Seediscussions,stats,andauthorprofilesforthispublicationat:http://www.researchgate.net/publication/274249693

Evaluatingmalwaresobfuscationtechniquesagainstantimalwaredetectionalgorithms

TECHNICALREPORT·MARCH2015

DOWNLOADS

50

VIEWS

15

2AUTHORS:

CorradoAaronVisaggio

UniversitàdegliStudidelSannio

63PUBLICATIONS423CITATIONS

SEEPROFILE

FrancescoMercaldo

UniversitàdegliStudidelSannio

12PUBLICATIONS3CITATIONS

SEEPROFILE

Availablefrom:CorradoAaronVisaggio

Retrievedon:14July2015

Evaluating malwares obfuscation techniques against antimalware detection algorithms

Francesco Mercaldo*, Corrado Aaron Visaggio** *fmercaldo@unisannio.it **visaggio@unisannio.it (contact author) March 2015

Technical Report © Department of Engineering - University of Sannio Corso Garibaldi, 107 82100 Benevento - ITALY

Evaluating malwares obfuscation techniques against antimalware detection algorithms

2

Evaluating malwares obfuscation techniques against antimalware detection algorithms

3

A QUICK OVERVIEW Everyday more than 1 million new Android devices are activated worldwide. This trend has decreed Android the most diffuse middleware for mobile platform. Google Play is the premier marketplace for selling and distributing Android apps and it shows incredible numbers: 1.5 billion downloads at month! Everyone agrees that Android is an incredible success, but are people sure to store their data on their android devices? This success has seen an always-growing Android malware writer interest. As a main point of this technical report we pose following question : are the actual signature based detection algorithms effective on mobile environments? We developed a framework which applies a set of transformations to Android applications smali code. We then transformed a real world malware data-set (available at: http://user.informatik.uni-goettingen.de/~darp/drebin/) and then we submitted the applications to the website www.virustotal.com, in order to evaluate the maliciousness before and after the transformations (we submitted every sample pre and post transformation process). The results is impressive: the antimalware is not able to recognize the transformed malware (given that it was able to recognize the original malware). The transformation engine is released for the scientific community with the open source license at the following url: https://github.com/faber03/AndroidMalwareEvaluatingTools

TRANSFORMATIONS We developed a transformation engine for android malware (available at: https://github.com/faber03/AndroidMalwareEvaluatingTools ), which consists of the following transformations: 1) Disassembling & Reassembling: This transformation is based on the apktool representation of the items contained in the .dex file. For disassembling an application, the command “apktool d apkname” creates several directories representing the original application resources: code, android manifest, etc. The command ”apktool b apkDirectory” creates an application based on the new apktool dex file representation. 2) Repacking Every android application has a developer signature key that will be lost after disassembling the application and then reassembling it. To create a new key we used the tool signapk to avoid detection signatures that match the developer

keys or a checksum of the entire application package.

3) Changing package name This transformation change the application package name with a random string. 4) Identifier Renaming:

Evaluating malwares obfuscation techniques against antimalware detection algorithms

4

The goal of this transformation is to rename every identifier (classes name, packages name, methods name, variables name etc…). In this case the transformation changes package name and classes identifier, for each smali file, using a random string generator, handling calls in external classes to the modified classes. Android manifest Pre-transformation

Android manifest Post-transformation

Class name Pre-transformation Class name Post-transformation

Class call and package name Pre-Transformation

Class call and package name Post-transformation

5) Data Encoding: Strings can be used to create signatures that identify malwares. This transformation encodes strings with a Caesar cipher. The original string will be restored, during application run-time, with a call to a smali function that knows the Caeser key.

Evaluating malwares obfuscation techniques against antimalware detection algorithms

5

This function has been created from a java class inserted into an android project and then the smali has been obtained thanks to apktool disassembling function. Pre-transformation string

Post-transformation string

6) Call indirections: This transformation modifies the application call graph. Into the smali code every call is changed with a call to a new method inserted by the transformation. This new method calls the original method saving the right execution order. The transformation can be applied to every kind of call, in this case it has been applied to every void smali method invoked with the “invoke-virtual” construct. Pre-transformation

Post-transformation

7) Code Reordering: The aim of this transformation is to reorder smali methods by inserting goto instructions in order to save the correct runtime execution. Every method has been changed with a new method where every instruction has been moved to a random index within the method body. The transformation has been applied only to methods that don’t contain any type of jump (if, switch, recursive calls).

