Android is the dominant mobile platform with 85% market share, as of the first quarter of 2017. At the same time, the number and sophistication of malicious Android apps are increasing.
Many reasons contribute to this meteoric rise of malware apps, including: (1) the relative ease of creating a piggybacked app, i.e., a mutated version of a legitimate app injected with either malicious code or embedded advertisements; and (2) the prevalence of alternative Android app stores (i.e., app stores other than the official Android app store, Google Play), on which malicious apps may be distributed to users.
To protect mobile devices, users often rely on anti-malware products, which scan apps to determine if they are benign or malicious. However, many malware apps have previously evaded detection by these products. Examples of such malicious apps include Brain Test, VikingHorde, FalseGuide, and DressCode. These apps infected millions of users before they were detected. To evade detection, malware authors often rely on code obfuscation, i.e., transforming code into a form that is more difficult for humans, and possibly machines, to read, understand, and reverse engineer. These transformations change the syntax of the code but not its semantics.
To better protect the intellectual property of benign app developers and prevent cloning of their apps, several companies have developed obfuscation tools, or obfuscators for short, that implement different code transformations (e.g., identifier renaming, string encryption, reflection, etc.). Given the use of obfuscations by malware authors, the goal of this study is to assess the performance of commercial anti-malware products against various obfuscation tools and strategies. In addition, this study evaluates the ability of obfuscation tools to generate valid, installable, and runnable obfuscated Android apps.
To study the effectiveness of anti-malware products, we applied several different obfuscation strategies to each Android app. Table 1 shows the obfuscation strategies applied in this study along with their abbreviations. In addition to these 11 obfuscation strategies, we also applied 18 combined obfuscation strategies.
Study subjects
Obfuscation Tools
Available on GitHub
To perform our analysis of anti-malware products, we evaluated the performance and the resiliency of 61 commercial anti-malware products against obfuscations. In the paper, we included the top 21 products, shown in Table 3. On this website, we include the results for all products.
Our study answers the following research questions:
To conduct this study, we used our framework to obfuscate the 6,000 original apps. Table 4 shows the number of obfuscated apps resulting from applying the 29 obfuscation strategies leveraged by the obfuscation tools. Each empty cell indicates that we did not apply the corresponding obfuscation strategy from a particular obfuscation tool. In total, we generated 73,362 obfuscated apps.
Detection rate on original and obfuscated apps. Figure 2 shows the detection rate of 21 anti-malware products on the original dataset of 6,000 apps, depicted as black bars, and on the obfuscated dataset of 73,362 apps, depicted as gray bars. Figure 2 demonstrates that the detection rate of anti-malware products on the original dataset is above 85% for 16 products, and between 75% and 85% for 4 anti-malware products.
Figure 3 contains box-and-whisker plots illustrating the impact of each obfuscation strategy on all 21 anti-malware products.
The figure below shows the impact of each obfuscation strategy on all 61 anti-malware products.
Figure 4 contains box-and-whisker plots illustrating the impact of each obfuscation tool on all 21 anti-malware products.
The figure on the right contains box-and-whisker plots illustrating the impact of each obfuscation tool on all 61 anti-malware products.
A significant factor that may interact with the effect of obfuscations on anti-malware product accuracy is time. For RQ3, we conducted a time-aware analysis that studies the accuracy of anti-malware products on original and obfuscated apps that belong to the same time period over the past 10 years. Figure 5 depicts the results of this analysis. To conduct this experiment, we grouped apps into two-year time periods. Each time period contains all apps developed during that time period along with their obfuscated versions.
Figure 6 compares the ability of obfuscation tools to produce installable and runnable apps with the detection rate of anti-malware products against the apps obfuscated by each tool.
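The two measurements described above, the per-strategy impact on a product's detection rate (Figure 3) and the time-aware grouping in which an obfuscated app is counted in its original's two-year period (Figure 5), as an added example that is not the study's own analysis code. The apps, products, verdicts and the 2008 period start are all constructed assumptions; the strategy names are the ones the page mentions.

```python
from collections import defaultdict

# Constructed sample (not the study's data): three original apps with their
# release year, obfuscated variants that reference their original, and one
# verdict per (app, anti-malware product).
ORIGINALS = {"A": 2012, "B": 2013, "C": 2016}
VARIANTS = {  # variant id -> (original id, obfuscation strategy)
    "A-ren": ("A", "identifier renaming"), "A-str": ("A", "string encryption"),
    "B-ren": ("B", "identifier renaming"), "B-str": ("B", "string encryption"),
    "C-ren": ("C", "identifier renaming"), "C-str": ("C", "string encryption"),
}
SCANS = [  # (app id, product, flagged as malicious?)
    ("A", "AV1", True), ("B", "AV1", True), ("C", "AV1", True),
    ("A-ren", "AV1", True), ("A-str", "AV1", False), ("B-ren", "AV1", True),
    ("B-str", "AV1", False), ("C-ren", "AV1", True), ("C-str", "AV1", True),
    ("A", "AV2", True), ("B", "AV2", False), ("C", "AV2", True),
    ("A-ren", "AV2", False), ("A-str", "AV2", False), ("B-ren", "AV2", False),
    ("B-str", "AV2", False), ("C-ren", "AV2", True), ("C-str", "AV2", False),
]

def period_of(year, start=2008, width=2):
    """Label the two-year period a year falls in, e.g. 2013 -> '2012-2013'.
    The 2008 start is an assumption; the page only says two-year periods."""
    lo = start + ((year - start) // width) * width
    return f"{lo}-{lo + width - 1}"

def app_year(app_id):
    """Obfuscated variants inherit the release year of their original."""
    original = VARIANTS[app_id][0] if app_id in VARIANTS else app_id
    return ORIGINALS[original]

def rate(flags):
    """Detection rate over a list of verdicts (None when the list is empty)."""
    return sum(flags) / len(flags) if flags else None

def time_aware_rates(scans):
    """{(product, period): (rate on originals, rate on obfuscated apps)}."""
    buckets = defaultdict(lambda: ([], []))
    for app_id, product, flagged in scans:
        key = (product, period_of(app_year(app_id)))
        buckets[key][1 if app_id in VARIANTS else 0].append(flagged)
    return {k: (rate(o), rate(v)) for k, (o, v) in buckets.items()}

def strategy_drop(scans, product):
    """Per strategy: how far the product's detection rate falls below its
    rate on the original apps, i.e. the evasion gained by that obfuscation."""
    originals = [f for a, p, f in scans if p == product and a not in VARIANTS]
    by_strategy = defaultdict(list)
    for app_id, p, flagged in scans:
        if p == product and app_id in VARIANTS:
            by_strategy[VARIANTS[app_id][1]].append(flagged)
    base = rate(originals)
    return {s: base - rate(flags) for s, flags in by_strategy.items()}
```

A strategy drop of 0.0 means the product is resilient to that transformation on this sample; a drop equal to the original detection rate means every obfuscated variant evaded it.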