AndroWasm: an Empirical Study on Android Malware Obfuscation through WebAssembly
Diego Soi, Silvia Lucia Sanna, Lorenzo Pisu, Leonardo Regano, Giorgio Giacinto

TL;DR
This paper explores how WebAssembly can be used by Android malware to evade detection, demonstrating its effectiveness through proof-of-concept attacks that bypass current analysis tools.
Contribution
It introduces WebAssembly as a novel obfuscation technique for Android malware and analyzes its integration and evasion capabilities within Android's execution environment.
Findings
Wasm can embed malicious payloads in Android apps.
Wasm-based malware can bypass state-of-the-art detection tools.
Proof-of-concept attacks demonstrate effective evasion of VirusTotal and MobSF.
Abstract
In recent years, stealthy Android malware has increasingly adopted sophisticated techniques to bypass automatic detection mechanisms and hinder manual analysis. Adversaries typically rely on obfuscation, anti-repacking, steganography, poisoning and evasion techniques against AI-based tools, and in-memory execution to conceal malicious functionality. In this paper, we investigate WebAssembly (Wasm) as a novel technique for hiding malicious payloads and evading traditional static analysis and signature-matching mechanisms. While Wasm is typically employed to render specific gaming activities and interact with the native components in web browsers, we provide an in-depth analysis of the mechanisms Android may employ to include Wasm modules in its execution pipeline. Additionally, we provide Proofs-of-Concept to demonstrate a threat model in which an attacker embeds and executes malicious…
Taxonomy
Topics: Advanced Malware Detection Techniques · Digital and Cyber Forensics · Security and Verification in Computing
