Evaluating malwares obfuscation techniques against antimalware detection algorithms

Francesco Mercaldo*, Corrado Aaron Visaggio** (contact author)
*[email protected]  **[email protected]
March 2015

Technical Report © Department of Engineering - University of Sannio, Corso Garibaldi 107, 82100 Benevento, ITALY
A QUICK OVERVIEW

Every day more than 1 million new Android devices are activated worldwide [2], which has made Android the most widespread middleware for mobile platforms. Google Play, the primary marketplace for selling and distributing Android apps, reports 1.5 billion downloads a month. Everyone agrees that Android is a huge success, but can people be sure that the data stored on their Android devices is safe? That success has drawn ever-growing interest from Android malware writers. The main question this technical report poses is: are current signature-based detection algorithms effective in the mobile environment?

We developed a framework that applies a set of transformations to the smali code of Android applications. We transformed a real-world malware data set (Drebin, available at: http://user.informatik.uni-goettingen.de/~darp/drebin/) and submitted both the original and the transformed applications to www.virustotal.com [4], so that the verdicts for every sample could be compared before and after the transformation process. The result is striking: antimalware engines that recognized the original malware were, for the most part, no longer able to recognize the transformed version. The transformation engine is released to the scientific community under an open source license at the following url: https://github.com/faber03/AndroidMalwareEvaluatingTools
TRANSFORMATIONS

We developed a transformation engine for Android malware (available at: https://github.com/faber03/AndroidMalwareEvaluatingTools ), which follows the taxonomy of transformation attacks of Rastogi et al. [1] and consists of the following transformations:

1) Disassembling & Reassembling: This transformation relies on the apktool [3] representation of the items contained in the .dex file. The command "apktool d apkname" disassembles an application into several directories holding the original application resources (smali code, Android manifest, etc.); the command "apktool b apkDirectory" builds a new application from that representation. The rebuilt .dex is not byte-identical to the original, so signatures computed on a hash of the original file no longer match.

2) Repacking: Every Android application carries the developer's signature, which is lost once the application is disassembled and reassembled. We re-sign the rebuilt package with a new key using the signapk tool [5], which defeats detection signatures that match the developer key or a checksum of the entire application package.

3) Changing package name: This transformation replaces the application package name with a random string.

4) Identifier Renaming:
The goal of this transformation is to rename every identifier (class names, package names, method names, variable names, etc.). In this implementation the transformation changes the package name and the class identifiers in each smali file, using a random string generator, and rewrites the references to the renamed classes in the other classes so that every call still resolves.

[Figure: Android manifest, pre- and post-transformation]
[Figure: Class name, pre- and post-transformation]
[Figure: Class call and package name, pre- and post-transformation]
5) Data Encoding: Strings are commonly used to build signatures that identify malware. This transformation encodes every string literal with a Caesar cipher; the original string is restored at run time by a call to a smali function that knows the Caesar key.
That function was written as a Java class in an Android project, compiled, and then disassembled with apktool to obtain the smali that is inserted into the transformed application.

[Figure: string literal, pre- and post-transformation]
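The data-encoding step above, as an added example written for this page (it is not the code of the report's transformation engine): every `const-string` in a smali file is replaced by its Caesar-shifted literal followed by a static call that decodes it back into the same register at run time. The decoder descriptor `Lobf/StrDec;->dec(...)`, the shift over the 95 printable ASCII characters and the sample smali method are all assumptions made for the example; the report does not publish its key or class names.

```python
import re

# A string constant in smali, e.g.:  const-string v3, "http://c2.example/gate.php"
CONST_STRING = re.compile(
    r'^(?P<ind>\s*)const-string(?P<jumbo>/jumbo)? (?P<reg>[vp]\d+), "(?P<lit>(?:[^"\\]|\\.)*)"\s*$')

# Hypothetical decoder routine that the transformed app must carry (the report inserts a
# smali method obtained by disassembling a small Java class; the name is an assumption here).
DECODER = "Lobf/StrDec;->dec(Ljava/lang/String;)Ljava/lang/String;"

_UNESC = {"n": "\n", "r": "\r", "t": "\t", '"': '"', "\\": "\\"}

def smali_unescape(s):
    """Turn the escapes found inside a smali string literal back into characters
    (\\uXXXX escapes are left untouched)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in _UNESC:
            out.append(_UNESC[s[i + 1]])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def smali_escape(s):
    """Escape a runtime string so that it is a valid smali literal again."""
    return (s.replace("\\", "\\\\").replace('"', '\\"')
             .replace("\n", "\\n").replace("\r", "\\r").replace("\t", "\\t"))

def caesar(text, key):
    """Caesar shift over the 95 printable ASCII characters (0x20..0x7e); anything else
    passes through unchanged. Decoding is caesar(text, -key)."""
    return "".join(chr(0x20 + (ord(c) - 0x20 + key) % 95) if 0x20 <= ord(c) <= 0x7e else c
                   for c in text)

def encode_strings(smali, key):
    """Replace every const-string literal with its Caesar-encoded form, followed by a call
    that decodes it at run time into the same register."""
    out = []
    for line in smali.splitlines():
        m = CONST_STRING.match(line)
        if not m:
            out.append(line)
            continue
        ind, reg = m.group("ind"), m.group("reg")
        enc = smali_escape(caesar(smali_unescape(m.group("lit")), key))
        out.append(f'{ind}const-string{m.group("jumbo") or ""} {reg}, "{enc}"')
        # Non-range invokes can only name registers v0..v15, so use the /range form above that.
        # (pN registers alias vN+locals; resolving them needs .locals, which is not done here.)
        if reg[0] == "v" and int(reg[1:]) > 15:
            out.append(f"{ind}invoke-static/range {{{reg} .. {reg}}}, {DECODER}")
        else:
            out.append(f"{ind}invoke-static {{{reg}}}, {DECODER}")
        out.append(f"{ind}move-result-object {reg}")
    return "\n".join(out)

def literals(smali):
    """Unescaped const-string literals in order of appearance (used to verify a round trip)."""
    return [smali_unescape(m.group("lit")) for m in map(CONST_STRING.match, smali.splitlines()) if m]

# Constructed sample method (not taken from any real app): a C2 URL in a string constant.
SAMPLE = """\
.method private c2()Ljava/lang/String;
    .locals 1

    const-string v0, "http://c2.example/gate.php"

    return-object v0
.end method
"""

if __name__ == "__main__":
    print(encode_strings(SAMPLE, 3))
```

The escaping matters: with key 3 the literal `~` becomes `"`, which must be re-emitted as `\"` or the rebuilt dex will not assemble. The same `caesar` with a negative key is what the inserted decoder method has to compute on the device.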
6) Call indirections: This transformation modifies the application call graph. In the smali code every call is replaced by a call to a new method inserted by the transformation; the new method then invokes the original method, so the execution order is preserved. The transformation can be applied to every kind of call; in this implementation it is applied to every void smali method invoked with the "invoke-virtual" construct.

[Figure: call site, pre- and post-transformation]
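The call-indirection step above, as an added example written for this page (not the report's own engine code): each void `invoke-virtual` is redirected to a generated static trampoline that performs the original virtual call. The holder class `Lobf/Ind;`, the trampoline names `m0`, `m1`, ... and the sample method are assumptions; the descriptor parser is needed because `long`/`double` parameters occupy two registers, which decides the `.registers` count of each trampoline.

```python
import re

# A non-range or range invoke-virtual of a method returning void, e.g.
#   invoke-virtual {v0, v1}, Lcom/app/Net;->post(Ljava/lang/String;)V
INVOKE_VIRTUAL = re.compile(
    r'^(?P<ind>\s*)invoke-virtual(?P<rng>/range)? \{(?P<regs>[^}]*)\}, '
    r'(?P<cls>L[^;]+;)->(?P<name>[^(]+)\((?P<params>[^)]*)\)V\s*$')

# Hypothetical class that holds the generated trampolines (the report does not name its class).
TRAMPOLINE_CLASS = "Lobf/Ind;"

def param_widths(params):
    """Yield the register width (1 or 2) of each parameter in a Dalvik method descriptor:
    long (J) and double (D) occupy two registers, everything else one."""
    i = 0
    while i < len(params):
        c = params[i]
        if c == "[":                      # array: skip the '[' prefixes, then the element type
            while params[i] == "[":
                i += 1
            i = params.index(";", i) + 1 if params[i] == "L" else i + 1
            yield 1
        elif c == "L":                    # object type: up to and including ';'
            i = params.index(";", i) + 1
            yield 1
        else:                             # primitive
            i += 1
            yield 2 if c in "JD" else 1

def indirect_calls(smali):
    """Replace every void invoke-virtual with an invoke-static of a generated trampoline
    that performs the original virtual call. Returns (rewritten smali, trampoline class smali).
    Only public/protected virtual methods reachable from another class can be redirected this way;
    invoke-direct, invoke-super and invoke-interface are left alone."""
    out, trampolines, names = [], [], {}
    for line in smali.splitlines():
        m = INVOKE_VIRTUAL.match(line)
        if not m:
            out.append(line)
            continue
        cls, name, params = m.group("cls"), m.group("name"), m.group("params")
        key = (cls, name, params)
        if key not in names:
            names[key] = f"m{len(names)}"
            nregs = 1 + sum(param_widths(params))       # receiver + parameter registers
            # With .registers == nregs in a static method, p0..p{nregs-1} are exactly the
            # parameters; non-range invokes take at most 5 registers, so fall back to /range.
            pregs = ", ".join(f"p{i}" for i in range(nregs))
            if nregs <= 5:
                call = f"invoke-virtual {{{pregs}}}, {cls}->{name}({params})V"
            else:
                call = f"invoke-virtual/range {{p0 .. p{nregs - 1}}}, {cls}->{name}({params})V"
            trampolines.append("\n".join([
                f".method public static {names[key]}({cls}{params})V",
                f"    .registers {nregs}",
                f"    {call}",
                "    return-void",
                ".end method",
                "",
            ]))
        # The original argument registers are reused unchanged: the receiver becomes the
        # first parameter of the static trampoline, so the caller needs no extra registers.
        out.append(f"{m.group('ind')}invoke-static{m.group('rng') or ''} "
                   f"{{{m.group('regs')}}}, {TRAMPOLINE_CLASS}->{names[key]}({cls}{params})V")
    holder = "\n".join([f".class public final {TRAMPOLINE_CLASS}",
                        ".super Ljava/lang/Object;", ""] + trampolines)
    return "\n".join(out), holder

# Constructed sample method (not from any real app): two void calls and one non-void call.
SAMPLE = """\
.method public run()V
    .locals 5

    invoke-virtual {v0, v1}, Lcom/app/Net;->post(Ljava/lang/String;)V

    invoke-virtual {v0}, Lcom/app/Net;->body()Ljava/lang/String;

    move-result-object v1

    invoke-virtual {v2, v3, v4}, Lcom/app/Timer;->sleep(J)V

    return-void
.end method
"""

if __name__ == "__main__":
    rewritten, holder = indirect_calls(SAMPLE)
    print(rewritten)
    print(holder)
```

The rewritten file and the generated `obf/Ind.smali` are both fed to `apktool b`; the non-void `body()` call is untouched, matching the report's choice of redirecting only void virtual calls.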
7) Code Reordering: The aim of this transformation is to reorder the instructions of a smali method, inserting goto instructions so that the original execution order is preserved at run time. Every method is replaced by a new method in which each instruction is moved to a random index within the method body. The transformation is applied only to methods that contain no jump of any kind (if, switch, recursive calls).
[Figure: method body, pre- and post-transformation]
8) Junk Code Insertion: This transformation provides three different kinds of junk code insertion:

1) insertion of nop instructions into each method;
2) insertion of nop instructions and unconditional jumps into each method;
3) allocation of three additional registers on which garbage operations are performed.

[Figure: a smali method before inserting any junk code]
[Figure: the same method after nop insertion (Type 1)]
[Figure: a method with nop and unconditional jump instructions (Type 2)]
[Figure: the same method before and after junk code insertion of Type 3]

9) Composite Transformations: All the transformations combined.

Remark: the samples submitted to VirusTotal were transformed at level 9, i.e. with all the transformations applied.
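The three kinds of junk code insertion described above, as an added example written for this page (not the report's engine code). The one check a practitioner must not skip is where junk may go: a `move-result*` has to be the instruction immediately after its `invoke-*`/`filled-new-array`, and the payload lines of `.packed-switch`/`.array-data` are data, not instructions, so the function skips both. Register numbers, the constants used for the garbage arithmetic and the sample methods are assumptions.

```python
import re

LOCALS = re.compile(r'^(\s*)\.locals (\d+)\s*$')

def is_instruction(stripped):
    """True for a Dalvik instruction line; directives (.line, .local ...), labels (:cond_0)
    and comments are not instructions."""
    return bool(stripped) and not stripped.startswith((".", ":", "#"))

def insert_junk(smali, kind):
    """Junk code insertion on one smali file.
    kind 1: a nop after each instruction.
    kind 2: an unconditional jump over a pair of (dead) nops after each instruction.
    kind 3: three extra local registers per method, with garbage arithmetic on them.
    Assumptions: methods declare .locals (baksmali's default) and name parameters pN, so
    growing .locals does not change what existing instructions refer to, as long as no
    parameter used by a 4-bit instruction format is pushed above v15."""
    out, in_method, in_data, base, label = [], False, False, None, 0
    for line in smali.splitlines():
        s = line.strip()
        if s.startswith(".method"):
            in_method, base = True, None
        elif s.startswith(".end method"):
            in_method = False
        elif s.startswith((".packed-switch", ".sparse-switch", ".array-data")):
            in_data = True                       # table payloads are data, not instructions
        elif s.startswith((".end packed-switch", ".end sparse-switch", ".end array-data")):
            in_data = False
        m = LOCALS.match(line) if (in_method and kind == 3) else None
        if m:
            base = int(m.group(2))
            if base + 3 <= 255:                  # const/16 and the *-int ops take 8-bit registers
                line = f"{m.group(1)}.locals {base + 3}"
            else:
                base = None                      # no room for junk registers in this method
        out.append(line)
        if not (in_method and not in_data and is_instruction(s)):
            continue
        # move-result* must directly follow its invoke/filled-new-array, and nothing is
        # reachable after return/throw/goto, so never insert junk after those.
        if s.startswith(("invoke-", "filled-new-array", "return", "throw", "goto")):
            continue
        indent = line[:len(line) - len(line.lstrip())]
        if kind == 1:
            out.append(f"{indent}nop")
        elif kind == 2:
            label += 1
            out += [f"{indent}goto :junk_{label}", f"{indent}nop", f"{indent}nop",
                    f"{indent}:junk_{label}"]
        elif kind == 3 and base is not None:
            a, b, c = base, base + 1, base + 2
            out += [f"{indent}const/16 v{a}, 0x2a", f"{indent}const/16 v{b}, 0x7",
                    f"{indent}add-int v{c}, v{a}, v{b}", f"{indent}xor-int v{a}, v{c}, v{b}"]
    return "\n".join(out)

# Constructed sample (not from any real app): one pure method and one with an invoke/move-result pair.
SAMPLE = """\
.method public static add(II)I
    .locals 1

    add-int v0, p0, p1

    return v0
.end method

.method public static len(Ljava/lang/String;)I
    .locals 1

    invoke-virtual {p0}, Ljava/lang/String;->length()I

    move-result v0

    return v0
.end method
"""

if __name__ == "__main__":
    for kind in (1, 2, 3):
        print(f"--- type {kind} ---")
        print(insert_junk(SAMPLE, kind))
```

Type 2 deliberately leaves the nops unreachable (that is what "nop instructions and unconditional jumps" produces); type 3 uses `const/16` and the three-register `add-int`/`xor-int` forms rather than `const/4` or `xor-int/2addr`, because the latter only address registers v0..v15 and the new registers sit above the existing locals.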
THE TRANSFORMATION TOOL

We developed a tool that lets the user select either one application or a directory containing several applications.

[Figure: Framework UI 1: a single apk has been selected]

The tool also offers an easy way to retrieve the results after the transformed samples have been submitted to the VirusTotal engine:

[Figure: VirusTotal result retrieval screen]
THE RESULTS OF EXPERIMENT

We worked on a data set of 5560 malware samples belonging to 178 different malware families, and applied all the transformations combined (level 9) to every sample.

Antimalware results

In the following table the first column is the antimalware engine (57 VirusTotal engines in total), the second the number of samples (without transformations) correctly detected by that engine, and the third the number of samples correctly detected after the transformation process. Totals differ from one engine to another because not every engine returned a verdict for every sample on both submissions (see totalScans in the detailed table further below).

Antimalware  detected before transformation  detected after transformation
Alibaba 565 578
F-Secure 4723 4767
AVG 4734 4432
ESET-NOD32 4550 4169
Avira 4749 4054
AhnLab-V3 4615 3934
Sophos 4719 3875
GData 4747 3853
BitDefender 4735 3848
Ad-Aware 4726 3843
Emsisoft 4594 3725
MicroWorld-eScan 4642 3782
NANO-Antivirus 4716 3702
Kaspersky 4689 3543
Avast 4175 3338
DrWeb 4610 3240
CAT-QuickHeal 3967 2962
Ikarus 4467 2715
VIPRE 4767 2093
AVware 4636 2034
Microsoft 2437 1937
Fortinet 4458 1920
AegisLab 2988 1074
ClamAV 2122 1637
Cyren 4766 1629
Rising 2042 1544
Symantec 3255 1391
TrendMicro-HouseCall 3953 1292
Comodo 4711 1268
Qihoo-360 4486 1116
TrendMicro 3392 1080
Tencent 4522 728
McAfee 4784 600
Zillya 646 557
Jiangmin 4255 547
VBA32 2420 536
F-Prot 4692 505
Zoner 3933 389
Kingsoft 4267 367
K7GW 221 15
Baidu-International 4157 222
Norman 1058 218
ALYac 114 121
TotalDefense 1960 207
McAfee-GW-Edition 320 135
Agnitum 425 119
ViRobot 116 112
Panda 185 97
Antiy-AVL 83 82
nProtect 59 59
K7AntiVirus 150 36
TheHacker 8 2
ByteHero 0 0
Bkav 740 0
CMC 2 0
Malwarebytes 0 0
SUPERAntiSpyware 2 0
MALWARE FAMILY RESULTS
In the following table the results per malware family are shown: the first column is the malware family, the second the number of samples of that family considered trusted before transformation, and the third the number of samples of that family considered trusted after transformation. "Trusted" means that the sample was considered clean by the majority of the antimalware engines (the passedMalwares criterion defined further below).

Family  trusted before transformation  trusted after transformation
SerBG 0 3
UpdtKiller 0 1
FakePlayer 0 17
Spy.GoneSixty 0 1
Updtbot 0 1
Bgserv 1 1
FakeRun 0 10
AccuTrack 1 10
Booster 0 1
Nyleaker 5 18
TigerBot 0 3
DroidSheep 0 11
Vidro 0 5
Proreso 0 2
Rooter 0 3
LifeMon 0 3
Sonus 0 1
Dougalek 0 17
Gmuse 0 3
Dialer 0 2
Fakengry 0 10
Arspam 0 1
Saiva 0 2
Moghava 2 3
Nisev 0 4
GPSpy 0 3
Fauxcopy 1 2
Lemon 0 6
Aks 0 5
Cawitt 0 1
Maxit 0 1
SpyPhone 2 5
PdaSpy 0 4
QPlus 0 6
FakeDoc 0 43
Mobilespy 0 13
Fakeview 0 1
Spitmo 0 11
Loozfon 0 2
TrojanSMS.Boxer.AQ 0 1
Penetho 1 18
SmsWatcher 3 3
Replicator 0 3
TrojanSMS.Stealer 0 1
Coogos 0 7
Tapsnake 0 3
SmForw 1 2
Raden 0 9
Koomer 0 2
Copycat 2 3
Kidlogger 1 6
Maistealer 0 1
Yzhc 0 25
SheriDroid 1 2
Gappusin 48 53
Spyset 0 8
Antares 0 2
SMSreg 7 36
TrojanSMS.Denofow 5 5
SuBatt 0 1
Luckycat 0 5
Lypro 0 1
Kiser 8 9
Fsm 0 3
Typstu 0 14
GlodEagl 0 1
SafeKidZone 1 1
Zsone 0 8
Hispo 0 3
RATC 1 1
Ksapp 0 5
MTracker 1 1
RediAssi 0 3
Netisend 0 1
Boxer 1 18
RootSmart 0 7
TrojanSMS.Hippo 5 7
Mobinauten 0 8
SpyMob 1 2
Whapsni 0 1
Nandrobox 0 7
TheftAware 2 2
Spy.ImLog 0 1
Nickspy 0 11
Generic 2 2
SMSSend 0 1
Glodream 0 49
MMarketPay 0 1
CrWind 0 2
FoCobers 4 15
FakeNefix 0 1
FaceNiff 1 6
SpyBubble 0 2
SMSBomber 0 1
Mania 1 6
Ssmsp 0 1
Dabom 0 2
Opfake 2 608
Gasms 0 1
SendPay 1 56
Spyoo 0 3
EWalls 0 1
Fjcon 0 2
Fakelogo 0 19
Tesbo 0 2
Ackposts 0 2
Smspacem 0 1
Iconosys 1 142
Gapev 0 6
YcChar 0 1
SpyHasb 7 11
FarMap 0 2
Ansca 0 1
Pirates 0 2
Cosha 0 11
Pirater 0 1
Imlog 1 42
DroidRooter 0 2
Foncy 0 2
Adsms 0 3
Biige 0 4
Qicsom 0 1
Vdloader 0 13
GGtrack 0 3
Sakezon 8 8
FinSpy 0 3
Gonca 0 5
CgFinder 0 2
MobileTx 0 68
Placms 0 11
SmsSpy 0 1
Trackplus 1 1
Zitmo 0 14
RuFraud 0 1
BeanBot 0 6
PJApps 0 1
FakeTimer 0 11
Acnetdoor 0 1
FakeInstaller 1 918
Plankton 59 554
GinMaster 0 268
Geinimi 0 82
DroidDream 0 73
Adrd 0 70
Jifake 0 26
Stealer 0 13
Stiniter 2 6
Fidall 0 2
Kmin 7 59
JSmsHider 1 1
Dogowar 0 1
Gamex 1 3
EICAR-Test-File 1 2
SMSZombie 0 2
DroidKungFu 0 102
Xsider 0 1
BaseBridge 1 16
ExploitLinuxLotoor 0 2
Exploit.RageCage 0 0
The metrics in the detailed table below are defined as follows (all counts are per antimalware engine):

totalScans: the number of samples that the antimalware engine analyzed both before and after the transformations were applied.
totalMaliciousPre: the number of samples considered malicious before transformation.
malicious_on_total_pre_%: totalMaliciousPre as a percentage of totalScans.
totalCleanPre: the number of samples considered clean before transformation.
clean_on_total_pre_%: totalCleanPre as a percentage of totalScans.
totalMaliciousPost: the number of samples considered malicious after transformation.
malicious_on_total_post_%: totalMaliciousPost as a percentage of totalScans.
totalCleanPost: the number of samples considered clean after transformation.
clean_on_total_post_%: totalCleanPost as a percentage of totalScans.
MTC_on_total_%: the percentage, over totalScans, of samples considered malicious before the transformations and clean after them (not reported in the table below).
id_antimalware  Antimalware  totalScans  totalMaliciousPre  malicious_on_total_pre_%  totalCleanPre  clean_on_total_pre_%  totalMaliciousPost  malicious_on_total_post_%  totalCleanPost  clean_on_total_post_%
10 Alibaba 578 565 97.7509 13 2.2491 578 100.0000 0 0.0000
31 F-Secure 4775 4723 98.9110 52 1.0890 4767 99.8325 8 0.1675
55 AVG 4776 4734 99.1206 42 0.8794 4432 92.7973 344 7.2027
51 ESET-NOD32 4586 4550 99.2150 36 0.7850 4169 90.9071 417 9.0929
39 Avira 4804 4749 98.8551 55 1.1449 4054 84.3880 750 15.6120
45 AhnLab-V3 4804 4615 96.0658 189 3.9342 3934 81.8901 870 18.1099
29 Sophos 4766 4719 99.0138 47 0.9862 3875 81.3051 891 18.6949
44 GData 4804 4747 98.8135 57 1.1865 3853 80.2040 951 19.7960
22 BitDefender 4803 4735 98.5842 68 1.4158 3848 80.1166 955 19.8834
28 Ad-Aware 4798 4726 98.4994 72 1.5006 3843 80.0959 955 19.9041
36 Emsisoft 4653 4594 98.7320 59 1.2680 3725 80.0559 928 19.9441
2 MicroWorld-eScan 4725 4642 98.2434 83 1.7566 3782 80.0423 943 19.9577
23 NANO-Antivirus 4804 4716 98.1682 88 1.8318 3702 77.0608 1102 22.9392
21 Kaspersky 4803 4689 97.6265 114 2.3735 3543 73.7664 1260 26.2336
19 Avast 4789 4175 87.1790 614 12.8210 3338 69.7014 1451 30.2986
32 DrWeb 4782 4610 96.4032 172 3.5968 3240 67.7541 1542 32.2459
5 CAT-QuickHeal 4804 3967 82.5770 837 17.4230 2962 61.6570 1842 38.3430
53 Ikarus 4782 4467 93.4128 315 6.5872 2715 56.7754 2067 43.2246
33 VIPRE 4789 4767 99.5406 22 0.4594 2093 43.7043 2696 56.2957
47 AVware 4661 4636 99.4636 25 0.5364 2034 43.6387 2627 56.3613
42 Microsoft 4802 2437 50.7497 2365 49.2503 1937 40.3374 2865 59.6626
54 Fortinet 4780 4458 93.2636 322 6.7364 1920 40.1674 2860 59.8326
43 AegisLab 3073 2988 97.2340 85 2.7660 1074 34.9496 1999 65.0504
20 ClamAV 4774 2122 44.4491 2652 55.5509 1637 34.2899 3137 65.7101
37 Cyren 4803 4766 99.2296 37 0.7704 1629 33.9163 3174 66.0837
52 Rising 4794 2042 42.5949 2752 57.4051 1544 32.2069 3250 67.7931
15 Symantec 4797 3255 67.8549 1542 32.1451 1391 28.9973 3406 71.0027
18 TrendMicro-HouseCall 4778 3953 82.7334 825 17.2666 1292 27.0406 3486 72.9594
30 Comodo 4801 4711 98.1254 90 1.8746 1268 26.4112 3533 73.5888
57 Qihoo-360 4779 4486 93.8690 293 6.1310 1116 23.3522 3663 76.6478
34 TrendMicro 4788 3392 70.8438 1396 29.1562 1080 22.5564 3708 77.4436
27 Tencent 4787 4522 94.4642 265 5.5358 728 15.2079 4059 84.7921
6 McAfee 4801 4784 99.6459 17 0.3541 600 12.4974 4201 87.5026
8 Zillya 4802 646 13.4527 4156 86.5473 557 11.5993 4245 88.4007
38 Jiangmin 4798 4255 88.6828 543 11.3172 547 11.4006 4251 88.5994
48 VBA32 4794 2420 50.4798 2374 49.5202 536 11.1806 4258 88.8194
14 F-Prot 4804 4692 97.6686 112 2.3314 505 10.5121 4299 89.4879
50 Zoner 4804 3933 81.8693 871 18.1307 389 8.0974 4415 91.9026
41 Kingsoft 4763 4267 89.5864 496 10.4136 367 7.7052 4396 92.2948
11 K7GW 239 221 92.4686 18 7.5314 15 6.2762 224 93.7238
56 Baidu-International 4794 4157 86.7126 637 13.2874 222 4.6308 4572 95.3692
16 Norman 4797 1058 22.0555 3739 77.9445 218 4.5445 4579 95.4555
46 ALYac 2793 114 4.0816 2679 95.9184 121 4.3323 2672 95.6677
17 TotalDefense 4793 1960 40.8930 2833 59.1070 207 4.3188 4586 95.6812
35 McAfee-GW-Edition 4795 320 6.6736 4475 93.3264 135 2.8154 4660 97.1846
13 Agnitum 4802 425 8.8505 4377 91.1495 119 2.4781 4683 97.5219
24 ViRobot 4789 116 2.4222 4673 97.5778 112 2.3387 4677 97.6613
49 Panda 4773 185 3.8760 4588 96.1240 97 2.0323 4676 97.9677
40 Antiy-AVL 4687 83 1.7709 4604 98.2291 82 1.7495 4605 98.2505
3 nProtect 4783 59 1.2335 4724 98.7665 59 1.2335 4724 98.7665
9 K7AntiVirus 4742 150 3.1632 4592 96.8368 36 0.7592 4706 99.2408
12 TheHacker 4803 8 0.1666 4795 99.8334 2 0.0416 4801 99.9584
26 ByteHero 4804 0 0.0000 4804 100.0000 0 0.0000 4804 100.0000
1 Bkav 4795 740 15.4327 4055 84.5673 0 0.0000 4795 100.0000
4 CMC 4790 2 0.0418 4788 99.9582 0 0.0000 4790 100.0000
7 Malwarebytes 4801 0 0.0000 4801 100.0000 0 0.0000 4801 100.0000
25 SUPERAntiSpyware 4801 2 0.0417 4799 99.9583 0 0.0000 4801 100.0000
In our analysis we obtained a surprising result for a small group of antimalware engines (ids 46, 10 and 31: ALYac, Alibaba and F-Secure), which detected more of the transformed samples than of the original ones. The following table shows the results per family: for each family it counts how many samples are able to "fool" the majority of the antimalware engines. The metrics are:

totalMalwares: the number of samples of the family that were analyzed, both before and after transformation, by at least one antimalware engine.
passedMalwaresPre: the number of samples of the family considered clean by the majority of the antimalware engines before transformation.
passedMalwaresPost: the number of samples of the family considered clean by the majority of the antimalware engines after transformation.
passed_post_%: passedMalwaresPost as a percentage of totalMalwares.
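The per-engine and per-family metrics defined above, computed from scan verdicts, as an added example written for this page (it is not the report's own evaluation script). The verdicts, engine names and family names are constructed for the example; the one reading of the definitions that the page leaves open, and that this code assumes, is that "clean for the majority of antimalwares" means strictly more than half of the engines that returned a verdict for that sample on both submissions.

```python
from collections import defaultdict

# Constructed input (not the report's data): sample id -> (family, verdicts before
# transformation, verdicts after). True = the engine flagged the sample as malicious;
# an engine missing from a dict returned no result for that scan.
SAMPLES = {
    "s1": ("Fam1", {"A": True,  "B": True,  "C": True},  {"A": False, "B": False, "C": True}),
    "s2": ("Fam1", {"A": True,  "B": True,  "C": False}, {"A": True,  "B": False, "C": False}),
    "s3": ("Fam2", {"A": True,  "B": True},              {"A": True,  "B": True,  "C": True}),
    "s4": ("Fam2", {"A": False, "B": False, "C": True},  {"A": False, "B": False, "C": False}),
}

def pct(part, whole):
    return round(100.0 * part / whole, 4) if whole else 0.0

def engine_metrics(samples):
    """Per-engine counters as defined in the report: a sample counts towards an engine's
    totalScans only if that engine scanned it both before and after transformation."""
    acc = defaultdict(lambda: {"scans": 0, "mal_pre": 0, "mal_post": 0, "mtc": 0})
    for _family, pre, post in samples.values():
        for eng in pre.keys() & post.keys():
            a = acc[eng]
            a["scans"] += 1
            a["mal_pre"] += pre[eng]
            a["mal_post"] += post[eng]
            a["mtc"] += pre[eng] and not post[eng]      # malicious before, clean after
    rows = {}
    for eng, a in acc.items():
        t = a["scans"]
        rows[eng] = {
            "totalScans": t,
            "totalMaliciousPre": a["mal_pre"],
            "malicious_on_total_pre%": pct(a["mal_pre"], t),
            "totalCleanPre": t - a["mal_pre"],
            "clean_on_total_pre%": pct(t - a["mal_pre"], t),
            "totalMaliciousPost": a["mal_post"],
            "malicious_on_total_post%": pct(a["mal_post"], t),
            "totalCleanPost": t - a["mal_post"],
            "clean_on_total_post%": pct(t - a["mal_post"], t),
            "MTC_on_total%": pct(a["mtc"], t),
        }
    return rows

def majority_clean(verdicts):
    """Assumed reading of 'considered clean by the majority of antimalwares': strictly more
    than half of the engines that scanned the sample returned clean."""
    flagged = sum(verdicts.values())
    return 2 * (len(verdicts) - flagged) > len(verdicts)

def family_metrics(samples):
    """totalMalwares / passedMalwaresPre / passedMalwaresPost / passed_post% per family."""
    fam = defaultdict(lambda: {"totalMalwares": 0, "passedMalwaresPre": 0, "passedMalwaresPost": 0})
    for family, pre, post in samples.values():
        common = pre.keys() & post.keys()
        if not common:                                 # analyzed by no engine on both runs
            continue
        r = fam[family]
        r["totalMalwares"] += 1
        r["passedMalwaresPre"] += majority_clean({e: pre[e] for e in common})
        r["passedMalwaresPost"] += majority_clean({e: post[e] for e in common})
    for r in fam.values():
        r["passed_post%"] = pct(r["passedMalwaresPost"], r["totalMalwares"])
    return dict(fam)

def share_of_engines_detecting_above(rows, threshold, when):
    """Fraction of engines whose malicious_on_total_<when>% exceeds threshold, i.e. the
    kind of ratio the report's conclusion reports for threshold 90 ('pre' or 'post')."""
    key = f"malicious_on_total_{when}%"
    hits = sum(1 for r in rows.values() if r[key] > threshold)
    return hits / len(rows) if rows else 0.0

if __name__ == "__main__":
    for eng, row in sorted(engine_metrics(SAMPLES).items()):
        print(eng, row)
    for family, row in sorted(family_metrics(SAMPLES).items()):
        print(family, row)
```

Feeding the same functions a VirusTotal report pair per sample (one before, one after transformation) reproduces the two tables on this page; the `MTC_on_total%` column, which the page defines but does not tabulate, is the most direct measure of how many previously detected samples a transformation frees.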
id_family family_name totalMalwares passedMalwaresPre passedMalwaresPost passed_post_%
36 SerBG 3 0 3 100.0000
104 UpdtKiller 1 0 1 100.0000
51 FakePlayer 17 0 17 100.0000
125 Spy.GoneSixty 1 0 1 100.0000
67 Updtbot 1 0 1 100.0000
143 Bgserv 1 1 1 100.0000
16 FakeRun 10 0 10 100.0000
83 AccuTrack 10 1 10 100.0000
161 Booster 1 0 1 100.0000
32 Nyleaker 18 5 18 100.0000
100 TigerBot 3 0 3 100.0000
47 DroidSheep 11 0 11 100.0000
117 Vidro 5 0 5 100.0000
62 Proreso 2 0 2 100.0000
137 Rooter 3 0 3 100.0000
78 LifeMon 3 0 3 100.0000
155 Sonus 1 0 1 100.0000
28 Dougalek 17 0 17 100.0000
96 Gmuse 3 0 3 100.0000
174 Dialer 2 0 2 100.0000
43 Fakengry 10 0 10 100.0000
113 Arspam 1 0 1 100.0000
58 Saiva 2 0 2 100.0000
133 Moghava 3 2 3 100.0000
8 Nisev 4 0 4 100.0000
74 GPSpy 3 0 3 100.0000
151 Fauxcopy 2 1 2 100.0000
24 Lemon 6 0 6 100.0000
91 Aks 5 0 5 100.0000
168 Cawitt 1 0 1 100.0000
39 Maxit 1 0 1 100.0000
109 SpyPhone 5 2 5 100.0000
54 PdaSpy 4 0 4 100.0000
129 QPlus 6 0 6 100.0000
4 FakeDoc 43 0 43 100.0000
70 Mobilespy 13 0 13 100.0000
147 Fakeview 1 0 1 100.0000
19 Spitmo 11 0 11 100.0000
86 Loozfon 2 0 2 100.0000
164 TrojanSMS.Boxer.AQ 1 0 1 100.0000
35 Penetho 18 1 18 100.0000
103 SmsWatcher 3 3 3 100.0000
50 Replicator 3 0 3 100.0000
124 TrojanSMS.Stealer 1 0 1 100.0000
66 Coogos 7 0 7 100.0000
142 Tapsnake 3 0 3 100.0000
15 SmForw 2 1 2 100.0000
82 Raden 9 0 9 100.0000
160 Koomer 2 0 2 100.0000
31 Copycat 3 2 3 100.0000
99 Kidlogger 6 1 6 100.0000
177 Maistealer 1 0 1 100.0000
46 Yzhc 25 0 25 100.0000
116 SheriDroid 2 1 2 100.0000
61 Gappusin 53 48 53 100.0000
77 Spyset 8 0 8 100.0000
154 Antares 2 0 2 100.0000
27 SMSreg 36 7 36 100.0000
95 TrojanSMS.Denofow 5 5 5 100.0000
173 SuBatt 1 0 1 100.0000
42 Luckycat 5 0 5 100.0000
112 Lypro 1 0 1 100.0000
73 Kiser 9 8 9 100.0000
150 Fsm 3 0 3 100.0000
23 Typstu 14 0 14 100.0000
90 GlodEagl 1 0 1 100.0000
167 SafeKidZone 1 1 1 100.0000
38 Zsone 8 0 8 100.0000
53 Hispo 3 0 3 100.0000
128 RATC 1 1 1 100.0000
69 Ksapp 5 0 5 100.0000
145 MTracker 1 1 1 100.0000
85 RediAssi 3 0 3 100.0000
163 Netisend 1 0 1 100.0000
34 Boxer 18 1 18 100.0000
102 RootSmart 7 0 7 100.0000
49 TrojanSMS.Hippo 7 5 7 100.0000
123 Mobinauten 8 0 8 100.0000
65 SpyMob 2 1 2 100.0000
141 Whapsni 1 0 1 100.0000
14 Nandrobox 7 0 7 100.0000
81 TheftAware 2 2 2 100.0000
159 Spy.ImLog 1 0 1 100.0000
30 Nickspy 11 0 11 100.0000
98 Generic 2 2 2 100.0000
176 SMSSend 1 0 1 100.0000
45 Glodream 49 0 49 100.0000
115 MMarketPay 1 0 1 100.0000
135 CrWind 2 0 2 100.0000
76 FoCobers 15 4 15 100.0000
153 FakeNefix 1 0 1 100.0000
26 FaceNiff 6 1 6 100.0000
93 SpyBubble 2 0 2 100.0000
172 SMSBomber 1 0 1 100.0000
41 Mania 6 1 6 100.0000
111 Ssmsp 1 0 1 100.0000
131 Dabom 2 0 2 100.0000
6 Opfake 608 2 608 100.0000
149 Gasms 1 0 1 100.0000
22 SendPay 56 1 56 100.0000
89 Spyoo 3 0 3 100.0000
166 EWalls 1 0 1 100.0000
107 Fjcon 2 0 2 100.0000
52 Fakelogo 19 0 19 100.0000
126 Tesbo 2 0 2 100.0000
68 Ackposts 2 0 2 100.0000
144 Smspacem 1 0 1 100.0000
17 Iconosys 142 1 142 100.0000
84 Gapev 6 0 6 100.0000
162 YcChar 1 0 1 100.0000
33 SpyHasb 11 7 11 100.0000
101 FarMap 2 0 2 100.0000
48 Ansca 1 0 1 100.0000
122 Pirates 2 0 2 100.0000
64 Cosha 11 0 11 100.0000
138 Pirater 1 0 1 100.0000
13 Imlog 42 1 42 100.0000
80 DroidRooter 2 0 2 100.0000
156 Foncy 2 0 2 100.0000
29 Adsms 3 0 3 100.0000
97 Biige 4 0 4 100.0000
175 Qicsom 1 0 1 100.0000
44 Vdloader 13 0 13 100.0000
114 GGtrack 3 0 3 100.0000
59 Sakezon 8 8 8 100.0000
134 FinSpy 3 0 3 100.0000
75 Gonca 5 0 5 100.0000
152 CgFinder 2 0 2 100.0000
25 MobileTx 68 0 68 100.0000
92 Placms 11 0 11 100.0000
170 SmsSpy 1 0 1 100.0000
110 Trackplus 1 1 1 100.0000
55 Zitmo 14 0 14 100.0000
130 RuFraud 1 0 1 100.0000
71 BeanBot 6 0 6 100.0000
148 PJApps 1 0 1 100.0000
20 FakeTimer 11 0 11 100.0000
165 Acnetdoor 1 0 1 100.0000
5 FakeInstaller 919 1 918 99.8912
1 Plankton 555 59 554 99.8198
3 GinMaster 269 0 268 99.6283
11 Geinimi 83 0 82 98.7952
12 DroidDream 74 0 73 98.6486
9 Adrd 72 0 70 97.2222
60 Jifake 28 0 26 92.8571
56 Stealer 14 0 13 92.8571
18 Stiniter 9 2 6 66.6667
87 Fidall 3 0 2 66.6667
10 Kmin 95 7 59 62.1053
136 JSmsHider 2 1 1 50.0000
132 Dogowar 2 0 1 50.0000
108 Gamex 6 1 3 50.0000
40 EICAR-Test-File 4 1 2 50.0000
57 SMSZombie 10 0 2 20.0000
2 DroidKungFu 561 0 102 18.1818
72 Xsider 15 0 1 6.6667
7 BaseBridge 310 1 16 5.1613
37 ExploitLinuxLotoor 61 0 2 3.2787
178 Exploit.RageCage 1 0 0 0.0000
Only 21 of the 178 families fell short of a 100% passed_post_% after the transformations were applied; in every other family, each sample was considered clean by the majority of the antimalware engines.
Conclusion

In this section we summarize the main results of our experiment.

Percentage of antimalware engines that detect as malicious more than 90% of the samples they analyze:
Original malware set: 47%  Transformed malware set: 7%

Percentage of antimalware engines that detect as malicious less than half of the samples they analyze:
Original malware set: 33%  Transformed malware set: 68%
[Figure: bar charts of the two ratios above, original vs transformed malware set]
Percentage of malware samples considered trusted by at least half of the antimalware engines:
Original malware set: 5%  Transformed malware set: 81%

Percentage of malware families considered trusted by the antimalware engines:
Original malware set: 6%  Transformed malware set: 77%

[Figure: bar charts of the two ratios above, original vs transformed malware set]

A simple transformation can turn a known and recognizable malware sample into an undetectable one. This should push research and industry to develop detection mechanisms that are robust against such trivial evasion techniques.

REFERENCES
[1] V. Rastogi, Y. Chen, X. Jiang, "Catch Me If You Can: Evaluating Android Anti-Malware Against Transformation Attacks", IEEE Transactions on Information Forensics and Security, Vol. 9, No. 1, January 2014.
[2] Android, the world's most popular mobile platform, http://developer.android.com/about/index.html, last visited 26 March 2015.
[3] Apktool, a tool for reverse engineering Android apk files, http://ibotpeaches.github.io/Apktool/, last visited 26 March 2015.
[4] VirusTotal, https://www.virustotal.com, last visited 26 March 2015.
[5] signapk: onboard apk signing script for Android devices, https://code.google.com/p/signapk/, last visited 26 March 2015.