ATI Polymorphic Android Malware

In ATI, polymorphic malware refers to samples derived from a common malicious codebase that are altered to evade detection while remaining functionally malicious. The samples help you test whether your security solutions can catch known, popular malware families when presented with previously unseen hashes. ATI has been delivering polymorphic samples as part of the monthly malware package since 2020, mostly for the Windows platform, and has recently extended this to Android polymorphic malware. The Android samples were delivered in the November 2022 Monthly Malware update by ATI as part of the standard ATI subscription.

ATI uses various morphing techniques on the Android APKs, such as reordering the manifest XML and rebuilding the malware sample, to generate polymorphic samples whose hashes differ from those of the parent samples. We also validate that the child samples retain the same malicious behaviour as the parent samples by testing them in various Android malware analysis sandboxes. We included 2 Android parent samples of the Pegasus malware, a spyware developed by the NSO Group that exfiltrates data from installed social media apps, steals stored credentials, takes screenshots and photos, and performs many more malicious activities. We included 2 polymorphic samples for each of them.

Effectiveness of Polymorphic Malware

The samples under test are the following 2 parent samples and 1 polymorphic child sample created with the same techniques as those released in the November 2022 Monthly Malware package.

We tested the parents and their children against Virus Total and Google Play Protect.

Virus Total

In Virus Total, we uploaded the parent and child samples and compared their Detection Scores. The Detection Score is the number of antivirus engines and sandboxes that successfully detect the sample as malicious.

To show that the child samples are just as malicious as the parents, we uploaded them to the Joe Malware Analysis Sandbox.

Google Play Protect

The polymorphic samples were also tested against the native Android security measure, Google Play Protect. The test platform was an Android Emulator running Android 10 with Google Play services installed and updated and Google Play Protect activated. We also repeated some of the test scenarios on a physical Android phone and achieved similar results.

When we installed parent sample 1, the installation immediately failed (Fig 5) and a popup in the emulator showed that the malware installation was blocked by Google Play Protect, with a message indicating that it had tried to bypass Android security protections.

For the polymorphic child of parent sample 1, the popup shows that Google Play Protect no longer flags it as violating security; instead it only complains that the app was built for an older version of Android. There is also an 'Install Anyway' button this time, and a user who is sideloading an app will likely ignore the warning and install it. So, the polymorphic sample has successfully evaded the native security measure on Android.

We also tested the parent sample 2, where we got a similar popup (Fig 7) and the installation was blocked again.

Fig 7: Parent Sample 2 Installation Blocked

When we tried to install the polymorphic version of this (Fig 8):

How to find them and run them?

To be able to access the Android Polymorphic Samples, you need to install the ‘Nov 2022 Malware Package’ either through BPS Cloud Update or manually download the package from https://support.ixiacom.com/public/support-overview/product-support/downloads-updates/versions/43451

After installation, you will find 3 StrikeLists (Fig 9). You can run them as normal Strikes using any of the StrikeLists.

Interpretation of the Results

Polymorphic malware is the same malware as the parent file: it executes and shows the same behavior as the parent in the sandboxed environment; the only difference is some tweaked data in the malicious file that makes the hash different.
If the firewall or DUT can block only the parent file and not its morphed versions, then the DUT is in most cases doing hash-based analysis and is not powerful enough to stop all variations of the malware.
On the other hand, if the DUT can block both the parent file and its various morphed children, then we can conclude that the DUT is in a better position to detect and prevent such morphed malware.
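The contrast drawn here, and the repackaging described earlier (reordering manifest entries and rebuilding the APK), can be shown on a constructed example. The code below is an added illustration, not ATI's tooling or its samples: it builds a placeholder APK-style zip, a "child" rebuilt from identical content with reordered entries and new timestamps, and a genuinely modified file, then compares a whole-file hash check against a content-level fingerprint that survives repackaging. All entry names and payloads are constructed stand-ins.

```python
import hashlib
import io
import zipfile

def file_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def content_fingerprint(apk_bytes: bytes) -> str:
    """Order- and metadata-independent fingerprint: sha256 over the sorted list of
    (entry name, sha256(entry bytes)). Re-zipping, reordering entries or changing
    timestamps leaves it unchanged; changing any payload byte changes it."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        digests = sorted(
            (info.filename, hashlib.sha256(zf.read(info)).hexdigest())
            for info in zf.infolist()
            if not info.is_dir()
        )
    joined = "\n".join(f"{name}\t{digest}" for name, digest in digests)
    return hashlib.sha256(joined.encode()).hexdigest()

def build_apk(entries, date_time=(2022, 11, 1, 0, 0, 0)) -> bytes:
    """Write a minimal APK-style zip from (name, bytes) pairs in the given order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()

# Constructed stand-in for a parent sample: placeholder payloads, not real malware.
PARENT_ENTRIES = [
    ("AndroidManifest.xml", b"<manifest package='example.constructed'/>"),
    ("classes.dex", b"dex\n035\0constructed-placeholder-bytecode"),
    ("res/values/strings.xml", b"<resources/>"),
]
PARENT_APK = build_apk(PARENT_ENTRIES)
# "Child" rebuilt from the same content: entries reordered, timestamps changed.
CHILD_APK = build_apk(list(reversed(PARENT_ENTRIES)), date_time=(2023, 1, 15, 12, 30, 0))
# A genuinely different file: one payload byte appended to the bytecode entry.
MODIFIED_APK = build_apk([(n, (d + b"!") if n == "classes.dex" else d) for n, d in PARENT_ENTRIES])

def hash_based_match(sample: bytes, known: bytes) -> bool:
    return file_sha256(sample) == file_sha256(known)

def content_based_match(sample: bytes, known: bytes) -> bool:
    return content_fingerprint(sample) == content_fingerprint(known)

if __name__ == "__main__":
    print("hash match parent/child:", hash_based_match(CHILD_APK, PARENT_APK))
    print("content match parent/child:", content_based_match(CHILD_APK, PARENT_APK))
    print("content match parent/modified:", content_based_match(MODIFIED_APK, PARENT_APK))
```

A DUT that only matches whole-file hashes behaves like `hash_based_match` and misses the child, whereas a content- or behavior-aware check still ties the child to its parent without matching the truly modified file.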

Leverage subscription service to stay ahead of attacks

Keysight's Application and Threat Intelligence (ATI) Subscription provides daily and monthly malware packages and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously tracks threats, in terms of vulnerabilities and the latest malware used by threat actors, and integrates them into the ATI subscription to help keep your network secure. More information is present here.
