Popular Android Antiviruses Fail to Detect Cloned Malicious Apps: DroidMorph


According to a new study published by a group of scientists, anti-virus solutions for Android are still vulnerable to various types of malware, posing a severe concern as bad actors improve their toolkits to better elude detection.

“Malware writers use covert mutations (morphing/obfuscations) to produce malware clones on a constant basis, thwarting detection by signature-based detectors,” the researchers added. “This clone attack poses a severe threat to all mobile platforms, particularly Android.”

Researchers from Adana Science and Technology University in Turkey and the National University of Science and Technology in Islamabad, Pakistan, revealed their findings last week in a report.

Unlike iOS, Android devices allow users to download apps from third-party sources, raising the risk of unwitting users installing unverified and lookalike apps that clone the functionality of legitimate apps but are designed to trick users into downloading apps laced with fraudulent code capable of stealing sensitive information.

Furthermore, malware authors can use this technique to make many clones of the rogue software with varied levels of abstraction and obfuscation to hide their true intentions and get past anti-malware engines’ defence barriers.

The researchers created DroidMorph, a tool that allows Android applications (APKs) to be “morphed” by decompiling the files to an intermediate form, which is then modified and compiled to create clones, both benign and malware, to test and evaluate the resilience of commercially available anti-malware products against this attack.

Morphing could occur at various levels, according to the researchers, including those that require modifying the class and method names in the source code or something more complex that alters the program’s execution flow, such as the call graph and control-flow graph.

The researchers discovered that 8 out of 17 leading commercial anti-malware programmes failed to detect any of the cloned applications in a test using 1,771 morphed APK variants generated through DroidMorph, with an average detection rate of 51.4 percent for class morphing, 58.8 percent for method morphing, and 54.1 percent for body morphing observed across all programmes.

LineSecurity, MaxSecurity, DUSecurityLabs, AntivirusPro, 360Security, SecuritySystems, GoSecurity, and LAAntivirusLab are among the anti-malware applications that have been successfully circumvented.

The researchers plan to add further obfuscations at different levels as well as enable morphing of metadata information such as permissions encoded in an APK file as part of their future work in order to reduce detection rates.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.