It turns out that Android antivirus apps can hardly detect malware: US study results
Antivirus software for personal computers can be hit or miss. Although it is useful on the whole, it is constantly required to keep up with evolving threats. In addition, because it accesses the "deep" parts of the system, it may make even more malicious attacks possible.
Now, the growth in threats is increasing the popularity of antivirus apps for Android. However, it seems that the same mistakes as before are being repeated here.
Many of the current problems stem from the immaturity of antivirus apps for Android. When a research team at the Georgia Institute of Technology analyzed 58 major apps, it found that the security of many of them was easily broken. This is because their malware detection methods lack diversity and cannot be finely tuned.
Test the antivirus apps from the "attacker's point of view"
The research team developed a tool called "AVPASS" to perform the analysis from an attacker's perspective. It can infiltrate a system while evading detection by antivirus software. Only two tools, AhnLab and White Armor, always prevented AVPASS attacks. In other words, 2 out of 58, which as a ratio is only about 3.5%.
"Some companies have just begun to work on virus products for mobile platforms. Many of the virus products for Android have just begun to work on this research. It may not be the initial version yet." "We want to say loudly that consumers should look at more than just virus measures. We need to be cautious."
The latest antivirus products use machine learning to keep up with malware evolution. So, in developing AVPASS, the research team began by developing methods that break through defensive algorithms, such as those found in academic research and other open source projects. Using the methods it had developed, the team then carried out attacks on commercial products, whose program code cannot be inspected.
On July 26 (US time), the research team gave a presentation and released AVPASS at the "Black Hat USA 2017" conference held in Las Vegas.
Use open source software for analysis
To test the 58 antivirus products and learn which "bypasses" could be found, the research team used a service called "VirusTotal". VirusTotal runs a system equipped with various tools for identifying malicious links and samples; it scans links and malware samples and outputs the result from each tool.
The research team had VirusTotal examine various malware components and checked which products detected which samples. As a result, it became possible to infer what types of detection features each antivirus product has.
Because the research team used VirusTotal under an academic license, the number of detection requests it could send was limited to fewer than 300 per malware sample. Even so, this was enough to obtain data on how each service performs detection.