Examining the upside of mobile security

Mobile MalwareWe’ve heard enough depressing mobile security and malware news, so let’s take an “up-side” look at some recent research on the subject. Here’s how it went down, from Dark Reading:

Researchers from Northwestern University and North Carolina State University for one year tested popular mobile AV apps for Android on their ability to detect malware that uses evasion techniques, such as changing up the code or morphing a malware sample. Polymorphism can be as simple as changing the order of the code and data files or just renaming the file, or as complex as changing the appearance of the code but not its behavior.

Guess what, malware is still an issue and mobile antivirus software still doesn’t stop all the threats, blah blah blah, we know how that story goes. Instead of rehashing those issues, let’s focus on the positive: According to the study, many antivirus software options are getting better at detecting certain malware techniques.

The good news is that the tools appear to be getting better at detecting malware that uses basic transformation/obfuscation techniques, such as repacking or reassembling the malware, via unzip or rezip, for example. These methods don’t change the code, just the packaging. In 2012, 45 percent of the AV signatures failed to detect malware that used such basic transformation techniques, but this year only 16 percent of them have missed “trivially” transformed malware samples so far, the researchers say.

In the ever-changing threat landscape of mobile security, progressive is impressive. Companies have to stop the little things so they can focus time and energy on addressing larger, more complex challenges. The next challenge, the research suggests, is detecting malware that disguises itself by changing its code.

“The result that we have here certainly indicates improvement: Anti-malware tools do not succumb as frequently to such trivial transformations. However, this is far from good. As long as anti-malware tools continue to use content-based signatures, evading them is really easy,” Chen says.

Today’s mobile AV signatures are based on byte patterns in the malware, and malware writers can easily evade AV tools by changing those bytes, according to the researchers. Some 90 percent of the malware signatures studied by the researchers don’t use static analysis of the byte-level code. Dr. Web was the only AV product employing static analysis, they say.

“The main problem with such signatures is that they are based on patterns of bytes in the malware. These bytes can, however, easily be changed without altering the functionality. Another way to say this is there could be many differently written pieces of program code that all do the same thing,” Yan says. AV technology must evolve to semantics-based detection, which analyzes the functionality in an app.

Symantec, who’s Norton Mobile Security software was included in the researchers’ tests, pointed out that just because the software didn’t detect the malware created specifically for the study doesn’t mean it fails to detect all malware instances using those techniques. That statement alone should remind you just have difficult mobile security can be. The second half of the Symantec statement sums up the challenges pretty neatly:

“Symantec constantly researches potential future advancements in attacker strategies and continually monitors the threat landscape, evaluating and evolving our protection capabilities for our mobile products to protect customers accordingly.”

Read the full article at Dark Reading >>>

Anyone involved in mobile security needs to constantly pay attention to the threats that are actually out there hitting users right now and the techniques behind those threats. Hopefully we can eventually find a way to stop the techniques, but while we’re trying to solve that puzzle addressing specific malware attacks is a good place to be.

In the meantime, take a small moment of happiness whenever we get better at mobile security – it’s a hard field to be in and every little win is a step in the right direction.

Related Stories

Leave a comment


This will only be used to quickly provide signup information and will not allow us to post to your account or appear on your timeline.