Measuring and Explaining the Effects of Android App Transformations in Online Malware Detection
Guozhu Meng, Zhixiu Guo, Xiaodong Zhang, Haoyu Wang, Kai Chen, Yang Liu

TL;DR
This paper presents a data-driven method to measure and explain how Android app transformations affect malware detection by antivirus engines, revealing underlying detection mechanisms and indicators of compromise.
Contribution
It introduces a novel interaction model and large-scale empirical analysis of antivirus responses to app transformations, enhancing understanding of malware detection processes.
Findings
Antivirus engines exhibit specific response patterns to app transformations.
Certain app features serve as indicators of compromise during detection.
Detection effectiveness varies across different analysis techniques.
Abstract
It is well known that antivirus engines are vulnerable to evasion techniques (e.g., obfuscation) that transform malware into its variants. However, a missed detection cannot necessarily be attributed to the effectiveness of these evasions; limitations of the engines themselves may also produce this unsatisfactory result. In this study, we propose a data-driven approach to measure the effect of app transformations on malware detection, and further explain why these engines produce the detection results they do. First, we develop an interaction model for antivirus engines, illustrating how they respond with different detection results to varying inputs. Six app transformation techniques are implemented in order to generate a large number of Android apps with traceable changes. Then we undertake a one-month tracking of app detection results from multiple antivirus engines, through which we obtain over 971K…
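The measurement the abstract describes, reduced to its core bookkeeping, as an added example that is not the paper's code or data: each app is scanned in original form and after each transformation, verdicts are tracked over time with later re-scans overriding earlier ones, and a per-engine evasion rate is computed per transformation. Only apps an engine flags in original form count, because a transformation cannot "evade" a detection that never happened. A high rate means the engine's verdict depended on the feature the transformation removed, which is how a transformation with traceable changes points at an indicator of compromise. The engine names, the three transformation names (the page does not list the paper's six), every verdict and the day-30 re-scan are constructed for illustration.

```python
"""Attribute antivirus verdict changes to app transformations.

Added example, not code from the paper. Engine names, transformation names
and every verdict below are constructed (assumed) for illustration.
"""

ENGINES = ["engineA", "engineB", "engineC"]            # hypothetical engines
TRANSFORMATIONS = ["rename_identifiers", "encrypt_strings", "repackage"]  # assumed

# Day-1 baseline: (app, transformation) -> {engine: verdict}; "original" is the
# untransformed app and True means the engine flagged the sample as malicious.
DAY1_VERDICTS = {
    ("app1", "original"):           {"engineA": True,  "engineB": True,  "engineC": True},
    ("app1", "rename_identifiers"): {"engineA": False, "engineB": True,  "engineC": True},
    ("app1", "encrypt_strings"):    {"engineA": False, "engineB": False, "engineC": True},
    ("app1", "repackage"):          {"engineA": True,  "engineB": True,  "engineC": True},
    ("app2", "original"):           {"engineA": True,  "engineB": True,  "engineC": False},
    ("app2", "rename_identifiers"): {"engineA": False, "engineB": True,  "engineC": False},
    ("app2", "encrypt_strings"):    {"engineA": True,  "engineB": False, "engineC": False},
    ("app2", "repackage"):          {"engineA": True,  "engineB": True,  "engineC": False},
    ("app3", "original"):           {"engineA": False, "engineB": True,  "engineC": True},
    ("app3", "rename_identifiers"): {"engineA": False, "engineB": True,  "engineC": True},
    ("app3", "encrypt_strings"):    {"engineA": False, "engineB": True,  "engineC": True},
    ("app3", "repackage"):          {"engineA": False, "engineB": False, "engineC": True},
}

# Constructed re-scans during the tracking window: (day, app, transformation,
# engine, verdict). On day 30 engineB starts flagging app3's repackaged variant,
# e.g. after a signature update, so its earlier miss must not be counted.
RESCANS = [
    (30, "app3", "repackage", "engineB", True),
]


def latest_verdicts(baseline, rescans):
    """Fold re-scans over the baseline; the most recent verdict per
    (app, transformation, engine) wins."""
    verdicts = {key: dict(by_engine) for key, by_engine in baseline.items()}
    for _day, app, transformation, engine, verdict in sorted(rescans):
        verdicts.setdefault((app, transformation), {})[engine] = verdict
    return verdicts


def evasion_rate(verdicts, engine, transformation):
    """Fraction of apps that `engine` flags in original form but misses after
    `transformation`. Returns None when the engine flagged no original app
    (or no variant verdict exists), so an undefined rate is not reported as 0."""
    flagged = evaded = 0
    for (app, t), by_engine in verdicts.items():
        if t != "original" or not by_engine.get(engine):
            continue
        variant = verdicts.get((app, transformation), {})
        if engine not in variant:          # variant never scanned by this engine
            continue
        flagged += 1
        if not variant[engine]:
            evaded += 1
    return evaded / flagged if flagged else None


def flipped_engines(verdicts, app, transformation):
    """Engines that flag the original app but not this variant: the traceable
    change in detection caused by the transformation."""
    original = verdicts.get((app, "original"), {})
    variant = verdicts.get((app, transformation), {})
    return sorted(e for e, v in original.items() if v and variant.get(e) is False)


def likely_indicators(verdicts, engines, transformations, threshold=0.5):
    """Per engine, the transformations whose evasion rate reaches `threshold`.
    The feature such a transformation removes is a likely indicator of
    compromise for that engine, since the verdict depended on it."""
    result = {}
    for engine in engines:
        rates = {t: evasion_rate(verdicts, engine, t) for t in transformations}
        result[engine] = sorted(t for t, r in rates.items()
                                if r is not None and r >= threshold)
    return result


if __name__ == "__main__":
    v = latest_verdicts(DAY1_VERDICTS, RESCANS)
    for engine in ENGINES:
        print(engine, {t: evasion_rate(v, engine, t) for t in TRANSFORMATIONS})
    print("app1/encrypt_strings flipped:", flipped_engines(v, "app1", "encrypt_strings"))
    print("likely indicators:", likely_indicators(v, ENGINES, TRANSFORMATIONS))
```

With the constructed data, engineA loses every app it flagged once identifiers are renamed (rate 1.0), which points at name-based signatures; engineB is unaffected by renaming but misses two of three apps after string encryption; engineC holds its verdicts across all three transformations, so none of these features explains its detections. The day-30 re-scan changes engineB's repackage rate from 1/3 to 0, which is why the tracking window matters rather than a single scan.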
Taxonomy
Topics: Advanced Malware Detection Techniques · Spam and Phishing Detection · Software Testing and Debugging Techniques
