Android malware uses server-side polymorphism to evade detection


Summary: Tricks that worked for the bad guys on Windows now being reused for Android.

TOPICS: Apps, Android

The other day we saw Android malware make use of steganography techniques; now another evasion trick has been uncovered.

Malware writers use all sorts of tricks to avoid detection, and one of them is polymorphism: the code is rewritten so that its bytes (and therefore its file hash and any static byte signature) change, while what the code actually does stays the same. A variant of the idea, called server-side polymorphism, moves that rewriting off the victim's device and onto the distribution server, which hands out a fresh, never-before-seen sample for every download; a scanner that relies on hashes or signatures of previously collected samples then has nothing to match. The technique has been used to evade detection on Windows systems for some time now, and security firm Symantec has discovered malware targeting the Android platform that uses the same trick.

The malware, which Symantec calls Android.Opfake, is embedded in applications hosted on Russian websites. The hosting server alters the package every time it is downloaded, so no two downloads are byte-for-byte identical and hash- or signature-based detection becomes harder. On top of that, the malware writers appear to be constantly making changes and additions to the code itself, as part of an ongoing maintenance program.

The package served for each download differs from the previous one in three ways:

  • Variable data changes: values in the package's data differ per download, so the file's hash changes
  • File re-ordering: the entries inside the APK (which is an ordinary ZIP archive) are shuffled, changing the archive's bytes without changing what gets installed
  • Insertion of dummy files: junk entries are added, further altering the archive's size and hash

What's interesting about the dummy files created by the malware is that they all contain this mysterious image. Anyone know who it is?
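The three transformations, and why a constant like the recycled image matters to a defender, are easier to see in code. The following Python script is an added illustration and is not Symantec's analysis or any code from Android.Opfake: it models a hostile server that rewrites a tiny APK-like zip on every download (the member names, the config value, the placeholder dex bytes and the fake image bytes are all constructed for the example), then shows that a whole-file hash differs between two downloads while a fingerprint of the unchanged code member still matches, and that a byte signature on the one thing the generator never varies, the embedded image, hits every variant.

```python
"""Added illustration of server-side polymorphism on an APK-like zip and of
two detection approaches: a whole-file hash (defeated) and fingerprints of
what the generator leaves unchanged (not defeated)."""
import hashlib
import io
import random
import zipfile

# Constructed sample "app". An APK is an ordinary zip archive, so three fake
# members are enough; the dex bytes are a placeholder, not Dalvik bytecode.
BASE_FILES = {
    "AndroidManifest.xml": b'<manifest package="example.fake"/>',
    "classes.dex": b"dex\n035\x00" + b"PLACEHOLDER_SMS_SENDER" * 8,
    "res/raw/cfg.txt": b"service=1\n",
}
# Stand-in for the image that every dummy file carried (constructed bytes).
DUMMY_IMAGE = b"\xff\xd8\xff\xe0FAKEJPEG" + bytes(range(64))


def build_zip(files, order):
    """Write the members in the given order with a fixed timestamp, so the
    archive bytes depend only on content and order (deterministic for tests)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            info = zipfile.ZipInfo(name, date_time=(2012, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def serve_variant(seed):
    """What the hostile server does per download: same payload, new wrapper.
    The seed stands in for 'whatever the server used this time'."""
    rng = random.Random(seed)
    files = dict(BASE_FILES)
    # 1. Variable data change: a harmless-looking config value differs per download.
    files["res/raw/cfg.txt"] += b"build=%08x\n" % rng.getrandbits(32)
    # 2. Dummy files: one to three junk members, each the same image plus random
    #    padding under a random name, so per-file hashes of the junk differ too.
    for _ in range(rng.randint(1, 3)):
        name = "assets/%06x.jpg" % rng.getrandbits(24)
        files[name] = DUMMY_IMAGE + bytes(rng.getrandbits(8) for _ in range(8))
    # 3. File re-ordering: shuffle the order of entries in the archive.
    order = list(files)
    rng.shuffle(order)
    return build_zip(files, order)


def whole_file_hash(apk):
    """The naive blocklist key: sha256 of the downloaded bytes."""
    return hashlib.sha256(apk).hexdigest()


def member_hashes(apk):
    """Map each member name to the sha256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}


def payload_fingerprint(apk):
    """Hash only the executable member; order, junk and config noise drop out."""
    return member_hashes(apk)["classes.dex"]


def matches_image_signature(apk):
    """Byte signature on the one thing the generator never varied: the image."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return any(DUMMY_IMAGE in zf.read(n) for n in zf.namelist())


if __name__ == "__main__":
    first, second = serve_variant(1), serve_variant(2)
    print("whole-file hashes match:   ", whole_file_hash(first) == whole_file_hash(second))
    print("payload fingerprints match:", payload_fingerprint(first) == payload_fingerprint(second))
    print("image signature hits:      ", matches_image_signature(first), matches_image_signature(second))
```

The practical point is that polymorphism defeats hashes of the whole artifact, so detection has to move to whatever the generator cannot cheaply vary: here the executable member and the recycled image. If the variable data changes touch the code itself rather than only config data, the payload fingerprint would have to be computed over normalized code (for example the dex with string constants and ordering canonicalized) rather than over raw bytes.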

Behind the changing wrapper, Android.Opfake is yet another in a long line of Android malware that sends premium-rate SMS messages without the user's consent.

If you are worried about such malware, then you should know that Symantec’s Norton Mobile Security protects customers against all automatically generated variants of Android.Opfake.





Talkback

19 comments
  • I HATE to say this.... But this does kind of sound like a rather long-winded commercial for Symantec.

    Pagan jim
    James Quinn
  • Install Symantec Norton AV on your Android at once!

    (Source code included!) :/
    Dietrich T. Schmitz *Your Linux Advocate
    • RE: Android apps use server-side polymorphism to evade detection

      @Dietrich T. Schmitz *Your Linux Advocate Or an even better way to avoid this: use WP 7, as it is much more stable and secure than Android. Not to mention that WP 7 is also the fastest mobile OS you can get.
      Stephen-B
      • RE: Android apps use server-side polymorphism to evade detection

        @Stephen-B Why use WP7 when the iPhone is much, much better?
        athynz
      • RE: Android apps use server-side polymorphism to evade detection

        @Stephen-B WP7 is not only ten times more virus-laden than any phone out there, it is also the ugliest and laggiest and buggiest piece of crap Microsoft has ever puked out. The Zune was 100 times better than WP7 and we all see how supportive Microsoft has been on their Zune products.

        Microsoft has certainly lost their way.
        BIGELLOW
  • RE: Android apps use server-side polymorphism to evade detection

    The image seems to be the userpic of a user named "sni_ffy2" who has posted on various Russian forums, as early as March 2010. TinEye and Google Image search can't find that image in any other context.
    s1m55r
    • RE: Android apps use server-side polymorphism to evade detection

      @s1m55r It's this man.

      http://www.netlore.ru/userfiles/image/Images/folder1/svidetel2.jpg

      http://www.netlore.ru/userfiles/image/Images/NetLore1/svidetel3.jpg
      BIGELLOW
  • RE: Android apps use server-side polymorphism to evade detection

    Wasn't Symantec the company that just the other day had to "rephrase" a comment on how much malware was on Android?
    simpleone71
  • This is why the security through obscurity argument is not entirely false.

    I have long argued (based on hacker comments) that the concept of security through obscurity is not entirely false. Once Android and iPhones got out there in numbers, the dark-side hackers will attack. Windows Phone not so much; no interest in attacking it. The argument (STO) isn't sufficient to explain the Wintel malware phenomenon, but it is a small part of the equation. The real reason for that phenomenon was that originally Windows wasn't designed with security in mind. Gates was dreaming about connectivity without bounds and it took a while to reverse that thinking and retrofit solid security back in. That said, the reason I like Windows is that it has the best development tools. They make software development fun. But those malware guys have their sights set on Android and iPhone, and it may take them a while, but the attacks will come.
    MeMyselfAndI_z
    • The big problem with your theory

      is that there isn't any malware for iOS out there (unless you count the jailbreak community), even though iOS devices far outnumber android devices. Hmm. Perhaps the wall serves as a protection from the barbarians outside the gate.
      baggins_z
  • RE: Android apps use server-side polymorphism to evade detection

    Gee, and I thought those Russian sites were reputable... Next thing you know, they'll be saying torrents and warez are loaded with viruses and malware too. That's it, I'm going back to the Chinese sites hosting pirated apps, they're definitely safe.

    Seriously though, common sense says you don't install stuff from shady, unknown sources... and if you do, be prepared to get bitten.
    NetAdmin1178
    • You mean like the Android app marketplace?

      NT
      baggins_z
      • RE: Android apps use server-side polymorphism to evade detection

        @baggins_z

        HAR HAR... Awesome comeback man! Keep on trollin'
        NetAdmin1178
    • RE: Android apps use server-side polymorphism to evade detection

      @NetAdmin1178 Actually baggins_z is correct - there have been numerous occasions when malware-laden apps were removed from Google's Android App Market... you know, the only app market accessible to Android owners who did not enable that "Unknown sources - Allow installation of non-Market applications" box under Application Settings on the Android OS.

      BTW do YOU even own an Android based device?
      athynz
  • I'm shocked, shocked I tell you, to find there's yet more Android malware out there. Who doesn't want their phone to send high-price SMS messages? What's even more awesome is that it uses some battery for you while it does it.
    Johnny Vegas
    • RE: Android apps use server-side polymorphism to evade detection

      duplicate
      rwwff
    • RE: Android apps use server-side polymorphism to evade detection

      @Johnny Vegas
      It's a question of RECEIVING premium SMS, supposedly as a subscription service of "valuable" data.

      If you don't want to receive "premium" sms; it should be easy enough to turn that feature off with your carrier. Verizon was simple enough for me.
      rwwff
  • RE: Android apps use server-side polymorphism to evade detection

    Would be awesome if they pull this trick in Apple's AppStore... Or they already did that and we just didn't know?
    Samic
    • RE: Android apps use server-side polymorphism to evade detection

      @Samic No it would not be "awesome" - at least no more awesome than it is with Google's Android App Market - but AFAIK this has not happened with Apple's App Store yet.
      athynz