DEVELOPMENT OF ANDROID MALWARE EVASION TECHNIQUE FOR BYPASSING SIGNATURE-BASED ANTI-MALWARE DETECTION USING OBFUSCATION AND DYNAMIC CODE LOADING
Format: | Theses
---|---
Language: | Indonesia
Institution: | Institut Teknologi Bandung
Online Access: | https://digilib.itb.ac.id/gdl/view/71403
Summary:

Malware is one of the biggest threats to the Android system today. Various malware detection methods have been developed by both academics and anti-malware vendors to detect malware attacks on the Android operating system. At the same time, malware developers continue to develop techniques to evade these detection systems. Understanding how these techniques are developed from the perspective of malware developers is one way to anticipate the attacks that will come and thereby strengthen existing defense systems.

This study proposes a framework for modifying malware using obfuscation techniques and dynamic code loading so that it can bypass signature-based anti-malware detection. The proposed framework exploits weaknesses in both the Android system and signature-based anti-malware systems. One such weakness is that anti-malware tends to be slow in adopting new malware signatures: by modifying the body of the malware, signatures that were previously recognized become unrecognizable. Another weakness lies in the Android system, where inserting malware into a legitimate application allows it to bypass Play Protect detection. Because the framework can embed malware into legitimate applications, it can also be used by application developers to test the resilience of their applications against repackaging attacks.

Testing and evaluation are carried out at each step of the proposed framework. The test results show that each step reduces the detection rate on VirusTotal, and testing the entire framework gives a significant reduction in the detection rate. The modified malware is then successfully installed on an Android device without being detected and performs its functions properly. This research also shows that the Play Protect system does not perform certificate checks properly: random use of certificates can trigger Play Protect detection, which raises a warning during installation that the application is not recognized, but by borrowing certificates from other applications this detection can easily be avoided.