Testing android malware detectors against code obfuscation: a systematization of knowledge and unified methodology

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

The authors of mobile malware have started to leverage program-protection techniques to circumvent anti-virus products, or simply to hinder reverse engineering. In response to the diffusion of anti-virus applications, several researchers have proposed a plethora of analyses and approaches that highlight the limitations of these applications when malware authors employ program-protection techniques. An important contribution of this work is a systematization of the state of the art on anti-virus apps, comparing the existing approaches and providing a detailed analysis of their pros and cons. As a result of our systematization, we notice a lack of openness and reproducibility, which in our opinion are crucial for any analysis methodology. Following this observation, the second contribution of this work is an open, reproducible, rigorous methodology to assess the effectiveness of mobile anti-virus tools against code-transformation attacks. Our unified workflow, released as an open-source prototype, comprises a comprehensive set of obfuscation operators. It is intended to be used by anti-virus developers and vendors to test the resilience of their products against a large dataset of malware samples and obfuscations, and to obtain insights on how to improve their products against particular classes of code-transformation attacks.



Author information

Correspondence to Federico Maggi.

Appendix

Table 4 Detection rates of obfuscated malware samples

Cite this article

Preda, M.D., Maggi, F. Testing android malware detectors against code obfuscation: a systematization of knowledge and unified methodology. J Comput Virol Hack Tech 13, 209–232 (2017). https://doi.org/10.1007/s11416-016-0282-2
