Android malware finds way to polymorph

Symantec is reporting that it has begun to see Android malware that exhibits similar characteristics to server-side polymorphic malware in the desktop environment.
Written by Michael Lee, Contributor



(Pixel Virus image by Surian Soosay, CC BY 2.0)

The company said that it has come across malicious Android applications hosted outside of the Android marketplace, which automatically change themselves each time they are downloaded. The malware, which Symantec's mobile-security product detects as Android.Opfake, makes changes to variable data, re-orders files in Android packages and/or inserts dummy files in an attempt to avoid detection.

These dummy files all contain a picture of a Russian man who has become somewhat of an internet celebrity due to people manipulating his photo into various images.

However, while the malware might share similar characteristics to polymorphic viruses, Trend Micro told ZDNet Australia that strictly speaking, it isn't the same in the mobile environment as it is in the desktop environment.

In the desktop environment, server-side polymorphic malware takes advantage of how it is distributed. Infected sites deliver malware to the user by exploiting any of a number of vulnerabilities, and server-side polymorphic malware serves each user a unique strain, making detection difficult. Detection usually relies on looking for similar signatures, but, since each sample is generated server-side, the end results are (ideally) completely different.
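The evasion Symantec describes (re-ordering entries in the Android package and inserting dummy files) and the detection problem outlined above can be shown directly, because an Android package is a zip archive. The following is an added example written for this page, not code from Symantec, Trend Micro or the article: it builds two constructed in-memory packages with identical executable content but different entry order and one padding file, and shows that a whole-file hash signature sees two unrelated samples while a fingerprint over the code entries alone matches both. The entry names, the placeholder DEX and manifest bytes and the `res/` convention for resources are assumptions, and the dummy-entry heuristic is one simple illustration of the kind of non-signature check the quoted vendors allude to.

```python
import hashlib
import io
import zipfile

# Entries that carry the executable behaviour of a package. A signature
# keyed on their content, rather than on the download as a whole, is not
# disturbed by archive order or by padding files. (Assumed names; real
# packages have more entries than these two.)
CODE_ENTRIES = ("AndroidManifest.xml", "classes.dex")


def build_apk(entries):
    """Build an in-memory zip (an APK is a zip archive) from an ordered
    list of (name, bytes) pairs. Constructed sample, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def whole_file_hash(apk_bytes):
    """Naive static signature: SHA-256 of the entire download."""
    return hashlib.sha256(apk_bytes).hexdigest()


def normalized_fingerprint(apk_bytes):
    """Order-independent fingerprint of the executable content only:
    hash each code entry, concatenate in a fixed order, hash again."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        present = set(zf.namelist())
        parts = []
        for name in sorted(CODE_ENTRIES):
            if name in present:
                digest = hashlib.sha256(zf.read(name)).digest()
                parts.append(name.encode() + b"\0" + digest)
    return hashlib.sha256(b"".join(parts)).hexdigest()


def padding_entries(apk_bytes):
    """Entries that are neither code nor resources. A package padded
    with such files is a heuristic indicator worth a closer look."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted(
            n for n in zf.namelist()
            if n not in CODE_ENTRIES and not n.startswith("res/")
        )


def same_by_whole_file(a, b):
    return whole_file_hash(a) == whole_file_hash(b)


def same_by_normalized(a, b):
    return normalized_fingerprint(a) == normalized_fingerprint(b)


# Constructed placeholder contents; none of this is real bytecode.
DEX = b"dex\n035\0constructed sample bytecode"
MANIFEST = b"<manifest package='example.app'/>"
ICON = b"\x89PNG constructed icon bytes"

# Variant A: the package as first served.
VARIANT_A = build_apk([
    ("AndroidManifest.xml", MANIFEST),
    ("classes.dex", DEX),
    ("res/drawable/icon.png", ICON),
])

# Variant B: the same code, served again with the entries re-ordered
# and a dummy file inserted, the per-download change the article describes.
VARIANT_B = build_apk([
    ("classes.dex", DEX),
    ("assets/dummy_4711.jpg", b"constructed filler image bytes"),
    ("res/drawable/icon.png", ICON),
    ("AndroidManifest.xml", MANIFEST),
])

if __name__ == "__main__":
    print("whole-file hashes match:", same_by_whole_file(VARIANT_A, VARIANT_B))
    print("code fingerprints match:", same_by_normalized(VARIANT_A, VARIANT_B))
    print("padding entries in B:", padding_entries(VARIANT_B))
```

Run stand-alone it reports that the whole-file hashes differ while the code fingerprints match, and lists the dummy entry in the second variant. The point generalises beyond this constructed pair: any detection keyed on the bytes of the download as a whole is defeated by trivial repackaging, whereas a fingerprint over the parts that actually execute has to be changed by modifying the code itself, which is more work for the distributor and more likely to leave heuristic traces.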

Trend Micro argues that Symantec's example isn't a true example of server-side polymorphic malware since the malware is self-updating on the client side.

"These are self-updating pieces of malware that use your mobile device's connectivity to either download updates, upgrades, configuration files," its US threat team wrote in an email, but it didn't write off the threat as insignificant.

"Much as it is like in the desktop environment, security solutions that use static signatures are not the best way to go, and adding heuristics will do better — but the better solution is prevention by blocking access to locations and sites that have been observed to only host mobile malware."

Although Trend Micro was unable to confirm at the time of writing whether its mobile security product was able to detect these types of threats, it placed emphasis on the need for users to raise their awareness and acknowledge that technology is only part of the solution.

"It's time for mobile users to awaken to the facts above, and the capabilities of their devices. They should treat app downloads with the same caution as they do on desktops, and install or make use of whatever security add-ons, as this creates another protective layer."

Rival security company Lookout said that it had noticed these types of threats several months ago, and that its Mobile Security product already detects and protects against them.

Nevertheless, the company continues to take a cautious approach towards the threat.

"We are closely monitoring this family of malware to see how it evolves, like we would any malware family."

McAfee said it is aware of polymorphic malware, and while it did not confirm whether its product was able to guard against such threats, it had taken a similar approach to Trend Micro in recognising the importance of blocking access to malware sources.

"We are currently exploring a number of techniques to address this using existing technologies, such as white listing and behavioural analysis, as well as other techniques."

The use of behavioural analysis is a technique recently employed by Google's new server-side Bouncer service, which automatically scans the Android Marketplace for malicious apps.

Google declined to comment on whether Bouncer would detect apps that used techniques similar to polymorphism, or whether such apps had yet made it into the Marketplace.
