprised to find that even the products whose vendors claimed to detect malware transformations were, in fact, not working as they should.
“Many of them may even succumb to trivial transformations such as repacking that do not involve any code-level transformation,” the researchers pointed out.
Other transformations included renaming the package, files or identifiers; encrypting native exploits or payloads, strings and array data; reordering code; inserting junk code; and call indirection.
The project and the testing took one year to complete, and during that period the AV solutions were tested repeatedly. Some of them were improved during that time, as their manufacturers moved towards content-based signatures. Unfortunately, this made the researchers' bypass efforts only slightly harder, and still not challenging: polymorphic variants still passed through in the great majority of cases.
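To make concrete why trivial repacking defeats a whole-file hash signature while only code-level transformations such as string encryption defeat a content signature, here is an added illustration (not code from the DroidChameleon paper or from any of the tested products). It builds a constructed toy "APK" (a zip holding a fake manifest and a fake classes file; no real malware), applies four of the transformations named above, and runs two hypothetical detectors over each variant: one keyed on the SHA-256 of the whole file, one keyed on a byte pattern (a C2 URL string) found inside any zip entry. The package name, URL and XOR key are all made-up values.

```python
import hashlib
import io
import zipfile

# Constructed toy sample: made-up package name and C2 URL, no real malware.
PKG = b"com.example.dropper"
PAYLOAD_URL = b"http://c2.example.invalid/payload.bin"
XOR_KEY = 0x5A  # assumed key for the toy string-encryption transformation


def build_sample(pkg=PKG, url=PAYLOAD_URL, encrypt_strings=False, junk=b""):
    """Build the toy APK as a zip with a manifest and a fake classes.dex."""
    strings = pkg + b"\x00" + url + b"\x00"
    if encrypt_strings:
        # String encryption: the constants are no longer present in clear.
        strings = bytes(b ^ XOR_KEY for b in strings)
    classes = b"dex\n035\x00" + junk + strings + b"\xCA\xFE" * 8
    manifest = b'<manifest package="' + pkg + b'"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", classes)
    return buf.getvalue()


def repack(apk):
    """Repacking: unzip and rezip with different entry metadata and
    compression method; the entry contents (the 'code') are untouched."""
    src = zipfile.ZipFile(io.BytesIO(apk))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for info in src.infolist():
            zi = zipfile.ZipInfo(info.filename, date_time=(2020, 1, 1, 0, 0, 0))
            z.writestr(zi, src.read(info.filename))
    return buf.getvalue()


def entries(apk):
    """Return {entry name: entry bytes} for every file in the zip."""
    z = zipfile.ZipFile(io.BytesIO(apk))
    return {name: z.read(name) for name in z.namelist()}


def hash_detector(apk, known_hashes):
    """Whole-file hash signature: matches only the exact known bytes."""
    return hashlib.sha256(apk).hexdigest() in known_hashes


def content_detector(apk, patterns):
    """Content signature: any pattern found inside any unpacked entry."""
    blobs = entries(apk).values()
    return any(p in blob for blob in blobs for p in patterns)


def evaluate():
    """Run both detectors over the original and four transformed variants.
    Returns {variant: (hash_detector hit, content_detector hit)}."""
    original = build_sample()
    known_hashes = {hashlib.sha256(original).hexdigest()}
    signatures = [PAYLOAD_URL]  # the content signature keys on the C2 URL
    variants = {
        "original": original,
        "repacked": repack(original),
        "renamed": build_sample(pkg=b"a.b.c"),
        "junk_inserted": build_sample(junk=b"\x90" * 32),
        "strings_encrypted": build_sample(encrypt_strings=True),
    }
    return {
        name: (hash_detector(apk, known_hashes), content_detector(apk, signatures))
        for name, apk in variants.items()
    }


if __name__ == "__main__":
    print(f"{'variant':<20}{'hash sig':<10}{'content sig'}")
    for name, (h, c) in evaluate().items():
        print(f"{name:<20}{str(h):<10}{c}")
```

Repacking, renaming and junk insertion all change the file hash but leave the URL string in place, so the hash detector loses every variant while the content detector still catches them; only the string-encryption variant, which actually rewrites the constants, evades both. This mirrors the article's point: moving to content-based signatures raises the bar from "repack the zip" to "obfuscate the payload", but a polymorphic pipeline clears that bar as well.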
The paper they published about their research is an interesting read, and also contains several suggestions on how the problem might be solved.