Evaluating malwares obfuscation techniques against antimalware detection algorithms

6

Pre-transformation

Post-transformation

8) Junk Code Insertion: This transformation provides three different junk code insertions:

1) Insertion of nop instructions into each method. 2) Insertion of nop instructions and unconditional jumps into each

method.

Evaluating malwares obfuscation techniques against antimalware detection algorithms

7

3) Allocation of three additional registers on which garbage operations are performed:

This is smali method before inserting any junk code.

This is the same method after nop insertion. (Type 1)

This is a method with nop and unconditional junk instructions (Type 2)

Evaluating malwares obfuscation techniques against antimalware detection algorithms

8

The two following screens show the same method before and after junk code insertion of Type 3 9) Composite Transformations: All the transformations combined.

Remark: The samples submitted to VirusTotal present a transformation level equal to 9.

Evaluating malwares obfuscation techniques against antimalware detection algorithms

9

THE TRANSFORMATION TOOL We developed a tool that can be used to select one application or a directory containing several applications.

Framework UI 1: in this case a single apk has been selected

The developed tool offers also an easy way to retrieve results after submitting transformed samples to VirusTotal engine:

THE RESULTS OF EXPERIMENT We worked on a data-set, composed of 5560 malwares belonging to 178 different malware families. We applied all the transformations combined together on the malware data-set.

Anti-malwares results In the following table, first column represents the Anti-Malware , the second the number of samples (without transformations) correctly detected by the

Evaluating malwares obfuscation techniques against antimalware detection algorithms

10

antimalware while in the third column (in red) the number of correctly detected samples after transformation process.

Alibaba 565 578

F-Secure 4723 4767

AVG 4734 4432

ESET-NOD32 4550 4169

Avira 4749 4054

AhnLab-V3 4615 3934

Sophos 4719 3875

GData 4747 3853

BitDefender 4735 3848

Ad-Aware 4726 3843

Emsisoft 4594 3725

MicroWorld-eScan 4642 3782

NANO-Antivirus 4716 3702

Kaspersky 4689 3543

Avast 4175 3338

DrWeb 4610 3240

CAT-QuickHeal 3967 2962

Ikarus 4467 2715

VIPRE 4767 2093

AVware 4636 2034

Microsoft 2437 1937

Fortinet 4458 1920

AegisLab 2988 1074

ClamAV 2122 1637

Cyren 4766 1629

Rising 2042 1544

Symantec 3255 1391

TrendMicro-HouseCall 3953 1292

Comodo 4711 1268

Qihoo-360 4486 1116

Evaluating malwares obfuscation techniques against antimalware detection algorithms

11

TrendMicro 3392 1080

Tencent 4522 728

McAfee 4784 600

Zillya 646 557

Jiangmin 4255 547

VBA32 2420 536

F-Prot 4692 505

Zoner 3933 389

Kingsoft 4267 367

K7GW 221 15

Baidu-International 4157 222

Norman 1058 218

ALYac 114 121

TotalDefense 1960 207

McAfee-GW-Edition 320 135

Agnitum 425 119

ViRobot 116 112

Panda 185 97

Antiy-AVL 83 82

nProtect 59 59

K7AntiVirus 150 36

TheHacker 8 2

ByteHero 0 0

Bkav 740 0

CMC 2 0

Malwarebytes 0 0

SUPERAntiSpyware 2 0

MALWARE FAMILY RESULTS

Evaluating malwares obfuscation techniques against antimalware detection algorithms

12

In the following table the results regarding the family malware are shown: the first column represents the malware family, the second the number of malwares belonging to the malware-family which are considered trusted before transformation, while in the third column the number of malwares belonging to a specific malware-family which are considered trusted after transformation.

