Google's Bouncer, the Android malware scanner for the Play Store, tests submitted apps by running them in a virtualized environment, a simulated phone created in software, and automatically watches how each app behaves before approving it for the market.
Google launched this app-scanning tool two years ago to protect its users and their devices. Bouncer is a security feature of the Android Play Store market designed to keep Android users from falling victim to malicious apps. But does the security tool go far enough?
Despite this protective shield, the Google Play Store has repeatedly hosted malicious apps that easily bypass the Bouncer scan and target Android users.
Security researchers from Columbia University have exploited weaknesses in Google's Bouncer service to sneak malicious apps onto the Android market. Their new research paper reveals that dynamic analysis tools and services in general are vulnerable to most of the evasion techniques they discovered.
Like Google's Bouncer, other heuristic analysis tools detect malicious applications either from prior knowledge of typical command sequences in code or of metadata (static analysis), or from observed behavior (dynamic analysis).
The research paper [pdf], titled "Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware", was written by a team of five researchers, Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis and Sotiris Ioannidis of the Institute of Computer Science, Columbia University, USA.
They created malware samples that were able to hide themselves when analyzed in an emulated environment, and so bypass heuristic-based dynamic and static analysis platforms such as Andrubis, DroidBox, DroidScope, APK Analyzer, or APKScan.
"A malicious program can try to infer whether it runs in an emulated environment, and therefore evade detection by pausing all malicious activities," the researchers said. "Even trivial techniques, such as checking the value of the IMEI, are enough to evade some of the existing dynamic analysis frameworks."
The team modified some real-world Android malware to include the bypass techniques for heuristic-based detection and tested the result against a number of dynamic analysis tools. "To assess the effectiveness of our techniques, we incorporated them in real malware samples and submitted them to publicly available Android dynamic analysis systems, with alarming results," they added.
LAB TEST RESULTS
- All analysis tools failed to beat the heuristic evasion techniques.
- All analysis tools failed to correctly infer the malicious behavior of the repackaged malware samples.
- Malware writers can fingerprint most of the analysis services from information inferred about their execution environment, and use that to develop more sophisticated and reliable evasion techniques.
- Only one tool, 'APK Analyzer', was able to detect that a malware application was checking for a virtual machine in order to hinder analysis.
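The "trivial" IMEI check the researchers describe, and the service fingerprinting in the results above, both rest on the same fact: a stock emulator reports values no real handset does. The following added example, which is not code from the paper or from this article, uses one table of such defaults for two defensive purposes: a static scan over decompiled app source that flags code reading a device identifier and comparing it with an emulator-only value, and a self-audit of an analysis sandbox's own reported properties so operators can see what a sample could fingerprint. The all-zero IMEI comes from the article; the other defaults (google_sdk model, goldfish hardware, "generic" fingerprint prefix) and every source snippet and property dump below are assumptions and constructed samples, not data from the paper.

```python
"""Emulator-fingerprint heuristics, used two ways:
  scan_app()      - static scan of decompiled app source for code that reads a device
                    identifier and compares it with an emulator-only value
  audit_sandbox() - check an analysis sandbox's own reported properties so operators
                    know which defaults a sample could use to fingerprint it
Added example, not code from the paper or the article. Indicators beyond the all-zero
IMEI mentioned in the article are assumptions based on commonly documented emulator defaults.
"""
import re
from collections import defaultdict

# Values an unmodified Android emulator reports (assumed defaults).
EMULATOR_DEFAULTS = {
    "imei": "000000000000000",
    "build.model": "google_sdk",
    "build.hardware": "goldfish",
    "build.fingerprint_prefix": "generic",
}

# Source-level indicators: name -> (pattern, category).
# "read": the app reads an identifier; "emu_literal": it compares against an emulator-only value.
INDICATORS = {
    "device_id_api": (re.compile(r"\bgetDeviceId\s*\("), "read"),
    "build_fields": (re.compile(r"\bBuild\.(FINGERPRINT|MODEL|PRODUCT|HARDWARE|BRAND)\b"), "read"),
    "imei_zero_literal": (re.compile(r'"0{14,15}"'), "emu_literal"),
    "generic_fingerprint": (re.compile(r'"generic'), "emu_literal"),
    "sdk_model": (re.compile(r'"(google_)?sdk"'), "emu_literal"),
    "goldfish_hw": (re.compile(r'"goldfish"'), "emu_literal"),
}


def scan_app(lines):
    """Return {indicator: [1-based line numbers]} for each hit in decompiled source lines."""
    hits = defaultdict(list)
    for n, line in enumerate(lines, 1):
        for name, (pat, _) in INDICATORS.items():
            if pat.search(line):
                hits[name].append(n)
    return dict(hits)


def flag_evasion_suspect(hits):
    """True only when an identifier is read AND an emulator-only literal appears.
    Reading the IMEI alone is common in benign apps, so requiring both keeps noise down."""
    cats = {INDICATORS[name][1] for name in hits}
    return "read" in cats and "emu_literal" in cats


def audit_sandbox(props):
    """Given the sandbox's reported properties, return the keys still at emulator defaults.
    Anything returned is a value a sample can compare against, so it should be set to a
    realistic device value before analysis."""
    exposed = []
    for key, default in EMULATOR_DEFAULTS.items():
        if key == "build.fingerprint_prefix":
            if props.get("build.fingerprint", "").startswith(default):
                exposed.append("build.fingerprint")
        elif props.get(key) == default:
            exposed.append(key)
    return exposed


# Constructed decompiled snippets (not real malware) used as scanner input.
SUSPECT_SOURCE = [
    'String imei = tm.getDeviceId();',
    'if ("000000000000000".equals(imei) || Build.FINGERPRINT.startsWith("generic")) {',
    '    return;  // stays dormant when the device looks emulated',
    '}',
    'startService(new Intent(this, Worker.class));',
]
BENIGN_SOURCE = [
    'String imei = tm.getDeviceId();',
    'analytics.setUserProperty("device", imei);',
]
# Constructed sandbox property dumps: a stock emulator vs. one given device-like values.
STOCK_SANDBOX = {"imei": "000000000000000", "build.model": "google_sdk",
                 "build.hardware": "goldfish", "build.fingerprint": "generic/sdk/generic"}
HARDENED_SANDBOX = {"imei": "356938035643809", "build.model": "Nexus 5",
                    "build.hardware": "hammerhead", "build.fingerprint": "google/hammerhead"}

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_SOURCE), ("benign", BENIGN_SOURCE)):
        hits = scan_app(src)
        print(f"{label}: {hits} -> evasion suspect={flag_evasion_suspect(hits)}")
    for label, props in (("stock", STOCK_SANDBOX), ("hardened", HARDENED_SANDBOX)):
        print(f"{label} sandbox still exposes: {audit_sandbox(props)}")
```

The co-occurrence rule in flag_evasion_suspect is deliberate: many legitimate apps read the IMEI or Build fields for analytics, so a scanner that alerts on the read alone would drown in false positives; the emulator-only literal is what turns a read into an environment check. The sandbox audit is the mirror image, and a stock emulator fails every row of the table, which is exactly the fingerprintability the results above report.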
"However Google's Bouncer would have the smarts to detect the slippery malware if it were upgraded with realistic sensor event simulation, more accurate binary translation and hybrid application execution," The Register reported.
FAILURE IN DETECTION = THREAT TO USERS
Mobile malware can pose a significant threat to users. Most of the evasion techniques are not new, but the paper shows that malware authors are constantly evolving and can always find new ways around the security checks.
So malware may not only fool automated analysis systems; that failure also raises the risk to end users' devices, which can be compromised by malware that goes undetected. End users are advised to be extra vigilant when installing applications from app stores and to keep the "Unknown sources" Android system setting unchecked to prevent dropped or drive-by-download app installs.