How long does it take to create a virus for a mobile environment? - from 1 to 2 minutes

A group of researchers from the University of Sannio (Italy) has demonstrated how easy it is to make a well-known Android virus look "white and fluffy." Writing malicious code that bypasses protection is not easy, but there are methods to disguise a virus by generating a new file.
The difference between creating and generating such a program is that in the second case the “creator” does not write a single line of code, but simply presses the “create” button.
The researchers created an engine that uses up to 8 options for producing such mobile programs; these change the form of the code without affecting the behavior of the malicious programs themselves.
The developers called their engine "laundry viruses."
The engine was developed by a malware researcher for Android and works according to the following possible scenarios:
• Disassembling & Reassembling
• Repacking
• Changing Package Name
• Identifier Renaming
• Data Encoding
• Call Indirections
• Code Reordering
• Junk Code Insertion
• Composite Transformations
The researchers used their engine to modify 5560 malicious programs that 57 manufacturers of anti-malware protection had identified as dangerous. The developers tested their solution against 57 well-known antivirus programs. After modification, however, these antiviruses no longer recognized most of the already known but slightly disguised viruses.
“Will baseline detection algorithms be effective in a mobile environment for already known signatures? We have developed a script that applies small changes to the code of Android applications. Then we applied this modifier to real, known viruses, and sent the applications to www.virustotal.com before and after the modification, and noted the results of our tests “before” modification and “after”,” said Professor Corrado Visaggio, team leader. “The results are impressive: antiviruses could not recognize slightly modified viruses (although they were recognized before).”
The test showed that some viruses were still recognized by antiviruses after modification, but they were the smaller part.
In the table, the first column lists the manufacturers of protection, the second the number of viruses recognized before transformation, and the third the number of viruses recognized after transformation (in red).
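To see why exact signatures stop matching after such changes, and what a more robust comparison looks like, here is an added example (not code from the study or its engine). It compares a byte-level hash with a hash of the opcode sequence on constructed smali-like listings; the listings and function names are assumptions made for illustration.

```python
import hashlib

# Constructed smali-like listings (not from the study): the same method before
# and after package renaming, identifier renaming and junk (nop) insertion.
ORIGINAL = """\
.class public Lcom/example/app/Sender;
.method public send(Ljava/lang/String;)V
    const-string v0, "hello"
    invoke-virtual {p0, v0}, Lcom/example/app/Sender;->log(Ljava/lang/String;)V
    return-void
.end method
"""
TRANSFORMED = """\
.class public Lorg/a/b/C;
.method public a(Ljava/lang/String;)V
    nop
    const-string v0, "hello"
    nop
    invoke-virtual {p0, v0}, Lorg/a/b/C;->b(Ljava/lang/String;)V
    return-void
.end method
"""
UNRELATED = """\
.class public Lcom/example/other/Calc;
.method public add(II)I
    add-int v0, p1, p2
    return v0
.end method
"""

def raw_signature(listing: str) -> str:
    """Byte-level signature: changes with any edit to the file."""
    return hashlib.sha256(listing.encode()).hexdigest()

def opcode_fingerprint(listing: str) -> str:
    """Hash of the opcode sequence only: names, registers and nops dropped."""
    opcodes = []
    for line in listing.splitlines():
        token = line.strip().split(" ", 1)[0]
        # Skip blanks, directives (.class, .method ...) and junk nops.
        if not token or token.startswith(".") or token == "nop":
            continue
        opcodes.append(token)
    return hashlib.sha256(" ".join(opcodes).encode()).hexdigest()

def same_family(a: str, b: str) -> bool:
    """True when two listings share the same normalized opcode sequence."""
    return opcode_fingerprint(a) == opcode_fingerprint(b)
```

This normalization only survives renaming and nop insertion; data encoding, call indirections and code reordering alter the opcode sequence itself and need different features.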
The “virus laundry” engine used in the experiment was released for scientific purposes under an open-source license and is available on GitHub.
Details of the test (in English).
The test prompted a discussion about whether the generation of malware can be limited, since the experts showed that viruses can be created without writing a single line of code, using only slightly modified, already known viruses.
In addition, these studies have shown how much the vulnerability of IT changes with a changing environment (in this case the mobile environment, where, as Google predicts, everything is moving) and how easy it is to produce “new” viruses: just by changing conditional commas in the code, or by making only very minor changes, we get malicious software that most antiviruses already familiar with the “parent” virus code do not recognize.
As the saying goes: the new is the well-forgotten old!
Based on the message