Testing Android malware detectors against code obfuscation: a systematization of knowledge and unified methodology

The authors of mobile malware have started to leverage program-protection techniques to circumvent anti-virus software, or simply to hinder reverse engineering. In response to the diffusion of anti-virus applications, several researchers have proposed a plethora of analyses and approaches that highlight their limitations when malware authors employ program-protection techniques. An important contribution of this work is a systematization of the state of the art in evaluating anti-virus apps, comparing the existing approaches and providing a detailed analysis of their pros and cons. As a result of our systematization, we notice a lack of openness and reproducibility, which in our opinion are crucial for any analysis methodology. Following this observation, the second contribution of this work is an open, reproducible, rigorous methodology to assess the effectiveness of mobile anti-virus tools against code-transformation attacks. Our unified workflow, released in the form of an open-source prototype, comprises a comprehensive set of obfuscation operators. It is intended to be used by anti-virus developers and vendors to test the resilience of their products against a large dataset of malware samples and obfuscations, and to obtain insights into how to improve their products with respect to particular classes of code-transformation attacks.
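The workflow described above (a set of behaviour-preserving obfuscation operators, applied to malware samples and then run against a detector, with per-operator detection rates as the output) can be sketched in a few dozen lines. The following is an added illustration, not the authors' prototype or any real anti-virus: the smali-like sample, the signature rules, the three operators and the hypothetical runtime decoder class `Lobf/Dec;->d` are all constructed for this example. The point it makes is the one the abstract raises: which signatures survive which transformation is only meaningful if the harness, the operators and the samples are fixed and reproducible.

```python
import base64
import hashlib
import re

# Constructed toy sample in a smali-like syntax; not a real malware sample.
# It models the classic "premium SMS" behaviour: send a text to a hard-coded short number.
SAMPLE = """\
.class public Lcom/evil/Payload;
.super Ljava/lang/Object;
.method public run()V
    const-string v0, "7755"
    const-string v1, "PAY"
    const/4 v3, 0x0
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v2
    invoke-virtual {v2, v0, v3, v1, v3, v3}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
"""

# Toy signature-based detector (stand-in for a real anti-virus): a rule fires when
# all of its patterns match. Real signatures are richer, but the failure mode is the same.
RULES = {
    "premium_sms_class": [r"Lcom/evil/Payload;"],
    "premium_sms_behaviour": [r'const-string v\d+, "7755"', r"SmsManager;->sendTextMessage"],
}

def detect(code):
    """Return the names of the rules that match the (possibly obfuscated) sample."""
    return [name for name, pats in RULES.items() if all(re.search(p, code) for p in pats)]

# --- obfuscation operators: text -> text, each meant to preserve the sample's behaviour ---

def rename_identifiers(code):
    """Rename app-owned classes (package com/evil) to hashed names; framework classes stay."""
    def repl(m):
        return "La/" + hashlib.sha1(m.group(1).encode()).hexdigest()[:8] + ";"
    return re.sub(r"L(com/evil/[A-Za-z0-9_/$]+);", repl, code)

def encode_strings(code):
    """Replace each string literal with its base64 form plus a call to a runtime decoder.
    Lobf/Dec;->d is a hypothetical decoder class the obfuscator would add to the app."""
    def repl(m):
        reg, literal = m.group(1), m.group(2)
        enc = base64.b64encode(literal.encode()).decode()
        return (f'const-string {reg}, "{enc}"\n'
                f"    invoke-static {{{reg}}}, Lobf/Dec;->d(Ljava/lang/String;)Ljava/lang/String;\n"
                f"    move-result-object {reg}")
    return re.sub(r'const-string (v\d+), "([^"]*)"', repl, code)

def insert_junk(code):
    """Insert a nop before every invoke: changes layout and file hashes, not behaviour."""
    return re.sub(r"^([ \t]+)(invoke-)", r"\1nop\n\1\2", code, flags=re.M)

OPERATORS = {"rename": rename_identifiers, "strenc": encode_strings, "junk": insert_junk}

def compose(*names):
    """Chain operators by name, applied left to right (order matters for real obfuscators too)."""
    def run(code):
        for n in names:
            code = OPERATORS[n](code)
        return code
    return run

def well_formed(code):
    """Cheap structural sanity check; a real workflow would rebuild and execute the APK."""
    return code.count(".class") == 1 and code.count(".method") == code.count(".end method")

def build_configs():
    configs = {"none": lambda c: c}
    configs.update(OPERATORS)
    configs["rename+strenc"] = compose("rename", "strenc")
    configs["all"] = compose("rename", "strenc", "junk")
    return configs

def evaluate(samples, configs):
    """Return {config: {sample_id: True (detected) / False (evaded) / None (sample broken)}}."""
    results = {}
    for cname, transform in configs.items():
        row = {}
        for sid, code in samples.items():
            obf = transform(code)
            row[sid] = bool(detect(obf)) if well_formed(obf) else None
        results[cname] = row
    return results

def detection_rate(results):
    """Fraction of still-valid samples detected under each configuration."""
    rates = {}
    for cname, row in results.items():
        valid = [v for v in row.values() if v is not None]
        rates[cname] = sum(valid) / len(valid) if valid else float("nan")
    return rates

if __name__ == "__main__":
    res = evaluate({"toy_sms": SAMPLE}, build_configs())
    for cname, rate in detection_rate(res).items():
        print(f"{cname:14s} detection rate {rate:.0%}")
```

Run on its own, the table shows the pattern the abstract describes: each single operator defeats one of the two toy rules but not the other, and only the composition of identifier renaming and string encoding evades both, while junk insertion evades nothing because neither rule depends on layout. Two details matter for reproducibility: the renaming is keyed on a hash of the original name rather than a random value, so two runs produce the same obfuscated sample, and samples a transformation breaks are recorded as `None` and excluded from the rate instead of being silently counted as evasions. In a real pipeline `well_formed` would be replaced by repackaging, signing and executing the app, since an obfuscated sample that no longer runs tells you nothing about the detector.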