SerBG 0 3

UpdtKiller 0 1

FakePlayer 0 17

Spy.GoneSixty 0 1

Updtbot 0 1

Bgserv 1 1

FakeRun 0 10

AccuTrack 1 10

Booster 0 1

Nyleaker 5 18

TigerBot 0 3

DroidSheep 0 11

Vidro 0 5

Proreso 0 2

Rooter 0 3

LifeMon 0 3

Sonus 0 1

Dougalek 0 17

Gmuse 0 3

Dialer 0 2

Fakengry 0 10

Arspam 0 1

Saiva 0 2

Moghava 2 3

Nisev 0 4

GPSpy 0 3

Fauxcopy 1 2

Evaluating malwares obfuscation techniques against antimalware detection algorithms

13

Lemon 0 6

Aks 0 5

Cawitt 0 1

Maxit 0 1

SpyPhone 2 5

PdaSpy 0 4

QPlus 0 6

FakeDoc 0 43

Mobilespy 0 13

Fakeview 0 1

Spitmo 0 11

Loozfon 0 2

TrojanSMS.Boxer.AQ 0 1

Penetho 1 18

SmsWatcher 3 3

Replicator 0 3

TrojanSMS.Stealer 0 1

Coogos 0 7

Tapsnake 0 3

SmForw 1 2

Raden 0 9

Koomer 0 2

Copycat 2 3

Kidlogger 1 6

Maistealer 0 1

Yzhc 0 25

SheriDroid 1 2

Gappusin 48 53

Spyset 0 8

Antares 0 2

Evaluating malwares obfuscation techniques against antimalware detection algorithms

14

SMSreg 7 36

TrojanSMS.Denofow 5 5

SuBatt 0 1

Luckycat 0 5

Lypro 0 1

Kiser 8 9

Fsm 0 3

Typstu 0 14

GlodEagl 0 1

SafeKidZone 1 1

Zsone 0 8

Hispo 0 3

RATC 1 1

Ksapp 0 5

MTracker 1 1

RediAssi 0 3

Netisend 0 1

Boxer 1 18

RootSmart 0 7

TrojanSMS.Hippo 5 7

Mobinauten 0 8

SpyMob 1 2

Whapsni 0 1

Nandrobox 0 7

TheftAware 2 2

Spy.ImLog 0 1

Nickspy 0 11

Generic 2 2

SMSSend 0 1

Glodream 0 49

Evaluating malwares obfuscation techniques against antimalware detection algorithms

15

MMarketPay 0 1

CrWind 0 2

FoCobers 4 15

FakeNefix 0 1

FaceNiff 1 6

SpyBubble 0 2

SMSBomber 0 1

Mania 1 6

Ssmsp 0 1

Dabom 0 2

Opfake 2 608

Gasms 0 1

SendPay 1 56

Spyoo 0 3

EWalls 0 1

Fjcon 0 2

Fakelogo 0 19

Tesbo 0 2

Ackposts 0 2

Smspacem 0 1

Iconosys 1 142

Gapev 0 6

YcChar 0 1

SpyHasb 7 11

FarMap 0 2

Ansca 0 1

Pirates 0 2

Cosha 0 11

Pirater 0 1

Imlog 1 42

Evaluating malwares obfuscation techniques against antimalware detection algorithms

16

DroidRooter 0 2

Foncy 0 2

Adsms 0 3

Biige 0 4

Qicsom 0 1

Vdloader 0 13

GGtrack 0 3

Sakezon 8 8

FinSpy 0 3

Gonca 0 5

CgFinder 0 2

MobileTx 0 68

Placms 0 11

SmsSpy 0 1

Trackplus 1 1

Zitmo 0 14

RuFraud 0 1

BeanBot 0 6

PJApps 0 1

FakeTimer 0 11

Acnetdoor 0 1

FakeInstaller 1 918

Plankton 59 554

GinMaster 0 268

Geinimi 0 82

DroidDream 0 73

Adrd 0 70

Jifake 0 26

Stealer 0 13

Stiniter 2 6

Evaluating malwares obfuscation techniques against antimalware detection algorithms

17

Fidall 0 2

Kmin 7 59

JSmsHider 1 1

Dogowar 0 1

Gamex 1 3

EICAR-Test-File 1 2

SMSZombie 0 2

DroidKungFu 0 102

Xsider 0 1

BaseBridge 1 16

ExploitLinuxLotoor 0 2

Exploit.RageCage 0 0

In the following table we resume the details of the metrics we have calculated:

totalScans: the number of malwares analyzed by an antimalware both before transformations applied and after (transformations applied).

totalMaliciousPre: the number of malwares that before being transformed are considered malicious.

totalMaliciousPost: the number of malwares considered malicious after being transformed.

totalCleanPre: : the number of malwares that before being transformed are considered clean.

clean_on_total_pre%: the percentage of malwares considered clean on the total number of malwares, before transformations applied. (by a specific antimalware).

clean_on_total_post%: the percentage of malwares considered clean on the total number of malwares, after transformations applied. (by a specific antimalware)

totalCleanPost: the number of malwares considered clean after being transformed.

