The Department of Computer Science at North Carolina State University has started the Android Malware Genome Project in an attempt to dissect Android-based malware and see what makes it tick. The researchers are working with a collection of some 1,200 Android malware samples, including the very first Trojans found in August 2010.
The team has started to systematically analyze the samples and build a database of their characteristics, including how the malware gets installed, how it is activated, and the nature of its malicious payloads. Not surprisingly, one “discovery” made by the team is that malware is “evolving rapidly to circumvent the detection from existing mobile anti-virus software.”
“In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples,” wrote Yajin Zhou and Xuxian Jiang in a paper called “Dissecting Android Malware: Characterization and Evolution” (PDF).
Running their collection of malicious apps through four common anti-virus suites for Android, the team found that the best of the bunch detected 79.6% of the samples, while the worst detected only 20.2%. It is hoped that the Genome Project will lead to a better next generation of anti-malware solutions for Android.
Here is the performance of the four AV apps tested (chart not reproduced here):
In picking apart the samples in the dataset, the researchers came up with some interesting statistics. First, 86.0% of the samples are repackaged versions of legitimate apps with malicious payloads added; note that these figures describe this particular collection, not Android malware as a whole. Secondly, around one third (36.7%) of the samples use root exploits to fully compromise the device. Most alarmingly, more than 90% turn the compromised phones into bots controlled over the Internet or by text message. Interestingly, the most common way malware authors make money is by signing victims up to premium-rate SMS numbers or by placing phone calls without the user’s awareness.