
Sneakier and More Sophisticated Malware Is On the Loose

An analysis of 1.2 million Android malware samples shows a trend toward more obfuscation and evasion techniques

Illustration: grid of malware-infected Android mobile devices (Erik Vrielink/IEEE Spectrum)

A new study analyzing more than a million samples of Android malware illustrates the way malicious apps have evolved over time. The results, published 30 March in IEEE Transactions on Dependable and Secure Computing, show that malware coding is becoming more cleverly hidden, or obfuscated.

“Malware in Androids is still a huge issue, despite the abundance of research,” says Guillermo Suarez-Tangil, a researcher at King’s College London who co-led the study. “A central challenge is dealing with malware that is repackaged.”

Repackaged malware is malware whose malicious code has been embedded inside an otherwise legitimate app. Suarez-Tangil and his coauthor, Gianluca Stringhini of Boston University, were interested in exploring how this type of malware has evolved over time. So they developed a technique for slicing the malicious code away from the benign parts of the app.

“We use differential analysis to isolate software components that are irrelevant to the malware campaign and study the behavior of the malicious slice,” Suarez-Tangil explains. “By looking at the malicious slice alone, we provide an unprecedented view of the evolution of Android malware and its current behavior.”

They applied this technique to 1.2 million samples of malware that were circulated between 2010 and 2017, and which span 1,280 families of Android malware.

Some trends that emerged from this analysis include a major shift away from malware that supports premium-rate fraud, whereby expensive SMS messages are sent to users. While this type of code was seen in 40 percent of malware families in 2013, its prevalence dropped to 10 percent in late 2016.

One feature that’s on the rise is the amount of malware that’s obfuscated, whereby the code is cleverly hidden. “In particular, we observed that cryptography is present in 90 percent of the recent families [of malware],” says Suarez-Tangil. “To the best of our knowledge, there are only a few malware-detection systems capable of dealing with these forms of obfuscation, and they all have limitations.”

He says this trend is especially difficult to address given a concurrent rise in evasion techniques, which help keep the malware hidden once it’s on a device. Their analysis shows that these evasion techniques are not only becoming more popular but also more diverse in nature.

If anything, this study shows that malware is evolving to be more sophisticated—and sneaky. Suarez-Tangil says researchers will need to rely on techniques such as machine learning, splicing, and dynamic analysis to keep pace with the rapid evolution of Android malware.

This article appears in the July 2020 print issue as “Mobile Malware


Why the Internet Needs the InterPlanetary File System

Peer-to-peer file sharing would make the Internet far more efficient

Illustration: Carl De Torres

When the COVID-19 pandemic erupted in early 2020, the world made an unprecedented shift to remote work. As a precaution, some Internet providers scaled back service levels temporarily, although that probably wasn’t necessary for countries in Asia, Europe, and North America, which were generally able to cope with the surge in demand caused by people teleworking (and binge-watching Netflix). That’s because most of their networks were overprovisioned, with more capacity than they usually need. But in countries without the same level of investment in network infrastructure, the picture was less rosy: Internet service providers (ISPs) in South Africa and Venezuela, for instance, reported significant strain.

But is overprovisioning the only way to ensure resilience? We don’t think so. To understand the alternative approach we’re championing, though, you first need to recall how the Internet works.
