MassVet: A team of university researchers has devised a new method for detecting malicious Android applications. So far, the researchers have discovered 127,429 malicious applications, including some allegedly exploiting 20 zero-days.
The program, called MassVet, is the brainchild of eight researchers: Kai Chen, Peng Wang, Yeonjoon Lee, XiaoFeng Wang and Nan Zhang from Indiana University; Heqing Huang and Peng Liu from Penn State University; and Wei Zou from the Chinese Academy of Sciences.
As the researchers explain in their paper (Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at Google-Play Scale, PDF), MassVet discards the signatures used by legacy scanning systems and instead compares legitimate Android frameworks to determine which applications are malicious.
The researchers even report that they can detect a malicious application in less than 10 seconds with a very low false-positive rate, and added that current Android security cannot be considered security.
Unlike existing detection mechanisms, which often use heavy-duty analysis techniques, our approach simply compares an app with all those already on the market, focusing on the differences that exist between those that share a similar UI (suggesting a possible repackaging), and the commonalities between those that are seemingly unrelated. Once public libraries and code reuse are removed, the program becomes much clearer.
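The comparison described above, as an added Python example (not code from the MassVet paper or its authors): each app is reduced to a UI fingerprint and a set of method fingerprints, code that differs from a look-alike app or is shared with an unrelated one is flagged, and library code is removed first. The `signer` field, the 0.8 similarity threshold and every sample app and method name are assumptions constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    name: str
    signer: str          # assumption: signing identity separates an update from a repackage
    views: frozenset     # constructed UI fingerprint: screen-to-screen transitions
    methods: frozenset   # constructed method fingerprints (stand-ins for code hashes)

def jaccard(a, b):
    """Set similarity in [0, 1]; two empty sets count as identical."""
    return len(a & b) / len(a | b) if (a or b) else 1.0

def vet(new, market, library_methods, ui_threshold=0.8):
    """Return {method: reason} for code in `new` that the comparison flags."""
    own = new.methods - library_methods           # drop public libraries first
    flagged = {}
    for other in market:
        if other.signer == new.signer:
            continue                              # same developer: treat as an update
        theirs = other.methods - library_methods
        if jaccard(new.views, other.views) >= ui_threshold:
            # Similar UI, different signer: the differing code is what was added.
            for m in sorted(own - theirs):
                flagged.setdefault(m, f"diff vs look-alike {other.name}")
        else:
            # Seemingly unrelated apps: code they still share is the suspicious part.
            for m in sorted(own & theirs):
                flagged.setdefault(m, f"common with unrelated {other.name}")
    return flagged

# Constructed sample market; all names and fingerprints are made up.
LIBS = frozenset({"adlib.init", "json.parse"})
FLASH_UI = frozenset({"main>settings", "main>about", "settings>about"})
MARKET = [
    App("flashlight", "dev-A", FLASH_UI,
        frozenset({"torch.on", "torch.off", "adlib.init"})),
    App("wallpaper", "dev-B", frozenset({"gallery>preview", "preview>set"}),
        frozenset({"img.load", "json.parse", "sim.read_serial"})),
]
REPACKAGED = App("flashlight-pro", "dev-X", FLASH_UI,
                 frozenset({"torch.on", "torch.off", "adlib.init", "dex.load_remote"}))
UNRELATED = App("notes", "dev-Y", frozenset({"list>edit"}),
                frozenset({"note.save", "json.parse", "sim.read_serial"}))
CLEAN = App("calc", "dev-Z", frozenset({"pad>history"}),
            frozenset({"calc.eval", "json.parse"}))
```

Calling `vet(REPACKAGED, MARKET, LIBS)` flags only the method added on top of the copied flashlight app, while `json.parse` is never flagged because it is on the library list.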
Aggregating an application's activities also reveals the presence of zero-day malware: running suspicious code dynamically, downloading suspicious photos or modifying the startup sequence of other applications, and accessing sensitive user data such as SIM card, serial number and phone number. Many are adware.
"The presence of these activities leads us to believe that zero-day malware is very likely to occur," the researchers said.
MassVet has so far vetted more than 1.2 million apps from 33 Android app stores and discovered 127,429 malware applications that had avoided detection by 54 virus scanners, including the popular VirusTotal service.
Of the infected apps discovered, 30,552 are hosted on Google Play.