Published on May 14th, 2014
Google Bouncer & Dynamic Analysis tools Fail to Detect Malware
Security researchers from FORTH-ICS and Columbia University have exploited weaknesses shared by Google's Bouncer service and other Android analysis services that would let malicious apps sneak onto the Android market. Their newly published research paper reveals that every dynamic analysis tool and service they tested is vulnerable to most of the evasion techniques they describe.
Like Google Bouncer, such heuristic analysis tools flag a malicious application either from prior knowledge of typical command sequences in its code or of its metadata (static analysis), or from the behaviour it shows when executed (dynamic analysis).
The research paper [pdf], titled "Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware", was written by a team of five researchers, Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis and Sotiris Ioannidis, of the Institute of Computer Science at FORTH (Greece) and Columbia University (USA).
They built malware samples that hide their behaviour whenever they detect an emulated environment, and thereby bypass heuristic-based dynamic and static analysis platforms such as Andrubis, DroidBox, DroidScope, APK Analyzer and APKScan.
"A malicious program can try to infer whether it runs in an emulated environment, and therefore evade detection by pausing all malicious activities," the researchers said. "Even trivial techniques, such as checking the value of the IMEI, are enough to evade some of the existing dynamic analysis frameworks."
The team modified real-world Android malware to include these bypass techniques for heuristic-based detection and tested the result against a number of dynamic analysis tools. "To assess the effectiveness of our techniques, we incorporated them in real malware samples and submitted them to publicly available Android dynamic analysis systems, with alarming results," they added.
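The following is an added example, not code from the paper or from any of the malware samples it describes, of what such an emulator check looks like in practice. It models the decision a sample makes ("am I being analysed? then stay dormant") over a constructed snapshot of values an app can read through stock Android APIs: the trivial IMEI check the researchers mention, a few other well-known fixed values of the stock QEMU-based emulator, and a sensor-based check that notices an accelerometer that never moves. The `DeviceProfile` type, the function names and all three profiles (including their IMEIs, phone numbers and build strings) are this example's own constructions; the third profile shows that a sandbox which spoofs the identifiers and feeds noisy sensor events, the kind of "realistic sensor event simulation" the Register quote later in the article refers to, passes every one of these checks.

```python
import random
import statistics
from dataclasses import dataclass
from typing import List, Optional, Tuple

Reading = Tuple[float, float, float]  # one accelerometer event: (x, y, z) in m/s^2


@dataclass
class DeviceProfile:
    """Values a sample can read through stock Android APIs (this example's own type).

    On a device they come from TelephonyManager.getDeviceId() / getLine1Number(),
    android.os.Build.FINGERPRINT / HARDWARE and SensorManager events.
    """
    imei: str
    phone_number: str
    build_fingerprint: str
    build_hardware: str
    accel: List[Reading]


def static_indicators(p: DeviceProfile) -> List[str]:
    """One-shot checks: the stock emulator exposes fixed, well-known values."""
    reasons = []
    if p.imei and set(p.imei) == {"0"}:          # emulator reports 000000000000000
        reasons.append("IMEI is all zeros")
    if p.phone_number.startswith("155552155"):  # 1-555-521-5554 + console port
        reasons.append("phone number is the emulator default")
    if p.build_fingerprint.startswith("generic"):
        reasons.append("Build.FINGERPRINT starts with 'generic'")
    if p.build_hardware in ("goldfish", "ranchu"):
        reasons.append("Build.HARDWARE names the QEMU virtual board")
    return reasons


def sensor_indicator(samples: List[Reading], min_samples: int = 10) -> Optional[str]:
    """A physical accelerometer is never perfectly still; a plain emulator replays a constant."""
    if len(samples) < min_samples:
        return None                            # too little data: assume a real device
    spread = [statistics.pstdev(axis) for axis in zip(*samples)]
    if max(spread) < 1e-6:
        return "accelerometer readings never change"
    return None


def looks_like_emulator(p: DeviceProfile) -> List[str]:
    """Every indicator that fired; an empty list means 'probably a real phone'."""
    reasons = static_indicators(p)
    hit = sensor_indicator(p.accel)
    if hit:
        reasons.append(hit)
    return reasons


def run_sample(p: DeviceProfile) -> str:
    """The evasion decision: stay dormant under analysis, otherwise misbehave."""
    return "dormant" if looks_like_emulator(p) else "payload"


# --- constructed profiles (not captured from any real device or sandbox) ---
EMULATOR = DeviceProfile(
    imei="000000000000000",
    phone_number="15555215554",
    build_fingerprint="generic/sdk/generic:4.4.2/KVT49L/937116:eng/test-keys",
    build_hardware="goldfish",
    accel=[(0.0, 9.81, 0.0)] * 20,             # gravity on y, never any motion
)

_rng = random.Random(1)                        # seeded so the example is deterministic


def _jittered_accel(n: int) -> List[Reading]:
    """Hand-held phone: gravity plus a little noise on every axis."""
    return [(0.1 * _rng.gauss(0, 1), 9.81 + 0.1 * _rng.gauss(0, 1), 0.1 * _rng.gauss(0, 1))
            for _ in range(n)]


REAL_PHONE = DeviceProfile(
    imei="356938035643809",
    phone_number="+4915112345678",
    build_fingerprint="samsung/jfltexx/jflte:4.4.2/KOT49H/I9505XXUFNB8:user/release-keys",
    build_hardware="qcom",
    accel=_jittered_accel(20),
)

# An emulator whose readable values have been replaced with the ones a real
# handset would return, and whose sensor feed is jittered: none of the checks fire.
HARDENED_SANDBOX = DeviceProfile(
    imei="356938035643809",
    phone_number="+4915112345678",
    build_fingerprint="samsung/jfltexx/jflte:4.4.2/KOT49H/I9505XXUFNB8:user/release-keys",
    build_hardware="qcom",
    accel=_jittered_accel(20),
)

if __name__ == "__main__":
    for name, prof in [("emulator", EMULATOR), ("real phone", REAL_PHONE),
                       ("hardened sandbox", HARDENED_SANDBOX)]:
        print(f"{name:17s} -> {run_sample(prof):8s} {looks_like_emulator(prof)}")
```

Two practical points follow from this. On the analysis side, every check above is defeated by returning realistic values, but each one has to be thought of in advance; the sensor check in particular is only beaten by feeding a stream of plausibly varying events, not by a single spoofed constant. On the detection side, the strings a sample compares against (the all-zero IMEI, "goldfish", the "generic" fingerprint prefix, the 1-555-521 number range) are themselves a useful static signature for spotting apps that try to tell whether they are being watched.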
LAB TEST RESULTS
- None of the analysis tools defeated the heuristic evasion techniques.
- None of the analysis tools correctly inferred the malicious behaviour of the repackaged malware samples.
- Malware writers can fingerprint most of the analysis services from information inferred about their execution environment, and so develop more sophisticated and reliable evasion techniques.
- Only one tool, APK Analyzer, detected that the malware application was checking for a virtual machine in order to hinder analysis.
"However, Google's Bouncer would have the smarts to detect the slippery malware if it were upgraded with realistic sensor event simulation, more accurate binary translation and hybrid application execution," The Register reported.
Mobile malware poses a significant threat to users. Most of the evasion techniques are not new, but the paper shows that malware authors keep evolving and can always find new ways around the security checks.