A new study analyzing more than a million samples of Android malware illustrates the way malicious apps have evolved over time. The results, published 30 March in IEEE Transactions on Dependable and Secure Computing, show that malware coding is becoming more cleverly hidden, or obfuscated.
“Malware in Androids is still a huge issue, despite the abundance of research,” says Guillermo Suarez-Tangil, a researcher at King’s College London who co-led the study. “A central challenge is dealing with malware that is repackaged.”
Repackaged malware is when malicious coding is embedded within legitimate apps. Suarez-Tangil and his coauthor, Gianluca Stringhini of Boston University, were interested in exploring how this type of malware has evolved over time. So, they developed a technique for slicing the malicious coding from the benign parts.
“We use differential analysis to isolate software components that are irrelevant to the malware campaign and study the behavior of the malicious slice,” Suarez-Tangil explains. “By looking at the malicious slice alone, we provide an unprecedented view of the evolution of Android malware and its current behavior.”
They applied this technique to 1.2 million samples of malware that were circulated between 2010 and 2017, and which span 1,280 families of Android malware.
Some trends that emerged from this analysis include a major shift away from malware that supports premium rate fraud, whereby expensive SMS messages are sent to users. While this type of coding was seen in 40 percent of malware families in 2013, its prevalence dropped to 10 percent in late 2016.
One feature that’s on the rise is the amount of malware that’s obfuscated, whereby the coding is cleverly hidden. “In particular, we observed that cryptography is present in 90 percent of the recent families [of malware], says Suarez-Tangil. “To the best of our knowledge, there are only few malware-detection systems capable of dealing with these forms of obfuscation and they all have limitations.”
He says this trend is especially difficult to address given a concurrent rise in evasion techniques, which help keep the malware hidden once it’s on a device. Their analysis shows that these evasion techniques are not only becoming more popular but also more diverse in nature.
If anything, this study shows that malware is evolving to be more sophisticated—and sneaky. Suarez-Tangil says researchers will need to rely on techniques such as machine learning, splicing, and dynamic analysis to keep pace with the rapid evolution of Android malware.
This article appears in the July 2020 print issue as “Mobile Malware
Michelle Hampson is a freelance writer based in Halifax. She frequently contributes to Spectrum's Journal Watch coverage, which highlights newsworthy studies published in IEEE journals.