Symantec Identifies Polymorphic Android App Malware

Monday, February 06, 2012

Contributed By:
Headlines

Researchers at Symantec have identified a crafty Trojan targeting Android devices which slightly modifies its code every time the malware is downloaded.

The technique is called server-side polymorphism, and it allows the malware to remain more difficult to detect when examined by traditional signature-based antivirus software defenses.

The technique has been used for years to hide malicious code targeting PCs using the Windows operating system, but has only recently been discovered in malware aimed at infecting mobile devices.

"For quite some time, we have observed the technique of server-side polymorphism being used to infect Windows computers around the world. What this means is that every time a file is downloaded, a unique version of the file is created in order to evade traditional signature-based detection. We are now seeing this same technique being used for malicious Android applications hosted on Russian websites," Symantec's Security Response blog explains.

Symantec has identified multiple variants of the malware, which is being distributed by Russian-based websites offering Android application downloads.

"We detect all of these variants as Android.Opfake. The sites hosting Opfake include either links or buttons that can be used to download the malicious packages that are purporting to be free versions of popular Android software," Symantec warns.

The malicious code is able to accomplish the "morphing" of its signature in several different ways, one of which is a manual adaptation that researchers believe is a sign that the attack are being actively administered by the malware authors.

"Opfake performs server-side polymorphism using three techniques: variable data changes, file re-ordering, and insertion of dummy files... The applications morph themselves automatically in a few ways every time the threat is downloaded. In addition, manual modifications are also made every few days indicating that the malware authors are actively maintaining this malware family," the blog continued.

Source: http://www.symantec.com/connect/blogs/server-side-polymorphic-android-applications

Share This! |

Views:	3887
Categories:	Viruses & Malware
Tags:	Antivirus malware Application Security Research Symantec Mobile Devices Attacks Android Malicious Code variants trojan Polymorphic Malware Android.Opfake Opfake

Post Rating I Like this!

Comments:

You Must Register or Login to Comment

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked

Latest Member Comments

"Just DON'T defrag an SSD"

Spring Cleaning Your PC... Jeff D on 05-21-2012

"Phil, Thank you for taking the time to read this post, and for your note. The format for displaying the metrics here might not b..."

Making Security Metrics That Matter... Robb Reck on 05-21-2012

"An attack might even consist of multiple seemingly unrelated incidents spanning the target's supply chain. that's precisely..."

Attribution: Inductive vs. Deductive Reasoni... CP Constantine on 05-21-2012

"'the assumption that reverse engineering skills are a functional replacement for good detective skills.' - Perhaps because attri..."

Attribution: Inductive vs. Deductive Reasoni... Michael Johnson on 05-19-2012