An armada of university researchers have devised a novel method of detecting malicious Android apps and, by way of demonstration, have dug up 127,429 shady software offerings, including some bearing exploits for a whopping 20 zero days.
The scheme, dubbed MassVet, is the brainchild of eight researchers: Kai Chen, Peng Wang, Yeonjoon Lee, XiaoFeng Wang and Nan Zhang of Indiana University; Heqing Huang and Peng Liu of Penn State University; and Wei Zou of the Chinese Academy of Sciences.
MassVet, explained in the paper [Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale pdf], dumps old-school signature scanning and instead compares a submitted app against the legitimate apps already on a market to establish which ones are malicious.
The authors brag that it can identify a malicious app in less than 10 seconds with low false positives, and add that current vetting mechanisms stink. The paper explains:
Unlike existing detection mechanisms, which often utilize heavyweight program analysis techniques, our approach simply compares a submitted app with all those already on a market, focusing on the difference between those sharing a similar UI structure (indicating a possible repackaging relation), and the commonality among those seemingly unrelated. Once public libraries and other legitimate code reuse are removed, such diff/common program components become highly suspicious.
This analysis is made scalable by its simple, static nature and the feature projection techniques that enable a cloud-based, fast search for view/code differences and similarities.
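The diff/common idea quoted above, as an added toy model that is not the MassVet system or the paper's code: a constructed market of apps, each reduced to a UI-structure fingerprint and a set of code-component hashes (placeholder labels, not real app data); look-alike apps are diffed, unrelated apps are intersected, and a hypothetical public-library list is subtracted from both.

```python
from typing import Dict, FrozenSet, Tuple

# Constructed sample market: app name -> (UI-structure fingerprint, code-component hashes).
# "_r" apps are repackaged copies carrying the same injected component "pay:sms";
# "weather_v2" is a legitimate update, included to show what a benign diff looks like.
KNOWN_LIBS = frozenset({"lib:ads", "lib:analytics"})  # hypothetical public libraries to discount

MARKET: Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]] = {
    "flashlight":   (frozenset({"main", "settings"}), frozenset({"f1", "f2", "lib:ads"})),
    "flashlight_r": (frozenset({"main", "settings"}), frozenset({"f1", "f2", "lib:ads", "pay:sms"})),
    "notes":        (frozenset({"list", "editor"}),   frozenset({"n1", "n2", "lib:analytics"})),
    "notes_r":      (frozenset({"list", "editor"}),   frozenset({"n1", "n2", "lib:analytics", "pay:sms"})),
    "weather":      (frozenset({"forecast"}),         frozenset({"w1", "lib:ads"})),
    "weather_v2":   (frozenset({"forecast"}),         frozenset({"w1", "w2", "lib:ads"})),
}

def ui_similarity(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Jaccard similarity of two UI-structure fingerprints."""
    return len(a & b) / len(a | b)

def diff_components(app: str, market=MARKET, threshold: float = 0.8) -> FrozenSet[str]:
    """Code present in `app` but absent from look-alike apps (possible repackaging), libraries removed."""
    ui, code = market[app]
    out = set()
    for other, (oui, ocode) in market.items():
        if other != app and ui_similarity(ui, oui) >= threshold:
            out |= code - ocode
    return frozenset(out - KNOWN_LIBS)

def common_components(app: str, market=MARKET, threshold: float = 0.2) -> FrozenSet[str]:
    """Code shared between `app` and apps whose UIs are unrelated, libraries removed."""
    ui, code = market[app]
    out = set()
    for other, (oui, ocode) in market.items():
        if other != app and ui_similarity(ui, oui) < threshold:
            out |= code & ocode
    return frozenset(out - KNOWN_LIBS)

def vet(app: str, market=MARKET) -> Dict[str, FrozenSet[str]]:
    """Report suspicious components; 'strong' is code that is both a look-alike diff and
    shared with unrelated apps, i.e. the same payload injected into several host apps."""
    d, c = diff_components(app, market), common_components(app, market)
    return {"diff": d, "common": c, "strong": d & c}

if __name__ == "__main__":
    for name in MARKET:
        print(name, vet(name))
```

Note that the genuine update weather_v2 also produces a diff ("w2"), which is why a diff on its own is a weaker signal than one that also recurs as common code across unrelated apps.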
Of the zero-day malware, the gathering of ivory tower minds says three samples load and execute dynamic suspicious code; one takes sneaky photos; another modifies the booting sequence of other apps; seven rip sensitive user data such as SIM card, serial and telephone numbers; and several spew adware.
"The presence of these activities makes us believe that very likely they are actually zero-day malware," they say.
VXers whose zero-day malware has been spiked need not lament the death of their work, however. The research fleet finds that, more than a quarter of the time, Google will merely ban the player, not the payload, allowing other net scum to run the same malicious code. In some gob-smacking instances bad apps are only banned from using the same name.
Another interesting finding is that we saw that some of these developers uploaded the same or similar malicious apps again after they were removed. Actually, among the 2125 reappeared apps, 604 confirmed malware (28.4 percent) showed up in the Play Store unchanged, with the same MD5 and same names. Further, those developers also published 829 apps with the same malicious code (as that of the malware) but under different names. The fact that the apps with known malicious payloads still got slipped in suggests that Google might not pay adequate attention to even known malware.
The team's platform builds its difference-and-commonality comparison on top of an existing code comparison algorithm.
MassVet crawled more than 1.2 million apps from 33 Android app stores, finding 127,429 malware apps and beating all 54 antivirus scanners, including the popular VirusTotal online analysis service, the boffins claimed.
Of those, 30,552 bad apps are hosted on Google Play.
Some malicious apps were installed millions of times on Android devices, the academic army says, while 34,026 caught by MassVet were missed by all antivirus engines.
More than 400 apps uploaded in the last 14 months were installed over a million times, and 5,000 were installed some 10,000 times each, "impacting hundreds of millions of mobile devices". ®