Using image similarity algorithms on application icons to discover new malware families on multiple platforms

Friday 26 September 09:30 - 10:00, Green room.

Martin Smarda AVAST Software
Pavel Sramek AVAST Software

  download slides (PDF)

The concept of an application icon is common for all of today's consumer-oriented computing platforms, desktop and mobile alike. Icons are being abused by malware authors attempting to take advantage of the simplest infection vector possible: impersonating something else and convincing the user to execute a malicious program. The fraudulent icons may be resized, they may have a few pixels changed on purpose, and there are usually multiple historical versions of any given icon - which makes icons problematic as a heuristic indicator.

We have developed a method that overcomes this problem by using overall visual similarity to identify potential malware. Applying an algorithm based on frequency transformation to the icons, our tool is able to place those with common traits close together. This is performed on a large scale with popular icons and a stream of fresh samples and allows us to separate suspicious ones from the rest. The result a powerful heuristic tool for uncovering big social engineering campaigns as well as offbeat samples that would likely otherwise be missed. And thanks to the icon concept being so ubiquitous, the process can be applied to Windows malware which usually mimics documents as well as the rising Android threats and their tendency to repackage popular applications with malicious code added.

Click here for more details about the conference.

Martin Smarda

Martin Smarda

Martin Smarda is a member of AVAST Software's Virus Lab, where he has worked as a malware analyst since the spring of 2012. A year after joining AVAST he graduated with honors and received his Master's degree in systems programming from the Czech Technical University in Prague. He loves low-level programming and understanding how things work inside. Therefore he strives for new experiences and knowledge from many different fields. Currently, his primary focus is on fighting Windows malware and on developing tools for automating it. His life outside the world of computers consists of working for his family's farm, riding horses and educating people in an environment-friendly lifestyle.

Pavel Sramek

Pavel Sramek

Pavel Sramek joined AVAST Software's Virus Lab as a malware analyst in early 2012 and received his Master's degree in systems programming (graduating with honours) from the Czech Technical University in Prague the following year. During his studies, he was always fascinated by the magic of low-level programming, which quickly grew into an interest in reverse engineering. Although dealing mostly with Windows malware, he prefers a versatile approach to his work, mixing reversing with writing custom automation tools and never focusing at one particular area for too long. When not sitting in front of a computer monitor, he enjoys traveling around the world, photography and alpine skiing.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.