MTC_on_total%: the percentage of malwares considered malicious before transformations applied and clean after on the total number of analyzed malware

id_anti_

malware

Antimalw

are

total

Scan

s

totalMal

iciousPr

e

malicious_on

_total_pre_%

totalCl

eanPre

clean_on_t

otal_pre_

%

totalMali

ciousPost

malicious_on_

total_post_%

totalCl

eanPos

t

clean_on_to

tal_post_%

10 Alibaba 578 565 97.7509 13 2.2491 578 100.0000 0 0.0000

31 F-Secure 4775 4723 98.9110 52 1.0890 4767 99.8325 8 0.1675

55 AVG 4776 4734 99.1206 42 0.8794 4432 92.7973 344 7.2027

Evaluating malwares obfuscation techniques against antimalware detection algorithms

18

51 ESET-NOD32

4586 4550 99.2150 36 0.7850 4169 90.9071 417 9.0929

39 Avira 4804 4749 98.8551 55 1.1449 4054 84.3880 750 15.6120

45 AhnLab-

V3 4804 4615 96.0658 189 3.9342 3934 81.8901 870 18.1099

29 Sophos 4766 4719 99.0138 47 0.9862 3875 81.3051 891 18.6949

44 GData 4804 4747 98.8135 57 1.1865 3853 80.2040 951 19.7960

22 BitDefend

er 4803 4735 98.5842 68 1.4158 3848 80.1166 955 19.8834

28 Ad-Aware 4798 4726 98.4994 72 1.5006 3843 80.0959 955 19.9041

36 Emsisoft 4653 4594 98.7320 59 1.2680 3725 80.0559 928 19.9441

2 MicroWorld-eScan

4725 4642 98.2434 83 1.7566 3782 80.0423 943 19.9577

23 NANO-

Antivirus 4804 4716 98.1682 88 1.8318 3702 77.0608 1102 22.9392

21 Kaspersky 4803 4689 97.6265 114 2.3735 3543 73.7664 1260 26.2336

19 Avast 4789 4175 87.1790 614 12.8210 3338 69.7014 1451 30.2986

32 DrWeb 4782 4610 96.4032 172 3.5968 3240 67.7541 1542 32.2459

5

CAT-

QuickHeal

4804 3967 82.5770 837 17.4230 2962 61.6570 1842 38.3430

53 Ikarus 4782 4467 93.4128 315 6.5872 2715 56.7754 2067 43.2246

33 VIPRE 4789 4767 99.5406 22 0.4594 2093 43.7043 2696 56.2957

47 AVware 4661 4636 99.4636 25 0.5364 2034 43.6387 2627 56.3613

42 Microsoft 4802 2437 50.7497 2365 49.2503 1937 40.3374 2865 59.6626

54 Fortinet 4780 4458 93.2636 322 6.7364 1920 40.1674 2860 59.8326

43 AegisLab 3073 2988 97.2340 85 2.7660 1074 34.9496 1999 65.0504

20 ClamAV 4774 2122 44.4491 2652 55.5509 1637 34.2899 3137 65.7101

37 Cyren 4803 4766 99.2296 37 0.7704 1629 33.9163 3174 66.0837

52 Rising 4794 2042 42.5949 2752 57.4051 1544 32.2069 3250 67.7931

15 Symantec 4797 3255 67.8549 1542 32.1451 1391 28.9973 3406 71.0027

18

TrendMic

ro-

HouseCall

4778 3953 82.7334 825 17.2666 1292 27.0406 3486 72.9594

30 Comodo 4801 4711 98.1254 90 1.8746 1268 26.4112 3533 73.5888

57 Qihoo-360

4779 4486 93.8690 293 6.1310 1116 23.3522 3663 76.6478

34 TrendMic

ro 4788 3392 70.8438 1396 29.1562 1080 22.5564 3708 77.4436

27 Tencent 4787 4522 94.4642 265 5.5358 728 15.2079 4059 84.7921

6 McAfee 4801 4784 99.6459 17 0.3541 600 12.4974 4201 87.5026

8 Zillya 4802 646 13.4527 4156 86.5473 557 11.5993 4245 88.4007

38 Jiangmin 4798 4255 88.6828 543 11.3172 547 11.4006 4251 88.5994

48 VBA32 4794 2420 50.4798 2374 49.5202 536 11.1806 4258 88.8194

14 F-Prot 4804 4692 97.6686 112 2.3314 505 10.5121 4299 89.4879

50 Zoner 4804 3933 81.8693 871 18.1307 389 8.0974 4415 91.9026

41 Kingsoft 4763 4267 89.5864 496 10.4136 367 7.7052 4396 92.2948

Evaluating malwares obfuscation techniques against antimalware detection algorithms

