Journal
COMPUTERS & SECURITY
Volume 51, Issue -, Pages 16-31Publisher
ELSEVIER ADVANCED TECHNOLOGY
DOI: 10.1016/j.cose.2015.02.007
Keywords
Android; Malware; Obfuscation; Evasion; DexGuard; Dalvik; Entry points; Signatures; Strings; Bytecode
Categories
Funding
- Regional Administration of Sardinia, Italy [CUP F71J11000690002]
- Sardinia Regional Government
Ask authors/readers for more resources
In order to effectively evade anti-malware solutions, Android malware authors are progressively resorting to automatic obfuscation strategies. Recent works have shown, on small-scale experiments, the possibility of evading anti-malware engines by applying simple obfuscation transformations on previously detected malware samples. In this paper, we provide a large-scale experiment in which the detection performances of a high number of anti-malware solutions are tested against two different sets of malware samples that have been obfuscated according to different strategies. Moreover, we show that anti-malware engines search for possible malicious content inside assets and entry-point classes. We also provide a temporal analysis of the detection performances of anti-malware engines to verify if their resilience has improved since 2013. Finally, we show how, by manipulating the area of the Android executable that contains the strings used by the application, it is possible to deceive anti-malware engines so that they will identify legitimate samples as malware. On one hand, the attained results show that anti-malware systems have improved their resilience against trivial obfuscation techniques. On the other hand, more complex changes to the application executable have proved to be still effective against detection. Thus, we claim that a deeper static (or dynamic) analysis of the application is needed to improve the robustness of such systems. (C) 2015 Elsevier Ltd. All rights reserved.
Authors
I am an author on this paper
Click your name to claim this paper and add it to your profile.
Reviews
Recommended
No Data Available