Sneakier and More Sophisticated Malware Is On the Loose

An analysis of 1.2 million Android malware samples shows a trend toward more obfuscation and evasion techniques

Illustration: grid of malware-infected Android mobile devices (Erik Vrielink/IEEE Spectrum)

A new study analyzing more than a million samples of Android malware shows how malicious apps have evolved over time. The results, published 30 March in IEEE Transactions on Dependable and Secure Computing, show that malware code is increasingly obfuscated, that is, deliberately written so that its purpose is hidden from analysts and detection tools.

“Malware in Androids is still a huge issue, despite the abundance of research,” says Guillermo Suarez-Tangil, a researcher at King’s College London who co-led the study. “A central challenge is dealing with malware that is repackaged.”

Repackaged malware is a legitimate app that has been modified to carry malicious code, so that most of the sample is benign and only a small part is the attacker's. Suarez-Tangil and his coauthor, Gianluca Stringhini of Boston University, wanted to see how this type of malware has evolved over time. To do so, they developed a technique for slicing the malicious code away from the benign parts of the app.

“We use differential analysis to isolate software components that are irrelevant to the malware campaign and study the behavior of the malicious slice,” Suarez-Tangil explains. “By looking at the malicious slice alone, we provide an unprecedented view of the evolution of Android malware and its current behavior.”
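The differential analysis described above, reduced to its essentials as an added example (this is not the authors' code; the data and the behaviour signatures are constructed for illustration). Each app is modelled as a mapping from class name to the Android and Java APIs that class invokes, which is what a static analyser would extract from the DEX. The benign original and the repackaged sample are compared by API fingerprint rather than by class name, so classes renamed by an obfuscator still match; whatever has no counterpart in the original is the malicious slice, which is then checked for the behaviours the article tracks (premium-rate SMS, cryptography, dynamic loading, evasion).

```python
"""Differential analysis of a repackaged Android app (constructed example)."""

# Constructed sample data: a benign weather app and a repackaged copy of it.
ORIGINAL_APP = {
    "com.example.weather.MainActivity": [
        "android.app.Activity.onCreate",
        "android.widget.TextView.setText",
    ],
    "com.example.weather.net.Fetcher": [
        "java.net.HttpURLConnection.connect",
        "java.io.InputStream.read",
    ],
}

REPACKAGED_APP = {
    # Original classes renamed by an obfuscator: names differ, API calls do not.
    "a.a.a": [
        "android.app.Activity.onCreate",
        "android.widget.TextView.setText",
    ],
    "a.a.b": [
        "java.net.HttpURLConnection.connect",
        "java.io.InputStream.read",
    ],
    # Injected classes (the "rider").
    "a.b.c": [  # premium-rate SMS fraud
        "android.telephony.SmsManager.getDefault",
        "android.telephony.SmsManager.sendTextMessage",
    ],
    "a.b.d": [  # encrypted payload decrypted and loaded at runtime
        "javax.crypto.Cipher.getInstance",
        "javax.crypto.Cipher.doFinal",
        "dalvik.system.DexClassLoader.loadClass",
        "java.lang.reflect.Method.invoke",
    ],
    "a.b.e": [  # emulator / debugger detection
        "android.os.Build.FINGERPRINT",
        "android.os.Debug.isDebuggerConnected",
    ],
}

# Behaviour signatures (assumed labels, not the paper's taxonomy).
SIGNATURES = {
    "premium_sms": {"android.telephony.SmsManager.sendTextMessage"},
    "cryptography": {"javax.crypto.Cipher.getInstance", "javax.crypto.Cipher.doFinal"},
    "dynamic_loading": {"dalvik.system.DexClassLoader.loadClass"},
    "reflection": {"java.lang.reflect.Method.invoke"},
    "evasion": {"android.os.Build.FINGERPRINT", "android.os.Debug.isDebuggerConnected"},
}


def fingerprint(api_calls):
    """Name-agnostic identity of a class: the set of APIs it invokes."""
    return frozenset(api_calls)


def malicious_slice(original, repackaged):
    """Return the classes of `repackaged` with no fingerprint match in `original`.

    Anything the benign original already does is discarded; what remains is
    the injected rider. Only exact fingerprint matches are recognised, so a
    benign class the rider edited in place also lands in the slice, which is
    the conservative outcome an analyst wants.
    """
    benign = {fingerprint(calls) for calls in original.values()}
    return {name: calls for name, calls in repackaged.items()
            if fingerprint(calls) not in benign}


def slice_behaviours(slice_):
    """Map each behaviour label to the slice classes that exhibit it."""
    found = {}
    for name, calls in slice_.items():
        used = set(calls)
        for label, apis in SIGNATURES.items():
            if used & apis:
                found.setdefault(label, []).append(name)
    return found


def analyse(original, repackaged):
    """Isolate the rider and summarise what it does."""
    rider = malicious_slice(original, repackaged)
    return {"rider_classes": sorted(rider), "behaviours": slice_behaviours(rider)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(ORIGINAL_APP, REPACKAGED_APP), indent=2))
```

On real samples the fingerprint would come from a DEX parser rather than a hand-written list, and the original would have to be located first (by package name, signing certificate, or resource hashes); the comparison step itself is the same.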

They applied this technique to 1.2 million samples of malware that were circulated between 2010 and 2017, and which span 1,280 families of Android malware.

One trend that emerged from this analysis is a major shift away from malware that supports premium-rate fraud, in which the malware silently sends SMS messages from the victim's device to premium-rate numbers that bill the victim. While this behavior was seen in 40 percent of malware families in 2013, its prevalence had dropped to 10 percent by late 2016.

One feature that is on the rise is obfuscation, in which the code is deliberately written to hide what it does. “In particular, we observed that cryptography is present in 90 percent of the recent families [of malware],” says Suarez-Tangil. “To the best of our knowledge, there are only a few malware-detection systems capable of dealing with these forms of obfuscation and they all have limitations.”

He says this trend is especially difficult to address given a concurrent rise in evasion techniques, which help keep the malware hidden once it’s on a device. Their analysis shows that these evasion techniques are not only becoming more popular but also more diverse in nature.

If anything, this study shows that malware is evolving to be more sophisticated and harder to spot. Suarez-Tangil says researchers will need to rely on techniques such as machine learning, slicing, and dynamic analysis to keep pace with the rapid evolution of Android malware.

This article appears in the July 2020 print issue as “Mobile Malware Mutates.”
