Sneakier and More Sophisticated Malware Is On the Loose

An analysis of 1.2 million Android malware samples shows a trend toward more obfuscation and evasion techniques

[Illustration: a grid of malware-infected Android mobile devices. Credit: Erik Vrielink/IEEE Spectrum]

A new study analyzing more than a million samples of Android malware illustrates the way malicious apps have evolved over time. The results, published 30 March in IEEE Transactions on Dependable and Secure Computing, show that malware coding is becoming more cleverly hidden, or obfuscated.

“Malware in Androids is still a huge issue, despite the abundance of research,” says Guillermo Suarez-Tangil, a researcher at King’s College London who co-led the study. “A central challenge is dealing with malware that is repackaged.”

Repackaged malware is malicious code embedded within an otherwise legitimate app. Suarez-Tangil and his coauthor, Gianluca Stringhini of Boston University, were interested in exploring how this type of malware has evolved over time. So they developed a technique for slicing the malicious code away from the benign parts.

“We use differential analysis to isolate software components that are irrelevant to the malware campaign and study the behavior of the malicious slice,” Suarez-Tangil explains. “By looking at the malicious slice alone, we provide an unprecedented view of the evolution of Android malware and its current behavior.”
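The differential idea described above, as an added illustration that is not the study's own code: model the benign original and its repackaged copies as maps from component name to content hash, drop every component that is unchanged from the original (the part "irrelevant to the campaign"), and keep what was added or modified as the malicious slice. The component names and hashes are constructed for the example, and the final step, intersecting the slices of several variants to find a family's stable core, goes beyond what the article states.

```python
"""Differential slicing of a repackaged Android app (added example).

An app is modelled as a mapping from component identifier (a class or method
name) to a hash of its content. Identifiers and hashes are constructed here;
a real pipeline would derive them from the decompiled APK.
"""
import hashlib
from typing import Dict, Iterable, Set, Tuple

App = Dict[str, str]


def _h(text: str) -> str:
    """Short content hash standing in for the hash of a compiled component."""
    return hashlib.sha256(text.encode()).hexdigest()[:12]


# Constructed sample: the benign original and three repackaged variants that
# add components and patch the entry point so the added code gets loaded.
ORIGINAL: App = {
    "com.example.game.MainActivity": _h("main-v1"),
    "com.example.game.Render": _h("render-v1"),
    "com.example.game.Settings": _h("settings-v1"),
}

REPACKAGED: Dict[str, App] = {
    "variant_a": {
        **ORIGINAL,
        "com.example.game.MainActivity": _h("main-v1+loader-hook"),  # patched
        "a.b.c.Loader": _h("loader"),
        "a.b.c.SmsSender": _h("sms"),
    },
    "variant_b": {
        **ORIGINAL,
        "com.example.game.MainActivity": _h("main-v1+loader-hook"),
        "a.b.c.Loader": _h("loader"),
        "d.e.f.Beacon": _h("beacon"),
    },
    "variant_c": {
        **ORIGINAL,
        "com.example.game.MainActivity": _h("main-v1+loader-hook"),
        "a.b.c.Loader": _h("loader"),
        "a.b.c.SmsSender": _h("sms-variant2"),  # same name, different code
    },
}


def malicious_slice(original: App, repackaged: App) -> App:
    """Components that are new in the repackaged app or whose content differs
    from the original. Unchanged components are dropped as irrelevant."""
    return {name: digest for name, digest in repackaged.items()
            if original.get(name) != digest}


def benign_carrier(original: App, repackaged: App) -> Set[str]:
    """Component names carried over unchanged from the legitimate app."""
    return {name for name, digest in repackaged.items()
            if original.get(name) == digest}


def family_core(original: App, variants: Iterable[App]) -> Set[Tuple[str, str]]:
    """(name, hash) pairs present in every variant's malicious slice: the part
    of the family that stays stable across repackagings. Hypothetical step,
    not something the article describes."""
    slices = [set(malicious_slice(original, v).items()) for v in variants]
    return set.intersection(*slices) if slices else set()


if __name__ == "__main__":
    for label, app in REPACKAGED.items():
        print(label, "slice:", sorted(malicious_slice(ORIGINAL, app)))
        print(label, "carrier:", sorted(benign_carrier(ORIGINAL, app)))
    print("family core:", sorted(n for n, _ in family_core(ORIGINAL, REPACKAGED.values())))
```

Hashing by content rather than matching by name is what catches the patched entry point: its name is unchanged, so a name-only diff would wrongly file it under the benign carrier.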

They applied this technique to 1.2 million samples of malware that were circulated between 2010 and 2017, and which span 1,280 families of Android malware.

Some trends that emerged from this analysis include a major shift away from malware that supports premium rate fraud, whereby expensive SMS messages are sent to users. While this type of coding was seen in 40 percent of malware families in 2013, its prevalence dropped to 10 percent in late 2016.

One feature that’s on the rise is the amount of malware that’s obfuscated, whereby the code is cleverly hidden. “In particular, we observed that cryptography is present in 90 percent of the recent families [of malware],” says Suarez-Tangil. “To the best of our knowledge, there are only a few malware-detection systems capable of dealing with these forms of obfuscation, and they all have limitations.”

He says this trend is especially difficult to address given a concurrent rise in evasion techniques, which help keep the malware hidden once it’s on a device. Their analysis shows that these evasion techniques are not only becoming more popular but also more diverse in nature.

If anything, this study shows that malware is evolving to be more sophisticated—and sneaky. Suarez-Tangil says researchers will need to rely on techniques such as machine learning, splicing, and dynamic analysis to keep pace with the rapid evolution of Android malware.

This article appears in the July 2020 print issue as “Mobile Malware Mutates.”


How the FCC Settles Radio-Spectrum Turf Wars

Remember the 5G-airport controversy? Here’s how such disputes play out

[Photo: a man in the basket of a cherry picker works on an antenna as an airliner passes overhead. Credit: Patrick T. Fallon/AFP/Getty Images]

The airline and cellular-phone industries have been at loggerheads over the possibility that 5G transmissions from antennas such as this one, located at Los Angeles International Airport, could interfere with the radar altimeters used in aircraft.

You’ve no doubt seen the scary headlines: Will 5G Cause Planes to Crash? They appeared late last year, after the U.S. Federal Aviation Administration warned that new 5G services from AT&T and Verizon might interfere with the radar altimeters that airplane pilots rely on to land safely. Not true, said AT&T and Verizon, with the backing of the U.S. Federal Communications Commission, which had authorized 5G. The altimeters are safe, they maintained. Air travelers didn’t know what to believe.

Another recent FCC decision had also created a controversy about public safety: okaying Wi-Fi devices in a 6-gigahertz frequency band long used by point-to-point microwave systems to carry safety-critical data. The microwave operators predicted that the Wi-Fi devices would disrupt their systems; the Wi-Fi interests insisted they would not. (As an attorney, I represented a microwave-industry group in the ensuing legal dispute.)
