
DroidMorph: Are We Ready to Stop the Attack of Android Malware Clones?

Shahid Alam
Dept. of Computer Engineering
Adana Science and Technology University
Adana, Turkey
[email protected]

M. Zain ul Abideen and Shahzad Saleem
Dept. of Computing
National University of Science and Technology
Islamabad, Pakistan
{mabideen.msis18seecs,shahzad.saleem}@seecs.edu.pk
Abstract

The number of Android malware variants (clones) is on the rise, and to stop this attack of clones we need to develop new methods and techniques for analysing and detecting them. As a first step, we need to study how these malware clones are generated. This will help us better anticipate and recognize these clones. In this paper we present a new tool named DroidMorph, which provides morphing of Android applications (APKs) at different levels of abstraction and can be used to create Android application (malware/benign) clones. As a case study we test and evaluate the resilience of current commercial anti-malware products against the attack of Android malware clones generated by DroidMorph. We found that 8 out of 17 leading commercial anti-malware programs were not able to detect any of the morphed APKs. We hope that DroidMorph will be used in future research to improve Android malware clone analysis and detection, and help stop them.

Index Terms:
Android APK, Malware variant, Morphing, Obfuscation.

I Introduction

According to recent Symantec threat reports, Android continues to be the most targeted mobile platform: the number of new mobile malware attacks grew by 105% from 2015 to 2016 [1], and the number of newly discovered mobile malware variants (clones) grew by 54% from 2016 to 2017 [2]. In addition to these simple attacks of clones, there are also Android malware clones of clones, i.e., clones of a malware family which is itself a clone. For example, DroidKungFu1, DroidKungFu2, DroidKungFu3 and DroidKungFu4 are 4 different families derived from the original Android DroidKungFu malware, and each of these 4 families has its own clones (variants) [3]. According to the McAfee threat report, the number of malware families found in Google Play increased by 30% in 2017 [4].

Malware writers use stealthy mutations (morphing/obfuscations) to continuously develop malware clones, thwarting detection by signature-based detectors. This attack of clones seriously threatens all mobile platforms, especially Android. In the rest of the paper we use the terms variants and clones interchangeably.

As mentioned before, the number of Android malware clones is on the rise, and to stop this attack we need to develop new methods and techniques for analysing and detecting them. As a first step, we need to study how these malware clones are generated. This will help us better anticipate and recognize these clones. This is the main motivation for the research carried out in this paper.

In this paper, we present the design and development of an Android APK morphing tool, and use this tool to evaluate the resilience of current commercial anti-malware products against the attack of Android malware clones. This work also complements previous works of the same kind [5, 6, 7, 8].

The contributions of this work are as follows:

  • Designing and developing a morphing tool named DroidMorph, which provides morphing of Android applications (APKs) at different levels of abstraction and can be used to create Android application (malware/benign) clones.

  • Testing and evaluating the resilience of current commercial anti-malware products against the attack of Android malware clones generated by DroidMorph. We found that 8 out of 17 leading commercial anti-malware programs were not able to detect any of the morphed APKs.

The remainder of this paper is organized as follows. We present related work in Section II. A brief overview of DroidMorph is presented in Section III. Section IV presents the evaluation of DroidMorph by testing current commercial anti-malware products against the attack of Android malware clones generated by DroidMorph. Section V concludes the paper.

II Related Work and Comparison

In this section, we briefly compare DroidMorph with four previous works that have evaluated the resilience of commercial anti-malware products.

Faruki et al. [5] evaluated anti-malware products against control, data and layout transformations. Anti-malware programs were then evaluated against different permutations of these three transformations. They found that top-rated anti-malware programs are vulnerable to permutations of these transformations.

Rastogi et al. [6] evaluated anti-malware products against a combination of trivial and non-trivial obfuscations. They tested 10 anti-malware programs. Repeated transformations were used to defeat the anti-malware programs.

Zheng et al. [7] evaluated anti-malware products against some of the non-trivial obfuscations. They collected 222 Android malware samples from the wild. These samples were then transformed and tested on VirusTotal [9] against different anti-malware programs. They reported that one of the anti-malware programs tested (AntiY AVL) performed better than the others.

Protsenko et al. [8] evaluated anti-malware products against data and object-oriented design obfuscations. They tested 10 popular anti-malware programs and found deficiencies in most of them. They also compared and presented the shortcomings of a state-of-the-art static similarity tool.

All four of these works implemented prototype tools to create variants (morphs) of known malware in order to test and evaluate commercial anti-malware products. The main differences between DroidMorph and these four works are as follows.

  • DroidMorph is implemented on top of the Soot Framework [10], whereas [5, 6, 7] use third-party tools for assembling and disassembling, and another set of tools for morphing. This dependency on a set of third-party tools may make their [5, 6, 7] implementations unstable, inflexible, and incompatible with APKs built for different Android OS versions. Soot provides all the necessary functionality for analysis, modification, and generation of Android/Java bytecode and is compatible with APKs from different Android OS versions.

  • Unlike [8], DroidMorph provides direct support for analysis, modification, and generation of Android (Dalvik) bytecode.

  • Besides providing non-trivial and trivial obfuscations, DroidMorph also provides morphing of Android APKs at different levels of abstraction.

III Brief Overview of DroidMorph

Figure 1 provides a high-level architectural overview of DroidMorph. We first decompile an Android APK to an intermediate form. Morphing is carried out on this intermediate form at different levels of abstraction. The morphed intermediate form is then compiled to a morphed Android APK. This APK is then signed to produce the final morphed and signed Android APK, which is ready to run on the Android platform.

[Figure 1 image omitted]
Figure 1: Architectural Overview of DroidMorph

The current design of DroidMorph implements morphing at three levels of abstraction: Class, Method and Body. The implementation of trivial and non-trivial obfuscations is work in progress. So far, as trivial obfuscations we have implemented morphing of Class and Method names, and as non-trivial obfuscations we have implemented morphing of the Control Flow Graph and the Call Flow Graph.
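The following is an added example, not code from the DroidMorph paper or tool, illustrating from the detector's side why the trivial (name-level) and body-level morphing described above affect signature-based detection differently. It works on a small constructed smali-style listing with hypothetical class and method names, applies class and method renaming and a toy body change (inserting a nop), and compares two signature schemes: an exact hash of the listing, and a name-agnostic hash of the opcode sequence. The function names and the listing are this example's own assumptions.

```python
"""Added example (not part of DroidMorph): name morphing vs. body morphing
against an exact-hash signature and an opcode-sequence signature."""
import hashlib
import re
from typing import Dict, Iterable, Set, Callable

# Constructed smali-style listing with hypothetical names (not a real sample).
SAMPLE_SMALI = """\
.class public Lcom/example/Payload;
.method public run()V
    invoke-static {}, Lcom/example/Payload;->collect()Ljava/lang/String;
    move-result-object v0
    invoke-virtual {p0, v0}, Lcom/example/Payload;->send(Ljava/lang/String;)V
    return-void
.end method
.method private static collect()Ljava/lang/String;
    const-string v0, "id"
    return-object v0
.end method
"""


def rename_classes(smali: str, mapping: Dict[str, str]) -> str:
    """Class-level name morphing: rewrite every descriptor Lold; as Lnew;."""
    out = smali
    for old, new in mapping.items():
        out = out.replace(f"L{old};", f"L{new};")
    return out


def rename_methods(smali: str, mapping: Dict[str, str]) -> str:
    """Method-level name morphing: rewrite declarations and call sites.
    A method name is matched only when it is directly followed by '(' and
    not preceded by an identifier character or '/'."""
    out = smali
    for old, new in mapping.items():
        out = re.sub(rf"(?<![\w/]){re.escape(old)}\(", f"{new}(", out)
    return out


def insert_nops(smali: str) -> str:
    """Toy body-level morphing: add a nop before every return instruction.
    This changes the instruction sequence without changing behaviour."""
    lines = []
    for line in smali.splitlines():
        if line.strip().startswith("return"):
            lines.append("    nop")
        lines.append(line)
    return "\n".join(lines) + "\n"


def exact_signature(smali: str) -> str:
    """Naive signature: hash of the whole listing, names included."""
    return hashlib.sha256(smali.encode()).hexdigest()


def opcode_signature(smali: str) -> str:
    """Name-agnostic signature: hash of the opcode mnemonics in order,
    ignoring directives (.class/.method), registers, names and literals."""
    opcodes = [ln.strip().split()[0] for ln in smali.splitlines()
               if ln.strip() and not ln.strip().startswith(".")]
    return hashlib.sha256(" ".join(opcodes).encode()).hexdigest()


def build_db(samples: Iterable[str], sig_fn: Callable[[str], str]) -> Set[str]:
    """A signature database is just the set of signatures of known samples."""
    return {sig_fn(s) for s in samples}


def detects(db: Set[str], sample: str, sig_fn: Callable[[str], str]) -> bool:
    return sig_fn(sample) in db


def run_demo() -> Dict[str, bool]:
    """Build both databases from the original sample, then test the morphs."""
    db_exact = build_db([SAMPLE_SMALI], exact_signature)
    db_opcode = build_db([SAMPLE_SMALI], opcode_signature)
    name_morphed = rename_methods(
        rename_classes(SAMPLE_SMALI, {"com/example/Payload": "a/b/C"}),
        {"run": "a", "collect": "b", "send": "c"})
    body_morphed = insert_nops(name_morphed)
    return {
        # renaming alone defeats the exact hash ...
        "exact_on_name_morph": detects(db_exact, name_morphed, exact_signature),
        # ... but not a signature that ignores names
        "opcode_on_name_morph": detects(db_opcode, name_morphed, opcode_signature),
        # body-level morphing defeats the opcode-sequence signature as well
        "opcode_on_body_morph": detects(db_opcode, body_morphed, opcode_signature),
    }


if __name__ == "__main__":
    for name, hit in run_demo().items():
        print(f"{name}: {'detected' if hit else 'missed'}")
```

The point for a detector author is that each level of abstraction the tool morphs at invalidates a different class of signature: name-level morphing only breaks signatures that include identifiers, whereas body-level changes require features that abstract over the instruction sequence (for example control-flow or call-graph structure, or behavioural features), which is why the paper's Table III reports different detection rates per morphing level.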

TABLE I: Class distribution of the 848 Android malware samples
Class/family Number of samples
AnserverBot 187
BaseBridge 122
DroidKungFu3 309
DroidKungFu4 96
DroidDream 16
DroidDreamLight 46
Geinimi 69

IV Experimental Evaluation

We carried out an empirical study to analyse the correctness and effectiveness of DroidMorph. In this section we present the empirical study, the results obtained and their analysis.

IV-A Dataset

Our dataset for the experiments consists of 848 Android malware programs collected from two different sources [3, 11]. Table I shows the distribution of these malware samples. The dataset contains a variety of samples from different families.

TABLE II: Distribution of 1771 malware variants generated by DroidMorph.

Class/family      Number of variants generated for each level of abstraction
                  Class morphing    Method morphing    Body morphing    All morphing
AnserverBot       2                 182                171              2
BaseBridge        1                 117                73               1
DroidKungFu3      63                291                281              59
DroidKungFu4      21                91                 95               19
DroidDream        0                 16                 15               0
DroidDreamLight   0                 44                 44               0
Geinimi           3                 66                 48               3
TABLE III: Detection results of the 17 commercial anti-malware programs tested with the 1771 variants of 7 malware families generated by DroidMorph listed in Table II

Anti-malware             Detection Rate (%)
                         Class morphing    Method morphing    Body morphing    All morphing
AVG                      95                100                100              100
BitDefender              100               100                100              100
LineSecurity             0                 0                  0                0
Kaspersky                100               100                100              100
Sophos                   100               100                100              100
MaxSecurity              0                 100                8                0
DrWeb                    95                100                95               100
ESET                     83.3              100                100              100
DUSecurityLabs           0                 0                  0                0
VIPRE                    100               100                100              100
AntivirusPro             0                 0                  17               0
360Security              0                 0                  0                0
McAfee                   100               100                100              100
SecuritySystems          0                 0                  0                0
GoSecurity               0                 0                  0                0
LAAntivirusLab           0                 0                  0                0
Malwarebytes             100               100                100              100
Average Detection Rate   51.4              58.8               54.1             52.9

IV-B Evaluation

We used DroidMorph to generate variants of each malware family listed in Table I. The distribution of these generated malware variants is shown in Table II. Randomly selected malware variants were tested for their correctness by running them on an Android phone.

We used VirusTotal [9] and selected 17 anti-malware programs for our empirical study. These anti-malware programs were then used to detect the malware variants generated by DroidMorph listed in Table II. The results are shown in Table III. They show that 8 out of 17 anti-malware programs were not able to detect any of the morphed APKs. Different anti-malware programs use different detection techniques, such as signature-based, static and behavior-based detection, which rely on different signature and/or anomaly databases.

The results show that DroidMorph successfully bypassed 8 of the anti-malware programs used. The average detection rate for class morphing was better (i.e., lower) than for all morphing. This is because class morphing produced more variants (Table II) than all morphing. It is possible that the anti-malware programs detected fewer of the DroidKungFu3 and DroidKungFu4 variants at the class level than at the all level. To make an exact comparison we would need to use an equal number of variants from the same families; this needs more investigation. Research on DroidMorph is a work in progress; in future, more work needs to be done on class-level morphing, which will also increase the morphing at the all level and thereby the effectiveness of DroidMorph.

V Conclusion

The number of Android malware clones is on the rise, and to stop this attack of clones we need to study how these clones are generated. As a first step, in this paper we have presented a new tool named DroidMorph, which provides morphing of Android applications (APKs) at different levels of abstraction. We used DroidMorph to generate Android malware clones to evaluate commercial anti-malware products and found that 8 out of 17 leading commercial anti-malware programs were not able to detect the morphed APKs. We hope that DroidMorph will be used in future research to improve Android malware clone analysis and detection, and help stop them.

In DroidMorph, we have so far implemented only some basic trivial and non-trivial obfuscations (morphing). Implementation of other obfuscations is work in progress and will further improve the results (i.e., reduce detection by anti-malware programs). In future, we will further improve morphing at the different levels, specifically class-level morphing. We will also add morphing of the meta information (permissions etc.) embedded in an APK, which will further reduce detection by anti-malware programs.

References

  • [1] Symantec security threat report, © Symantec Corporation 2017.
  • [2] Symantec security threat report, © Symantec Corporation 2018.
  • [3] Y. Zhou and X. Jiang, “Dissecting Android malware: Characterization and evolution,” in Security and Privacy. IEEE, 2012, pp. 95–109.
  • [4] McAfee mobile threat report Q1, © McAfee Corporation 2017.
  • [5] P. Faruki, A. Bharmal, V. Laxmi, M. Gaur, M. Conti, and M. Rajarajan, “Evaluation of Android Anti-malware Techniques against Dalvik Bytecode Obfuscation,” in TrustCom, 2014, pp. 414–421.
  • [6] V. Rastogi, Y. Chen, X. Jiang et al., “Catch me if you can: Evaluating Android anti-malware against transformation attacks,” IEEE Trans. Information Forensics and Security, vol. 9, no. 1, pp. 99–108, 2014.
  • [7] M. Zheng, P. P. Lee, and J. C. Lui, “ADAM: an automatic and extensible platform to stress test Android anti-virus systems,” in DIMVA. Springer, 2012, pp. 82–101.
  • [8] M. Protsenko and T. Muller, “Pandora applies non-deterministic obfuscation randomly to Android,” in Malicious and Unwanted Software: “The Americas” (MALWARE), 2013 8th International Conference on. IEEE, 2013, pp. 59–67.
  • [9] VirusTotal, The aggregated antivirus scanning engine, https://www.virustotal.com, 2024.
  • [10] R. Vallée-Rai, P. Co, E. Gagnon, L. Hendren, P. Lam, and V. Sundaresan, “Soot - a Java bytecode optimization framework,” in Proceedings of the 1999 Conference of the Centre for Advanced Studies on Collaborative Research, ser. CASCON ’99. IBM Press, 1999, pp. 13–24.
  • [11] M. Parkour, Mobile Malware Dump, http://contagiominidump.blogspot.com, 2024.