MassVet: A team of university researchers has devised a new method for detecting malicious Android apps. So far, the researchers have discovered 127,429 pieces of malicious software, including some that allegedly exploit 20 zero-days.
The program, called MassVet, is the brainchild of eight researchers: Kai Chen, Peng Wang, Yeonjoon Lee, XiaoFeng Wang and Nan Zhang from Indiana University, Heqing Huang and Peng Liu from Penn State University, and Wei Zou from the Chinese Academy of Sciences.
As the researchers explain in their paper (Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at Google-Play Scale, PDF), MassVet abandons the signatures used by older scanning systems and instead compares Android apps with one another to determine which applications are malicious.
The researchers report that they can detect a malicious application in less than 10 seconds with very few false positives, and add that current Android security cannot be considered security.
"In contrast to existing tracking mechanisms, which often use heavy-duty analysis techniques, our approach simply compares one application to all those already on the market, focusing on the differences between those that share a similar UI (suggesting a possible repackage), and the commonalities between those that are seemingly irrelevant. Once public libraries and code reuse are removed, the program becomes much clearer."
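A minimal sketch of the diff/common comparison described above, added here as an illustration and not MassVet's own code. The app records, method names, library list, the signer check and the 0.8 UI-similarity threshold are all assumptions made for the example.

```python
# Added illustration of the diff/common idea; all data below is constructed.

def jaccard(a, b):
    """Similarity of two sets (here: edges of an app's screen-navigation graph)."""
    return len(a & b) / len(a | b) if a | b else 0.0

def vet(new_app, market, library_methods, ui_threshold=0.8):
    """Return {market_app_name: (relation, suspicious_methods)} for a submitted app."""
    findings = {}
    new_code = new_app["methods"] - library_methods   # drop public-library code
    for app in market:
        if app["signer"] == new_app["signer"]:
            continue  # assumption: same signer means legitimate reuse
        code = app["methods"] - library_methods
        if jaccard(new_app["ui"], app["ui"]) >= ui_threshold:
            # Similar UI: likely repackaging, so the *added* code is suspect.
            relation, suspicious = "diff", new_code - code
        else:
            # Unrelated UI: code *shared* by unrelated apps is suspect.
            relation, suspicious = "common", new_code & code
        if suspicious:
            findings[app["name"]] = (relation, suspicious)
    return findings

LIBS = {"ads.sdk.init", "ads.sdk.show", "json.parse"}
FLASH_UI = {("Main", "Settings"), ("Main", "About")}
MARKET = [
    {"name": "flashlight", "signer": "devA", "ui": FLASH_UI,
     "methods": {"torch.on", "torch.off", "ads.sdk.init", "json.parse"}},
    {"name": "wallpaper", "signer": "devB",
     "ui": {("Gallery", "Preview"), ("Preview", "Share")},
     "methods": {"img.load", "img.set", "ads.sdk.show",
                 "sms.send_premium", "dex.load_remote"}},
]
SUBMITTED = {"name": "flashlight-pro", "signer": "devC", "ui": FLASH_UI,
             "methods": {"torch.on", "torch.off", "ads.sdk.init",
                         "sms.send_premium", "dex.load_remote"}}
CLEAN = {"name": "notes", "signer": "devD", "ui": {("List", "Edit")},
         "methods": {"note.save", "ads.sdk.init", "json.parse"}}

if __name__ == "__main__":
    for name, (relation, methods) in vet(SUBMITTED, MARKET, LIBS).items():
        print(f"{name}: {relation} -> {sorted(methods)}")
```

Shared advertising and JSON library code produces no finding for the clean app, because library methods are stripped before either comparison.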
Aggregating an application's activities can also reveal the presence of zero-day malware. The activities in question include running suspicious code dynamically, downloading suspicious photos, modifying the startup sequence of other applications, accessing sensitive user data such as the SIM card, serial number and phone number, and displaying a lot of adware.
"The presence of these activities leads us to believe that zero-day malware is very likely to occur," the researchers said.
MassVet has so far examined more than 1.2 million apps from 33 Android app stores and discovered 127,429 malware applications that had avoided detection by 54 virus scanners, including the popular VirusTotal service.
Of the infected apps discovered, 30,552 are hosted on Google Play.