DroidChameleon: evaluating Android anti-malware against transformation attacks

  title={DroidChameleon: evaluating Android anti-malware against transformation attacks},
  author={Vaibhav Rastogi and Yan Chen and Xuxian Jiang},
  booktitle={ASIA CCS '13},
Mobile malware threats have recently become a real concern. In this paper, we evaluate the state-of-the-art commercial mobile antimalware products for Android and test how resistant they are against various common obfuscation techniques (even with known malware). Such an evaluation is important for not only measuring the available defense against mobile malware threats but also proposing effective, next-generation solutions. We developed DroidChameleon, a systematic framework with various… 

Tables from this paper

Effectiveness of Android Obfuscation on Evading Anti-malware

This work verified the trend of transformed malware in evading detection, with a larger and more updated database of known malware, and proved that current mainstream AMTs do not build up resilience against obfuscation methods, but instead try to update the signature database on created variants.

Testing Android Anti-Malware against Malware Obfuscations

Researchers have evaluated the strength of different commercial antimalware tools by passing the transformed malware samples to them and found that all the antimalWARE tools can be evaded by applying either a single transformation or combination of transformations.

Mystique: Evolving Android Malware for Auditing Anti-Malware Tools

This paper proposes a meta model for Android malware to capture the common attack features and evasion features in the malware, and develops a framework, MYSTIQUE, to automatically generate malware covering four attack Features and two evasion features, by adopting the software product line engineering approach.

A Deep Camouflage: Evaluating Android’s Anti-malware Systems Robustness Against Hybridization of Obfuscation Techniques with Injection Attacks

The obtained results showed that the detection accuracy of most tested anti-malware systems dropped to about 10% or less, and the average number of engines which was able to detect malware samples decreased from 45 engines when the original dataset has been tested to about 12 engine when the camouflaged datasets have been tested.

Rage against the virtual machine: hindering dynamic analysis of Android malware

A broad range of anti-analysis techniques that malware can employ to evade dynamic analysis in emulated Android environments are presented and possible countermeasures are proposed to improve the resistance of current dynamic analysis tools against evasion attempts.

Testing android malware detectors against code obfuscation: a systematization of knowledge and unified methodology

  • M. PredaF. Maggi
  • Computer Science
    Journal of Computer Virology and Hacking Techniques
  • 2016
The unified workflow is intended to be used by anti-virus developers and vendors to test the resilience of their products against a large dataset of malware samples and obfuscations, and to obtain insights on how to improve their products with respect to particular classes of code-transformation attacks.

Uncovering the Dilemmas on Antivirus Software Design in Modern Mobile Platforms

This work performed a comprehensive study on ten popular Android AVDs to evaluate the effectiveness of their scanning operations and identified the design dilemmas related to two types of malware scanning operations, namely local malware scan and cloud-based malware scan.

Android Anti-malware Against Transformation Attacks

A simple and high efficient technique for detecting malware Android applications on Play store which need to be installed and a majority of them can be find by applying risk score over known malware with less effort.

Design and implementation of robust systems for secure malware detection

This work presents two main case studies, concerning the detection of PDF and Android malware, and proposes a methodology to build a powerful mobile fingerprinting system, and examines possible attacks with which users might be able to evade it, thus preserving their privacy.



ADAM: An Automatic and Extensible Platform to Stress Test Android Anti-virus Systems

ADAM is an automated and extensible system that can evaluate, via large-scale stress tests, the effectiveness of anti-virus systems against a variety of malware samples for the Android platform and can automatically transform an original malware sample to different variants via repackaging and obfuscation techniques in order to evaluate the robustness of different anti- VIRs against malware mutation.

Dissecting Android Malware: Characterization and Evolution

Systematize or characterize existing Android malware from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software.

Testing malware detectors

A technique based on program obfuscation is presented, geared towards evaluating the resilience of malware detectors to various obfuscation transformations commonly used by hackers to disguise malware, and it is discovered that these scanners are very poor.

Effective and Efficient Malware Detection at the End Host

A novel malware detection approach is proposed that is both effective and efficient, and thus, can be used to replace or complement traditional antivirus software at the end host.

Semantics-aware malware detection

Experimental evaluation demonstrates that the malware-detection algorithm can detect variants of malware with a relatively low run-time overhead and the semantics-aware malware detection algorithm is resilient to common obfuscations used by hackers.

Crowdroid: behavior-based malware detection system for Android

The method is shown to be an effective means of isolating the malware and alerting the users of a downloaded malware, showing the potential for avoiding the spreading of a detected malware to a larger community.

Synthesizing Near-Optimal Malware Specifications from Suspicious Behaviors

This paper presents an automatic technique for extracting optimally discriminative specifications, which uniquely identify a class of programs, which can be used by a behavior-based malware detector.

RiskRanker: scalable and accurate zero-day android malware detection

An automated system called RiskRanker is developed to scalably analyze whether a particular app exhibits dangerous behavior and is used to produce a prioritized list of reduced apps that merit further investigation, demonstrating the efficacy and scalability of riskRanker to police Android markets of all stripes.

Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets

A permissionbased behavioral footprinting scheme to detect new samples of known Android malware families and a heuristics-based filtering scheme to identify certain inherent behaviors of unknown malicious families are proposed.

Synthesizing near-optimal malware specifications from suspicious behaviors

An automatic technique for extracting optimally discriminative specifications, which uniquely identify a class of programs, which can be used by a behavior-based malware detector and can be brought to bear on emerging malware-based threats for new platforms.