Android malware uses server-side polymorphism to evade detection

Tricks that worked for the bad guys on Windows now being reused for Android.

The other day we saw Android malware make use of steganography techniques, now another trick is uncovered.

Malware writers use all sorts of tricks to avoid detection, and one of those is called polymorphism. It's a cool trick that allows the code to change its appearance without changing what it actually does. A newer form, called server-side polymorphism, where the server hands out a freshly altered copy on every download, has been used to evade detection on Windows systems for some time now, but security firm Symantec has discovered malware targeting the Android platform that uses the same trick.

The malware, called Android.Opfake, is embedded into applications hosted on Russian websites. The code is designed to modify itself every time it's downloaded to make detection more difficult. Also, it appears that the malware writers are constantly making changes and additions to the code as part of an ongoing maintenance program.

The code is capable of modifying itself on download in three different ways:

  • Variable data changes
  • File re-ordering
  • Insertion of dummy files
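As an added illustration (constructed here, not code from the article or from Symantec), the toy Python model below simulates the three per-download changes and shows why a hash blocklist misses every fresh copy while a check on what the package declares and does still fires. The archive contents, the `SEND_SMS`/`sendTextMessage` markers and the detection rule are assumptions, simplified from the real binary-XML manifest and dex formats.

```python
import hashlib
import io
import random
import zipfile

# Constructed stand-in for the malicious package; not the real Android.Opfake files.
MANIFEST = b'<manifest><uses-permission android:name="android.permission.SEND_SMS"/></manifest>'
DEX = b"dex\n035\x00sendTextMessage(\"PREMIUM\")"
MYSTERY_IMAGE = b"\x89PNG constructed placeholder"  # stands in for the dummy-file image


def build_variant(seed):
    """Simulate the three server-side changes: variable data, file order, dummy files."""
    rng = random.Random(seed)
    entries = [("AndroidManifest.xml", MANIFEST), ("classes.dex", DEX),
               ("assets/cfg.txt", b"id=%d" % rng.randrange(10**6))]   # variable data changes
    for i in range(rng.randint(1, 4)):                                  # dummy file insertion
        entries.append((f"res/raw/junk{i}_{rng.randrange(10**4)}.png", MYSTERY_IMAGE))
    rng.shuffle(entries)                                                # file re-ordering
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def hash_detect(blob, known_hashes):
    """Classic blocklist: only matches a byte-identical, previously seen download."""
    return sha256_hex(blob) in known_hashes


def behaviour_detect(blob):
    """Ignore packaging noise; key on the declared permission plus the SMS-sending code.
    Illustrative only: a real rule would need more context to avoid flagging SMS apps."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        if not {"AndroidManifest.xml", "classes.dex"} <= set(zf.namelist()):
            return False
        manifest = zf.read("AndroidManifest.xml")
        dex = zf.read("classes.dex")
    return b"SEND_SMS" in manifest and b"sendTextMessage" in dex


def compare(n=5):
    """Return (hash hits, behaviour hits) over n fresh downloads after seeing one copy."""
    known = {sha256_hex(build_variant(0))}
    variants = [build_variant(s) for s in range(1, n + 1)]
    return (sum(hash_detect(v, known) for v in variants),
            sum(behaviour_detect(v) for v in variants))
```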

What's interesting about the dummy files created by the malware is that they all contain this mysterious image. Anyone know who it is?

Android.Opfake is yet another in a long line of Android malware that sends premium rate SMS messages without the user's consent.

If you are worried about such malware, then you should know that Symantec’s Norton Mobile Security protects customers against all automatically generated variants of Android.Opfake.
