A group of academic researchers has created a tool that can be used to clone Android malware and test the resilience of these new variants against anti-malware detection.
Called DroidMorph, the tool allows cloning of both malicious and benign applications by making modifications at different levels of abstraction. Testing against 17 commercial anti-malware engines showed that half do not detect clones.
Implemented on top of the Suite Framework, the tool provides all the necessary functionality for the generation of Android bytecode as well as modifying and analyzing it. The tool decompiles the APK, does the morphing, and then recompiles the modified code and signs the APK.
Researchers from Adana Science and Technology University in Turkey and the National University of Science and Technology in Pakistan worked with a total of 848 samples belonging to seven Android malware families, namely AnserverBot, BaseBridge, DroidKungFu3, DroidKungFu4, DroidDream, DroidDreamLight, and Geinimi.
They used DroidMorph to generate a total of 1,771 variants of these malware families, and then tested them against the 17 anti-malware engines in VirusTotal to detect them. The results showed that 8 of them were not able to detect any morphed APK.
DroidMorph, Academics explains, implements morphing at three different levels of abstraction, namely body, class, and method. Of these, class Morphing had the lowest average detection rate, mainly because it has more variants than all Morphings.
The researchers also note that their tool enforces only basic trivial and non-trivial constraints and requires additional work to improve morphing at various levels and further reduce anti-malware detection rates. Morphing of the meta-information embedded in the APK will also be added.
“The number of Android malware clones is increasing and to stop this attack of clones we need to study how these clones are generated. We hope that future research will use DroidMorph for Android malware clone analysis and detection. to help improve and prevent them,” the researchers noted.
RELATED: Flaws in Apple Location Tracking System Could Lead to User Identity
RELATED: Research: Security agencies expose information via incorrectly sanitized PDFs
RELATED: Academics Will Attacks Target Email End-to-End Encryption