19

11 K7GW 239 221 92.4686 18 7.5314 15 6.2762 224 93.7238

56 Baidu-Internatio

nal

4794 4157 86.7126 637 13.2874 222 4.6308 4572 95.3692

16 Norman 4797 1058 22.0555 3739 77.9445 218 4.5445 4579 95.4555

46 ALYac 2793 114 4.0816 2679 95.9184 121 4.3323 2672 95.6677

17 TotalDefe

nse 4793 1960 40.8930 2833 59.1070 207 4.3188 4586 95.6812

35 McAfee-GW-

Edition

4795 320 6.6736 4475 93.3264 135 2.8154 4660 97.1846

13 Agnitum 4802 425 8.8505 4377 91.1495 119 2.4781 4683 97.5219

24 ViRobot 4789 116 2.4222 4673 97.5778 112 2.3387 4677 97.6613

49 Panda 4773 185 3.8760 4588 96.1240 97 2.0323 4676 97.9677

40 Antiy-

AVL 4687 83 1.7709 4604 98.2291 82 1.7495 4605 98.2505

3 nProtect 4783 59 1.2335 4724 98.7665 59 1.2335 4724 98.7665

9 K7AntiVirus

4742 150 3.1632 4592 96.8368 36 0.7592 4706 99.2408

12 TheHacke

r 4803 8 0.1666 4795 99.8334 2 0.0416 4801 99.9584

26 ByteHero 4804 0 0.0000 4804 100.0000 0 0.0000 4804 100.0000

1 Bkav 4795 740 15.4327 4055 84.5673 0 0.0000 4795 100.0000

4 CMC 4790 2 0.0418 4788 99.9582 0 0.0000 4790 100.0000

7 Malwareb

ytes 4801 0 0.0000 4801 100.0000 0 0.0000 4801 100.0000

25 SUPERAntiSpywar

e

4801 2 0.0417 4799 99.9583 0 0.0000 4801 100.0000

In our analysis we obtained a surprising result on a small group of anti-malwares (e.g: 46, 10, 31). These anti-malwares show a better performance in scanning transformed samples. The following table shows the results detailed for family: for each family it counts how many malwares are able to “fool” the majority of antimalware. Here we explain the metrics we have computed:

totalMalwares: the number of malwares belonging to a specific malware-family which have been analyzed both before and after being transformed at least by one antimalware.

passedMalwaresPre: the number of malwares belonging to a specific malware-family which are considered clean from the majority of antimalwares before being transformed.

passedMalwaresPost: the number of malwares belonging to a specific malware-family which are considered clean from the majority of antimalwares after being transformed.

passed_post_%:percentage of passedMalwarePost on totalMalwares .

Evaluating malwares obfuscation techniques against antimalware detection algorithms

20

id_family family_name totalMalwares passedMalwaresPre passedMalwaresPost passed_post_%

