Obfuscated Mobile Malware Detection
zveloLABS ran an experiment on Lookout Mobile’s Android anti-malware solutions:
We staged our experiment and subjected the same malicious malware binaries, DroidDream and Gemini, into a leading Android anti-virus app, Lookout (version 8.9-00fc217), for detection. We chose Lookout out of all the mobile AV apps cited in the research paper based on its popularity alone, which at the time of this post had been positively rated in most of the 434,000 plus reviews in the Google Play store.
Emulation of the Android smartphone environment was conducted using Eclipse IDE with its corresponding android virtual machine plugin (see image 01).
Image 01: Lookout mobile security app installed on a virtual Android environment
After setting up the environment, we successfully transformed the DroidDream binaries using the disassembling/assembling technique pointed out in the research paper, taking note of the researhers’ mention that transforming mobile malware could affect its functionality. In our experiment, we assumed that DroidDream retained its functionality because the disassembling/assembling approach did not change the code. The intention of this experiment was to determine whether or not the obfuscated version would be detected. The result?
Image 02: Lookout mobile security app successfully detecting obfuscated malware
The Lookout mobile anti-virus app logs (see image 2) showed a successful detection of the transformed DroidDream malware. The app’s logs also confirmed the detection of the other transformed mobile malware sample, Gemini.
It’s important to note that the version of Lookout used in the research paper (version 8.7.1-edc6df5) was outdated and at the time the obfuscated DroidDream malware did elude detection, evident and reflected by a malicious “Bowling Time” application icon installed on the virtual Android environment (see image 03).
Image 03: Lookout mobile security app showing the obfuscated DroidDream binaries installed
Through swift reverse engineering and innovation, Lookout was able to adapt and implement measures to combat the obfuscated malware tested. This truly shows the progression of whitehat and blackhat techniques for both building and combating malware.
Out of curiosity, we submitted the transformed mobile malware DroidDream into one of our affiliate online scanners which successfully detected it. This extra step raised a great point. Submission of mobile applications into third-party scanners might come handy in helping to gauge an app’s authenticity and credibility.
zveloLABS considers both static and behavioral methods. Static analysis is simply not enough, but can still be useful in detecting new breeds of Android malware that share the same signature footprints. When paired with behavioral detection methods and machine learning technologies, malware detection effectiveness improves significantly.