How much is difficult realize a malware ignored by antimalware solutions?

Pretty simple, according to recent researches!


A group of the researchers from the Iswatlab team at the University of Sannio demonstrated how is easy to create a mobile malware that eludes antivirus solutions.

The research was conducted by Corrado Aaron Visaggio and Francesco Mercaldo, who realized an engine that applies the following transformations chain to an android malware code which alter the code’s shape, but not the behavior of the malware:

        Disassembling
|
V
Changing Package Name
|
V
Data Encoding
|
V
Code Reordering
|
V
Insert Junk Instruction NOP
|
V
Insert Junk Instruction Branch
|
V
Insert Junk Instruction Garbage
|
V
Identifiers Renaming Package
|
V
Identifiers Renaming Class
|
V
Call Indirection
|
V
Reassembling
|
V
Repacking

We developed a framework which applies a set of transformations to Android applications smali code. We then transformed a real world malware data-set and then we submitted the applications to the website www.virustotal.com, in order to evaluate the maliciousness before and after the transformations (we submitted every sample pre and post transformation process).

Some sites named this solution the “Malware Washing Machine“.


The tests

We worked on a data-set, composed of 5560 malwares belonging to 178 different malware families.
We applied all the transformations combined together on the malware data-set.

The malware data-set is available at: http://user.informatik.uni-goettingen.de/~darp/drebin/


The results?

The results is impressive: the antimalware is not able to recognize the transformed malware (given that it was able to recognize the original malware)

From the paper:

Percentage ratio of antimalwares that detect as malicious more than 
90% of the malwares that analyze.

  • Original malware set : 47%
  • Transformed malware set: 7%


The simple transformation of malwares can turn a known and recognizable malware into an undetectable malware.

This should lead research and industry to develop detection mechanisms which are robust against this trivial evasion techniques.

For more information about result and more technical details regarding the transformation chain, refer to the original paper:

https://www.iswatlab.eu/wp-content/uploads/2015/09/mobile_antimalware_evaluation.pdf


The source code

Freely available on GitHub:

https://github.com/faber03/AndroidMalwareEvaluatingTools

Comments