36 SerBG 3 0 3 100.0000

104 UpdtKiller 1 0 1 100.0000

51 FakePlayer 17 0 17 100.0000

125 Spy.GoneSixty 1 0 1 100.0000

67 Updtbot 1 0 1 100.0000

143 Bgserv 1 1 1 100.0000

16 FakeRun 10 0 10 100.0000

83 AccuTrack 10 1 10 100.0000

161 Booster 1 0 1 100.0000

32 Nyleaker 18 5 18 100.0000

100 TigerBot 3 0 3 100.0000

47 DroidSheep 11 0 11 100.0000

117 Vidro 5 0 5 100.0000

62 Proreso 2 0 2 100.0000

137 Rooter 3 0 3 100.0000

78 LifeMon 3 0 3 100.0000

155 Sonus 1 0 1 100.0000

28 Dougalek 17 0 17 100.0000

96 Gmuse 3 0 3 100.0000

174 Dialer 2 0 2 100.0000

43 Fakengry 10 0 10 100.0000

113 Arspam 1 0 1 100.0000

58 Saiva 2 0 2 100.0000

133 Moghava 3 2 3 100.0000

8 Nisev 4 0 4 100.0000

74 GPSpy 3 0 3 100.0000

151 Fauxcopy 2 1 2 100.0000

24 Lemon 6 0 6 100.0000

91 Aks 5 0 5 100.0000

168 Cawitt 1 0 1 100.0000

39 Maxit 1 0 1 100.0000

109 SpyPhone 5 2 5 100.0000

54 PdaSpy 4 0 4 100.0000

129 QPlus 6 0 6 100.0000

4 FakeDoc 43 0 43 100.0000

70 Mobilespy 13 0 13 100.0000

147 Fakeview 1 0 1 100.0000

19 Spitmo 11 0 11 100.0000

86 Loozfon 2 0 2 100.0000

164 TrojanSMS.Boxer.AQ 1 0 1 100.0000

Evaluating malwares obfuscation techniques against antimalware detection algorithms

21

35 Penetho 18 1 18 100.0000

103 SmsWatcher 3 3 3 100.0000

50 Replicator 3 0 3 100.0000

124 TrojanSMS.Stealer 1 0 1 100.0000

66 Coogos 7 0 7 100.0000

142 Tapsnake 3 0 3 100.0000

15 SmForw 2 1 2 100.0000

82 Raden 9 0 9 100.0000

160 Koomer 2 0 2 100.0000

31 Copycat 3 2 3 100.0000

99 Kidlogger 6 1 6 100.0000

177 Maistealer 1 0 1 100.0000

46 Yzhc 25 0 25 100.0000

116 SheriDroid 2 1 2 100.0000

61 Gappusin 53 48 53 100.0000

77 Spyset 8 0 8 100.0000

154 Antares 2 0 2 100.0000

27 SMSreg 36 7 36 100.0000

95 TrojanSMS.Denofow 5 5 5 100.0000

173 SuBatt 1 0 1 100.0000

42 Luckycat 5 0 5 100.0000

112 Lypro 1 0 1 100.0000

73 Kiser 9 8 9 100.0000

150 Fsm 3 0 3 100.0000

23 Typstu 14 0 14 100.0000

90 GlodEagl 1 0 1 100.0000

167 SafeKidZone 1 1 1 100.0000

38 Zsone 8 0 8 100.0000

53 Hispo 3 0 3 100.0000

128 RATC 1 1 1 100.0000

69 Ksapp 5 0 5 100.0000

145 MTracker 1 1 1 100.0000

85 RediAssi 3 0 3 100.0000

163 Netisend 1 0 1 100.0000

34 Boxer 18 1 18 100.0000

102 RootSmart 7 0 7 100.0000

49 TrojanSMS.Hippo 7 5 7 100.0000

123 Mobinauten 8 0 8 100.0000

65 SpyMob 2 1 2 100.0000

141 Whapsni 1 0 1 100.0000

14 Nandrobox 7 0 7 100.0000

Evaluating malwares obfuscation techniques against antimalware detection algorithms

22

81 TheftAware 2 2 2 100.0000

159 Spy.ImLog 1 0 1 100.0000

30 Nickspy 11 0 11 100.0000

98 Generic 2 2 2 100.0000

176 SMSSend 1 0 1 100.0000

45 Glodream 49 0 49 100.0000

115 MMarketPay 1 0 1 100.0000

135 CrWind 2 0 2 100.0000

76 FoCobers 15 4 15 100.0000

153 FakeNefix 1 0 1 100.0000

26 FaceNiff 6 1 6 100.0000

93 SpyBubble 2 0 2 100.0000

172 SMSBomber 1 0 1 100.0000

41 Mania 6 1 6 100.0000

111 Ssmsp 1 0 1 100.0000

131 Dabom 2 0 2 100.0000

6 Opfake 608 2 608 100.0000

149 Gasms 1 0 1 100.0000

22 SendPay 56 1 56 100.0000

89 Spyoo 3 0 3 100.0000

166 EWalls 1 0 1 100.0000

107 Fjcon 2 0 2 100.0000

52 Fakelogo 19 0 19 100.0000

126 Tesbo 2 0 2 100.0000

68 Ackposts 2 0 2 100.0000

144 Smspacem 1 0 1 100.0000

17 Iconosys 142 1 142 100.0000

84 Gapev 6 0 6 100.0000

162 YcChar 1 0 1 100.0000

33 SpyHasb 11 7 11 100.0000

101 FarMap 2 0 2 100.0000

48 Ansca 1 0 1 100.0000

122 Pirates 2 0 2 100.0000

64 Cosha 11 0 11 100.0000

138 Pirater 1 0 1 100.0000

13 Imlog 42 1 42 100.0000

80 DroidRooter 2 0 2 100.0000

156 Foncy 2 0 2 100.0000

29 Adsms 3 0 3 100.0000

97 Biige 4 0 4 100.0000

175 Qicsom 1 0 1 100.0000

Evaluating malwares obfuscation techniques against antimalware detection algorithms

