Android virus scanners are easily fooled
Researchers at Northwestern University and North Carolina State University have discovered
that anti-virus programs for Android can usually be bypassed using trivial means. The researchers developed DroidChameleon, a tool that can modify known malware apps in numerous ways to prevent them from being detected.
Most of the ten scanners they tested mainly performed signature-based analyses. In some cases, simply changing the package name in the metadata was enough for virus scanners to consider the malware harmless. Several scanners could be fooled by unpacking the malware and then creating new installation packages. In other cases, the researchers were successful after encrypting parts of the app or redirecting function calls.
Their conclusion is unambiguous: all ten anti-virus programs could be fooled in one way or another. Many of the methods the researchers used have long been common practice with Windows malware, and some have even been used for deploying Android malware in the past. Tested scanners included anti-virus programs from AVG, Dr. Web, ESET, ESTSoft, Kaspersky, Lookout, Symantec, Trend Micro, Webroot and Zoner.
However, the researchers were also able to provide some positive news: during the test period from February 2012 to February 2013, the candidates improved steadily. While the scanners initially missed 45% of trivially modified malware samples in total, a year later, they only missed 16%; the researchers attribute this to the increased use of content-based matching.
The researchers' findings are a further reason for users to not allow the installation of apps from untrusted sources, also called sideloading, in the first place. The majority of malicious programs are to be found in areas outside of the official Google Play download catalogue – in peer-to-peer exchanges, forums, and alternative app portals. As Google at least superficially checks apps before adding them to the store, and will remove them quickly in case of complaints, Google Play users are currently still sailing in relatively calm waters.
(sno)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
