Contributors: Tommy Dong, Martin Zhang
Recently, a number of new techniques have been discovered that not only help Android malware evade detection but also help it stay installed even after it has been detected. We are seeing these techniques incorporated across a large swath of malware families. In this blog post, we'll do a quick round-up of them.
1: Packers
Packed Android applications have been around for a long time, but a more recent trend we've observed is the increasing prevalence of Android malware leveraging packing technology. In the past nine months, the share of packed samples among the malware our customers encounter has risen from 10 percent to 25 percent.
Figure. Packer use by Android malware in the wild by percentage
2: MultiDex apps
An Android app's executable code lives in Dalvik Executable (DEX) files. A typical app ships a single classes.dex, and standard malware detection focuses on that one file. We're now encountering more Android malware that splits its code across several DEX files (classes.dex, classes2.dex, and so on, as MultiDex builds do), leaving part of the payload where a scanner that only reads classes.dex never looks. This simple step is a cheap evasion technique against static analysis.
3: Instant Run-based malware
Instant Run is a feature introduced with Android Studio 2.0. It lets developers push code changes to a running debug build quickly by delivering them as a .zip file instead of reinstalling the whole APK. We're now seeing malware authors hide the payload portion of their app in code fragments stored in the .zip file that Instant Run uses. This evasion technique only works on Android Lollipop (API level 21) and later. It cannot be used for apps distributed through Google Play, as it applies only to debug builds, which are installed by sideloading.
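The MultiDex and Instant Run tricks above work against the same blind spot: a scanner that only opens classes.dex. The following is an added example (not code from the original post or from Symantec) that contrasts that naive check with a content-based walk over every entry of the APK, including DEX stored under an unrelated name and DEX inside nested zips such as instant-run.zip. The sample APK, the fake DEX images and the nested path layout inside instant-run.zip are constructed for the example and are assumptions, not a specification.

```python
import io
import re
import zipfile

# A DEX image starts with the magic "dex\n0NN\0" (035, 037, 038, ...) followed by a
# fixed 0x70-byte header; an APK is an ordinary zip archive.
DEX_MAGIC = re.compile(rb"^dex\n0\d\d\x00")
DEX_HEADER_LEN = 0x70
ZIP_MAGIC = b"PK\x03\x04"


def looks_like_dex(blob):
    """Content-based test: DEX magic plus room for the fixed-size header."""
    return len(blob) >= DEX_HEADER_LEN and DEX_MAGIC.match(blob) is not None


def naive_scan(apk_bytes):
    """The check the post calls 'standard': look at classes.dex and nothing else."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return ["classes.dex"] if "classes.dex" in z.namelist() else []


def find_all_dex(apk_bytes, prefix="", depth=0, max_depth=2):
    """Return the path of every DEX image in the archive, wherever it is stored:
    classes.dex plus the classes2.dex, classes3.dex ... of a MultiDex build, DEX
    stored under an unrelated name (e.g. in assets/), and DEX inside nested zips
    such as the instant-run.zip of an Instant Run debug build. Nested archives
    are descended only to max_depth so a malicious zip cannot recurse forever."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            blob = z.read(info)
            path = prefix + info.filename
            if looks_like_dex(blob):
                found.append(path)
            elif blob.startswith(ZIP_MAGIC) and depth < max_depth:
                found.extend(find_all_dex(blob, path + "!/", depth + 1, max_depth))
    return found


def fake_dex():
    """Constructed stand-in for a DEX file: valid magic, zeroed header."""
    return b"dex\n035\x00" + b"\x00" * (DEX_HEADER_LEN - 8)


def build_sample_apk():
    """Constructed sample: a MultiDex app that also embeds an Instant Run zip.
    The entry names inside instant-run.zip are assumed for the example."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("instant-run-dex/slice_0-classes.dex", fake_dex())
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00\x08\x00\x00\x00")
        z.writestr("classes.dex", fake_dex())
        z.writestr("classes2.dex", fake_dex())           # MultiDex second file
        z.writestr("assets/update.bin", fake_dex())      # DEX hidden under another name
        z.writestr("instant-run.zip", inner.getvalue())  # Instant Run payload
        z.writestr("assets/notes.txt", b"not code")
    return outer.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    print("naive scan :", naive_scan(apk))
    print("full scan  :", find_all_dex(apk))
```

The point of matching on the DEX magic rather than on file names is that the entry name is entirely under the author's control; the only thing a payload cannot change is that the runtime needs a real DEX header to load it.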
4: Malformed manifest files
Another technique we're seeing more of recently is malware hiding from scanners by putting abnormal values in the app manifest (AndroidManifest.xml, stored in Android's binary XML format) and the compiled resources file (resources.arsc). Inaccurate size fields and bogus magic values in chunk headers, junk data inserted into the string pool or appended after the end of the file, and mismatched XML namespaces can all derail or hang a static parser that trusts what the headers say, while the app itself still installs and runs.
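Both AndroidManifest.xml (compiled) and resources.arsc are built from the same chunk structure: a little-endian header of type, headerSize and size, with child chunks nested inside. The checker below is an added example (not code from the original post or from Symantec) that walks that structure without trusting it, so that the manipulations the paragraph lists surface as findings instead of a crash or an infinite loop. The sample manifests are constructed for the example; the chunk type codes and header layouts follow Android's ResourceTypes.h.

```python
import struct

# ResChunk_header: u16 type, u16 headerSize, u32 size (little-endian).
RES_STRING_POOL_TYPE = 0x0001
RES_TABLE_TYPE = 0x0002        # top-level chunk of resources.arsc
RES_XML_TYPE = 0x0003          # top-level chunk of a compiled AndroidManifest.xml
RES_XML_START_ELEMENT_TYPE = 0x0102
RES_XML_END_ELEMENT_TYPE = 0x0103
XML_CHILD_TYPES = {0x0001, 0x0100, 0x0101, 0x0102, 0x0103, 0x0104, 0x0180}
STRING_POOL_HEADER_LEN = 28


def check_string_pool(data, off, size):
    """Sanity-check a ResStringPool_header against the chunk that holds it."""
    if size < STRING_POOL_HEADER_LEN:
        return ["string pool at %d (%d bytes) is too small for its header" % (off, size)]
    n_str, n_sty, _flags, str_start, sty_start = struct.unpack_from("<IIIII", data, off + 8)
    out = []
    # A parser that trusts stringCount allocates and walks 4 * n_str bytes of offsets.
    if STRING_POOL_HEADER_LEN + 4 * (n_str + n_sty) > size:
        out.append("string pool at %d claims %d strings/%d styles in %d bytes" % (off, n_str, n_sty, size))
    if str_start > size or (n_sty and sty_start > size):
        out.append("string pool at %d points its string/style data outside the chunk" % off)
    return out


def check_chunks(data):
    """Walk the chunk tree of a compiled manifest or resources.arsc and return a
    list of findings; an empty list means every header is self-consistent."""
    if len(data) < 8:
        return ["blob is shorter than one chunk header"]
    top_type, top_hdr, top_size = struct.unpack_from("<HHI", data, 0)
    findings = []
    if top_type not in (RES_XML_TYPE, RES_TABLE_TYPE):
        findings.append("unexpected top-level chunk type 0x%04x" % top_type)
    if top_size < len(data):
        findings.append("%d bytes of trailing data after declared size %d" % (len(data) - top_size, top_size))
    elif top_size > len(data):
        findings.append("declared size %d exceeds the %d bytes present" % (top_size, len(data)))
    end = min(top_size, len(data))
    if top_hdr < 8 or top_hdr > end:
        return findings + ["top-level headerSize %d is invalid" % top_hdr]
    off = top_hdr
    while off < end:
        if end - off < 8:
            findings.append("%d dangling bytes at offset %d" % (end - off, off))
            break
        ctype, chdr, csize = struct.unpack_from("<HHI", data, off)
        if chdr < 8 or csize < chdr:
            # size 0 is the classic hang: a loop doing `off += size` never advances.
            findings.append("chunk 0x%04x at %d has impossible sizes (headerSize %d, size %d);"
                            " a naive loop would not advance" % (ctype, off, chdr, csize))
            break
        if off + csize > end:
            findings.append("chunk 0x%04x at %d overruns its parent (%d > %d)" % (ctype, off, off + csize, end))
            break
        if csize % 4:
            findings.append("chunk 0x%04x at %d has a size not aligned to 4" % (ctype, off))
        if top_type == RES_XML_TYPE and ctype not in XML_CHILD_TYPES:
            findings.append("unknown chunk type 0x%04x at %d inside binary XML" % (ctype, off))
        if ctype == RES_STRING_POOL_TYPE:
            findings.extend(check_string_pool(data, off, csize))
        off += csize
    return findings


# ---- constructed samples (not real manifests) ----------------------------
def _chunk(ctype, header_extra, body):
    return struct.pack("<HHI", ctype, 8 + len(header_extra), 8 + len(header_extra) + len(body)) + header_extra + body


def _string_pool(strings):
    """UTF-8 pool: each entry is <charlen><bytelen><bytes>\\0, data padded to 4."""
    offsets, blob = [], b""
    for s in strings:
        offsets.append(len(blob))
        enc = s.encode()
        blob += bytes([len(s), len(enc)]) + enc + b"\x00"
    blob += b"\x00" * (-len(blob) % 4)
    hdr = struct.pack("<IIIII", len(strings), 0, 0x100, STRING_POOL_HEADER_LEN + 4 * len(strings), 0)
    return _chunk(RES_STRING_POOL_TYPE, hdr, b"".join(struct.pack("<I", o) for o in offsets) + blob)


def _start_element(name_idx):
    hdr = struct.pack("<II", 1, 0xFFFFFFFF)                               # lineNumber, comment
    return _chunk(RES_XML_START_ELEMENT_TYPE, hdr, struct.pack("<IIHHHHHH", 0xFFFFFFFF, name_idx, 20, 20, 0, 0, 0, 0))


def _end_element(name_idx):
    hdr = struct.pack("<II", 1, 0xFFFFFFFF)
    return _chunk(RES_XML_END_ELEMENT_TYPE, hdr, struct.pack("<II", 0xFFFFFFFF, name_idx))


def _bogus_pool():
    pool = bytearray(_string_pool(["manifest"]))
    struct.pack_into("<I", pool, 8, 0x10000000)                           # forged stringCount
    return bytes(pool)


GOOD_MANIFEST = _chunk(RES_XML_TYPE, b"", _string_pool(["manifest"]) + _start_element(0) + _end_element(0))
JUNK_AT_END = GOOD_MANIFEST + b"\x90" * 16                                 # data past the declared size
ZERO_SIZE_CHUNK = _chunk(RES_XML_TYPE, b"", _string_pool(["manifest"])
                         + struct.pack("<HHI", RES_XML_START_ELEMENT_TYPE, 16, 0) + b"\x00" * 28)
BOGUS_STRING_COUNT = _chunk(RES_XML_TYPE, b"", _bogus_pool() + _start_element(0) + _end_element(0))
```

Run over a real APK, the checker is a cheap pre-filter: any finding means the file is either corrupt or deliberately shaped to disagree with itself, and a sample worth looking at more closely either way.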
5: Using chattr to lock malware in the system
Malware that gains root privileges on a device can be particularly difficult to remove. A newer technique we're seeing in the wild takes advantage of Android's Linux underpinnings to lock the installation in place. It relies on the chattr Linux command, which sets the immutable attribute on a file (chattr +i): while the attribute is set, the file cannot be deleted, renamed or modified, even by root, until the attribute is cleared again. The malware packs its own copy of the chattr utility, encrypted, into the app, uses root to copy the payload APK into the system folder, and then marks it immutable, further confusing attempts at removal.
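The immutable bit is a property of the inode, not of the process that set it, so removal is a matter of recognising it and clearing it before the rm. The shell snippet below is an added example (not from the original post or from Symantec) for a rooted shell: it parses lsattr output, treats both the immutable (i) and append-only (a) flags as "locked", clears them with chattr -i/-a, and only then deletes the file. It assumes lsattr and chattr are available (for instance from a busybox or e2fsprogs copy you bring along, since the sample's own encrypted copy cannot be relied on); the path in the usage line is hypothetical.

```sh
#!/bin/sh
# lsattr(1) prints "<attribute string> <path>", e.g.
#   ----i---------e------- /system/app/payload.apk
# Lowercase 'i' is immutable, lowercase 'a' is append-only; both block unlink.
# Return 0 if the attribute field of an lsattr line carries either flag.
lsattr_line_locked() {
    attrs=${1%% *}          # first whitespace-separated field only
    case "$attrs" in
        *i*|*a*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Clear the flags (needs CAP_LINUX_IMMUTABLE, i.e. root) and remove the file.
unlock_and_remove() {
    f=$1
    line=$(lsattr "$f" 2>/dev/null) || { echo "lsattr failed on $f" >&2; return 1; }
    if lsattr_line_locked "$line"; then
        echo "clearing immutable/append-only flags on $f"
        chattr -i -a "$f" || return 1
    fi
    rm -f "$f"
}

# Usage (hypothetical path): unlock_and_remove /system/app/payload.apk
```

Two caveats apply on a real device: /system is normally mounted read-only, so it has to be remounted read-write before either chattr or rm will succeed, and chattr only works on filesystems that implement these attributes (ext4 and f2fs do), which is exactly why the dropped payload ends up on the system partition rather than in an app sandbox on a different filesystem.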
Staying a step ahead
As the mobile ecosystem matures and becomes more sophisticated and feature rich, the arms race between mobile malware authors and mobile security products will continue to escalate. Malware authors are continuously adopting new techniques in order to improve their creations. Symantec overcomes these techniques by combining deeper static analysis, dynamic analysis, and machine learning within Symantec’s Mobile Insight to identify the malware despite evasion tactics.
Symantec continues to monitor the mobile threat landscape and analyze the latest malware so that we can stay a step ahead of malware authors and keep our customers protected.
Symantec recommends users follow these steps to stay protected from mobile threats:
- Keep your software up to date
- Only install apps from trusted sources such as Google Play
- Pay close attention to the permissions that apps request
- Install a suitable mobile security app, such as Norton, to protect your device and data
- Make frequent backups of important data