Samir Mody, K7 Computing
Many Android malware scanners, including Google's own built-in one, rely heavily on checksum-based signatures, cloud look-ups and simple generic patterns to detect malicious apps. Simple pattern-matching is effective today because the obfuscation techniques currently used by Android malware authors are primitive: typically the metadata constituents of the self-signed, ZIP-based APK archive are modified to change its hash, while the app's functionality, and hence its core binaries, remain unchanged.
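The hash-changing trick described above, shown as an added example rather than code from the paper: the script builds a minimal APK-shaped ZIP around a constructed stand-in for classes.dex, produces a "repackaged" variant that differs only in its META-INF metadata, entry timestamps and archive comment, and shows that the whole-file SHA-256 changes while a hash of the classes.dex entry does not. The file names and contents are constructed for illustration, and the stand-in dex is not a valid Dalvik executable.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for classes.dex. A real dex starts with the "dex\n035\0"
# magic, but nothing here parses it, so the payload is just a labelled blob.
FAKE_DEX = b"dex\n035\x00" + b"constructed-stand-in-for-dalvik-bytecode" * 4


def build_apk(dex, manifest_text, stamp, comment):
    """Return the bytes of a minimal APK-shaped ZIP: manifest, dex, META-INF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in (
            ("AndroidManifest.xml", b"<manifest/>"),  # placeholder, not binary XML
            ("classes.dex", dex),
            ("META-INF/MANIFEST.MF", manifest_text.encode()),
        ):
            zi = zipfile.ZipInfo(name, date_time=stamp)
            zi.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(zi, data)
        z.comment = comment  # written into the end-of-central-directory record
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def dex_hash(apk_bytes):
    """Hash only the classes.dex entry, i.e. the code a scanner actually cares about."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return sha256(z.read("classes.dex"))


def demo():
    original = build_apk(FAKE_DEX, "Manifest-Version: 1.0\nCreated-By: 1.0\n",
                         (2013, 6, 1, 12, 0, 0), b"")
    # "Repackaged" variant: identical code, but re-signed metadata, new entry
    # timestamps and an archive comment. Any one of these alone moves the file hash.
    variant = build_apk(FAKE_DEX, "Manifest-Version: 1.0\nCreated-By: 1.1\n",
                        (2013, 6, 2, 12, 0, 0), b"junk")
    return {
        "file_hashes_differ": sha256(original) != sha256(variant),
        "dex_hashes_equal": dex_hash(original) == dex_hash(variant),
    }


if __name__ == "__main__":
    print(demo())
```

A whole-file checksum signature written for the first sample misses the second, whereas a signature keyed on the hash of the classes.dex entry (or on patterns inside it) survives this kind of repackaging; a real repackaging also replaces the META-INF/CERT.* files, since the attacker has to re-sign with their own key, which changes the file hash just the same.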
However, Android malware authors have shown a tendency to follow the Windows malware model, only over a significantly shorter timeframe. As the volume of Android malware grows and more anti-virus vendors provide protection against it, it is to be expected that Android malware, like its Windows counterpart, will begin to exhibit more sophisticated detection-evasion and anti-reversing functionality. Today's Windows malware is dominated by obfuscation and packing, which sets the tone for tomorrow's Android malware. Indeed, the legitimate obfuscation tool ProGuard from android.com already obscures class and method names in Android apps.
Nevertheless, it is obfuscation of the code itself, rather than mere renaming, which would complicate the detection strategy for Android malware, especially given the memory-footprint limitations of on-device scanning. Code obfuscation in malicious apps or PUAs is not only possible, it is inevitable, Google Play restrictions notwithstanding. The Dalvik executable (.dex) byte-code instruction set supports registers, arithmetic operators and even nops, thus providing scope for the insertion of junk polymorphic instructions and for metamorphism.
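Junk insertion into Dalvik code, as an added example and not code from the paper: the script encodes a four-instruction method body in genuine Dalvik code units (const/4, add-int/2addr and return; 16-bit little-endian units with the opcode in the low byte), inserts semantically neutral junk (nop, and move vX, vX) between the instructions so that a raw byte signature no longer matches, then normalizes the junk away so that the same signature matches again. The method body and the choice of junk are constructed for illustration, and the toy assumes every instruction occupies a single code unit, which holds for the opcodes used here but not for Dalvik in general.

```python
import random

# Dalvik opcodes (low byte of the first 16-bit code unit), little-endian units.
NOP = 0x00            # format 10x:  00|op
MOVE = 0x01           # format 12x:  B|A|op   (move vA, vB)
CONST4 = 0x12         # format 11n:  B|A|op   (const/4 vA, #+B)
RETURN = 0x0f         # format 11x:  AA|op    (return vAA)
ADD_INT_2ADDR = 0xb0  # format 12x:  B|A|op   (add-int/2addr vA, vB)


def unit(op, hi=0):
    """Encode one 16-bit code unit: opcode in the low byte, operand byte above it."""
    return bytes((op, hi & 0xff))


def enc12(op, a, b):
    """Formats 11n/12x: B (register or literal) in the high nibble, A in the low."""
    return unit(op, (b << 4) | a)


# Constructed method body, roughly "v0 = 2; v1 = 3; v0 += v1; return v0".
CLEAN = b"".join([
    enc12(CONST4, 0, 2),
    enc12(CONST4, 1, 3),
    enc12(ADD_INT_2ADDR, 0, 1),
    unit(RETURN, 0),
])


def junk_unit(rng):
    """Semantically neutral junk: a nop, or a register moved onto itself."""
    reg = rng.randrange(2)
    return unit(NOP) if rng.random() < 0.5 else enc12(MOVE, reg, reg)


def insert_junk(code, seed, density=2):
    """Return a 'polymorphic' variant with 1..density junk units before each instruction.

    Toy assumption: every instruction in `code` is exactly one code unit. A real
    tool would decode each instruction's length before splitting the stream.
    """
    rng = random.Random(seed)
    out = []
    for i in range(0, len(code), 2):
        for _ in range(rng.randrange(1, density + 1)):
            out.append(junk_unit(rng))
        out.append(code[i:i + 2])
    return b"".join(out)


def normalize(code):
    """Strip the neutral junk so that a signature over clean code matches again."""
    kept = []
    for i in range(0, len(code), 2):
        op, hi = code[i], code[i + 1]
        if op == NOP:
            continue
        if op == MOVE and (hi >> 4) == (hi & 0xf):   # move vX, vX
            continue
        kept.append(code[i:i + 2])
    return b"".join(kept)


def raw_match(code, signature):
    """Plain byte-pattern signature, the kind junk insertion is meant to defeat."""
    return signature in code


def normalized_match(code, signature):
    """Same signature applied after normalizing both sides."""
    return normalize(signature) in normalize(code)


if __name__ == "__main__":
    variant = insert_junk(CLEAN, seed=7)
    print("clean    :", CLEAN.hex())
    print("variant  :", variant.hex())
    print("raw match:", raw_match(variant, CLEAN),
          " normalized match:", normalized_match(variant, CLEAN))
```

Every seed yields a different byte string with identical behaviour, which is exactly what a polymorphic engine does; the normalizer costs a single pass over the code units and no extra memory beyond the output buffer, which is the kind of trade-off an on-device scanner has to make. Junk that is not obviously neutral (arithmetic on a dead register, for instance) needs data-flow analysis rather than this simple filter.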
This paper analyses the methods of obfuscation currently used by Android malware authors, and presents examples of .dex byte-code and data obfuscation techniques which are likely to be abused in the future. Let us understand the scope of tomorrow's attack.
VB2013 takes place 2-4 October 2013 in Berlin, Germany.
The full programme for VB2013, including abstracts for each paper, can be viewed here.