2Faces: a new model of malware based on dynamic compiling and reflection

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

Nowadays malware writers are continually striving to find new ways to evade antimalware checks. To do this, they exploit a weakness of current antimalware: it is unable to detect zero-day threats, because in order to detect malicious behavior it needs to know the threat's signature, which must already be stored in its database; in other words, a malware must already be widespread before it can be recognized. In this paper we propose a novel malware model with the aim of promoting the development of innovative malware detection paradigms. The proposed model is based on the combination of the following mechanisms: dynamic compiling, reflection and dynamic loading, used to combine a series of source code snippets into a running application and to dynamically alter the normal flow of program execution. We implemented the proposed malware model in the 2Faces Android application. We also show that current antimalware technologies are not able to identify the proposed malware model, and we discuss the countermeasures that can be adopted to detect the 2Faces malware.


Notes

  1. https://securelist.com/it-threat-evolution-q2-2020-mobile-statistics/98337/.

  2. https://www.javassist.org/.

  3. https://github.com/RedHitMark/2faces-android.

  4. https://github.com/RedHitMark/2faces-backend.

  5. https://github.com/RedHitMark/2faces-panel.

  6. https://www.av-test.org/en/.


Acknowledgements

This work has been partially supported by MIUR - SecureOpenNets, EU SPARTA, CyberSANE and E-CORRIDOR projects.


Corresponding author

Correspondence to Rosangela Casolare.


Appendix

This section lists the source code snippets related to the implementation of the proposed malware model.

[Figures a to j: ten source code listings, provided as images in the published article and not reproduced here.]


Cite this article

Casolare, R., Lacava, G., Martinelli, F. et al. 2Faces: a new model of malware based on dynamic compiling and reflection. J Comput Virol Hack Tech 18, 215–230 (2022). https://doi.org/10.1007/s11416-021-00409-8