23

44 Vdloader 13 0 13 100.0000

114 GGtrack 3 0 3 100.0000

59 Sakezon 8 8 8 100.0000

134 FinSpy 3 0 3 100.0000

75 Gonca 5 0 5 100.0000

152 CgFinder 2 0 2 100.0000

25 MobileTx 68 0 68 100.0000

92 Placms 11 0 11 100.0000

170 SmsSpy 1 0 1 100.0000

110 Trackplus 1 1 1 100.0000

55 Zitmo 14 0 14 100.0000

130 RuFraud 1 0 1 100.0000

71 BeanBot 6 0 6 100.0000

148 PJApps 1 0 1 100.0000

20 FakeTimer 11 0 11 100.0000

165 Acnetdoor 1 0 1 100.0000

5 FakeInstaller 919 1 918 99.8912

1 Plankton 555 59 554 99.8198

3 GinMaster 269 0 268 99.6283

11 Geinimi 83 0 82 98.7952

12 DroidDream 74 0 73 98.6486

9 Adrd 72 0 70 97.2222

60 Jifake 28 0 26 92.8571

56 Stealer 14 0 13 92.8571

18 Stiniter 9 2 6 66.6667

87 Fidall 3 0 2 66.6667

10 Kmin 95 7 59 62.1053

136 JSmsHider 2 1 1 50.0000

132 Dogowar 2 0 1 50.0000

108 Gamex 6 1 3 50.0000

40 EICAR-Test-File 4 1 2 50.0000

57 SMSZombie 10 0 2 20.0000

2 DroidKungFu 561 0 102 18.1818

72 Xsider 15 0 1 6.6667

7 BaseBridge 310 1 16 5.1613

37 ExploitLinuxLotoor 61 0 2 3.2787

178 Exploit.RageCage 1 0 0 0.0000

Only 21 families on 178 didn’t obtain the max of the score after the transformation applications.

Evaluating malwares obfuscation techniques against antimalware detection algorithms

24

Conclusion In this section we summarize the main results of our experiment. Percentage ratio of antimalwares that detect as malicious more than 90% of the malwares that analyze.

Original malware set : 47% Transformed malware set: 7%

Percentage ratio of antimalwares that detect as malicious less than an half of the malwares that analyze.

Original malware set : 33% Transformed malware set: 68%

0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

50%

original malwares' set transformed malwares'set

0%

10%

20%

30%

40%

50%

60%

70%

80%

original malwares' set transformed malwares'set

Evaluating malwares obfuscation techniques against antimalware detection algorithms

25

Percentage ratio of malwares considered trusted by at least an half of the antimalwares.

Original malware set : 5% Transformed malware set: 81%

Percentage of malwares family that are considered trusted by antimalware.

Original malware set : 6% Transformed malware set: 77%

The simple transformation of malwares can turn a known and recognizable malware into an undetectable malware. This should lead research and industry to develop detection mechanisms which are robust against this trivial evasion techniques. REFERENCES

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

original malwares' set transformed malwares'set

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

original malwares' set transformed malwares'set

Evaluating malwares obfuscation techniques against antimalware detection algorithms

26

[1] V. Rastogi, Y. Chen, X. Jiang, “Catch Me If You Can: Evaluating Android Anti-Malware Against Transformation Attacks”, IEEE Transaction on Information Forensics and Security, Vol.9, No.1, January 2014 [2] Android, the world's most popular mobile platform, http://developer.android.com/about/index.html, last visit 26 March 2015 [3] A tool for reverse engineering Android apk files, http://ibotpeaches.github.io/Apktool/, last visit 26 March 2016 [4] VirusTotal, https://www.virustotal.com, last visit 26 March 2016 [5]signapk: onboard apk signing script for android devices, https://code.google.com/p/signapk/, last visit 26 March 2016