Android Security

Popular Android Anti-Virus Software Fooled By Trivial Techniques

wiredmikey writes "A group of researchers from Northwestern University and North Carolina State University tested ten of the most popular AV products on Android, and discovered that they were easily fooled by common obfuscation techniques. In a paper (PDF), the researchers said they tested AV software from several well-known security vendors. In order to evaluate the mobile security software, the researchers developed a tool called DroidChameleon, which applies transformation techniques to Android applications. Known malware samples were transformed to generate new variants that contain the exact malicious functions as before. These new variants were then passed to the AV products, and much to the surprise of the paper's authors, they were rarely flagged — if at all. According to the research, 43% of the signatures used by the AV products are based on file names, checksums or information obtained by the PackageManager API. This means that, as mentioned, common transformations will render their protection useless for the most part. For example, the researchers transformed the Android rootkit DroidDream for their test. DroidDream is a widely-known and highly dangerous application. Yet, when it was transformed, every AV program failed to catch at least two variants."
  • Re:This just in! (Score:5, Interesting)

    by cbhacking ( 979169 ) <been_out_cruisin ... m ['hoo' in gap]> on Tuesday May 07, 2013 @01:00AM (#43650575) Homepage Journal

    Oh, hardly even then. I wrote my first polymorphic program when I was 16, and I was late to the game for that. Making a completely trivial change to the binary - have a meaningless 32-bit constant that you add (modulo 0xFFFFFFFF) with the current time in milliseconds on each run, for example - will completely bypass typical types of checksum/hash checks unless you want to store 4 billion signatures. Slightly more complex signature schemes are nonetheless equally easy to defeat. Filename checks are even easier to defeat; there are lots of ways to indicate the next file to run which can use dynamic file names. It's a game of cat and mouse, but the cats are too dumb to do anything but watch known mouseholes, while the mice can make new holes whenever they please and it only takes a mouse getting out once for the cats to lose the game.
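
As an added illustration of the point the comment above makes (this is not code from the paper, from the commenter, or from any AV product): the script below builds a constructed "binary" consisting of a fixed code region followed by a 32-bit constant, then checks three samples against two kinds of signature. The whole-file SHA-256 is what a checksum-based signature stores; the wildcard byte pattern masks the constant's bytes so the signature is tied to the code rather than to a value that changes per run. The byte string, the sample names and both signature formats are simplified stand-ins constructed for this example.

```python
"""Why whole-file hashes make brittle malware signatures, and one sturdier alternative.

Added illustration, not code from the paper or from any AV engine. The "binary" is a
constructed byte string; the two signature formats are simplified stand-ins.
"""
import hashlib
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a fixed "code" region (arbitrary bytes that merely look like
# x86-64 opcodes) followed by a 4-byte little-endian constant that a variant rewrites.
CODE_REGION = bytes.fromhex("554889e54883ec10c745fc00000000eb05")
KNOWN_CONSTANT = 0x41414141


def build_sample(constant: int) -> bytes:
    """Assemble a sample whose only variable part is the trailing 32-bit constant."""
    return CODE_REGION + (constant & 0xFFFFFFFF).to_bytes(4, "little")


def hash_signature(sample: bytes) -> str:
    """Exact SHA-256 of the whole file: what a checksum-based signature stores."""
    return hashlib.sha256(sample).hexdigest()


def matches_hash(sample: bytes, known_hashes: Set[str]) -> bool:
    """A hash signature fires only on a byte-for-byte identical file."""
    return hash_signature(sample) in known_hashes


# Wildcard byte pattern: None means "any byte at this position". Masking the
# constant's bytes keeps the signature anchored to the code, not the mutable data.
Pattern = List[Optional[int]]


def pattern_from(sample: bytes, wildcard_ranges: List[Tuple[int, int]]) -> Pattern:
    """Turn a known sample into a pattern, wildcarding the given [start, end) ranges."""
    pattern: Pattern = list(sample)
    for start, end in wildcard_ranges:
        for i in range(start, end):
            pattern[i] = None
    return pattern


def matches_pattern(sample: bytes, pattern: Pattern) -> bool:
    """True if the pattern occurs at any offset in the sample (wildcards match any byte)."""
    n = len(pattern)
    for offset in range(len(sample) - n + 1):
        if all(p is None or sample[offset + i] == p for i, p in enumerate(pattern)):
            return True
    return False


def detection_report(samples: Dict[str, bytes]) -> Dict[str, Tuple[bool, bool]]:
    """Check each sample against both signature types derived from the known sample.

    Returns name -> (hash signature hit, wildcard pattern hit).
    """
    known = build_sample(KNOWN_CONSTANT)
    known_hashes = {hash_signature(known)}
    # Wildcard exactly the bytes holding the constant; everything else must match.
    code_pattern = pattern_from(known, [(len(CODE_REGION), len(known))])
    return {
        name: (matches_hash(blob, known_hashes), matches_pattern(blob, code_pattern))
        for name, blob in samples.items()
    }


# Constructed test set: the sample as first seen, the same code with a different
# constant, and the same code with one extra NOP (0x90) inserted in the code region.
SAMPLES: Dict[str, bytes] = {
    "original": build_sample(KNOWN_CONSTANT),
    "constant_changed": build_sample(KNOWN_CONSTANT + 0x1234),
    "nop_inserted": CODE_REGION[:4] + b"\x90" + CODE_REGION[4:]
    + KNOWN_CONSTANT.to_bytes(4, "little"),
}

if __name__ == "__main__":
    for name, (hash_hit, pattern_hit) in detection_report(SAMPLES).items():
        print(f"{name:18s} hash signature: {hash_hit!s:5s} wildcard pattern: {pattern_hit}")
```

Running it shows the hash signature catching only the original file, while the wildcard pattern still catches the variant whose constant changed. The third sample shows the limit of byte-level patterns: a single inserted byte in the code region defeats the pattern too, which is why engines layer structural or behavioural checks on top of byte signatures rather than relying on either kind alone. The wildcard pattern also carries a false-positive cost that the hash does not: any file sharing those seventeen code bytes will match, so real rules pair such patterns with additional conditions.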

  • Re:This just in! (Score:5, Interesting)

    by ozmanjusri ( 601766 ) <aussie_bob@hotmail . c om> on Tuesday May 07, 2013 @01:08AM (#43650597) Journal

    FUD sucks too.

    DroidDream is NOT "a widely-known and highly dangerous application". It was a malware variant identified early in 2011 and removed from both the Android Market (now Play Store) and from the infected devices. The vulnerability it exploited has been fixed in all Android versions newer than 2.2 (Froyo).

    AV vendors are terrified of Windows' plunging market share, and are desperate to find another host to leech off. This is the despairing screech of a buggy-whip maker watching their buggy-OS host vanish over a cliff.

  • Do you have WP7 Root Tools installed on your Trophy? If so, at least three different exploits were used: the ZIP path traversal that made the interop-unlock "app" work (all the work was actually done by the installer), the Connection Setup hack that achieved interop-unlock by hijacking the network database using some debug code to inject a script that modified the registry, and the exploit that Root Tools itself used in the HTC drivers to gain arbitrary code execution in the kernel.

    Just because Heathclif74 was not, so far as anybody knows, embedding any malware in his software doesn't mean he couldn't have been, or one of the many other authors posting their work on XDA-Devs and WPCentral.
