Topic: What type of malware detection, analysis & protection is Avast Mobile using?


jvopalensky (Guest)
Hi,

I am concerned that your product is giving me false sense of security. Can you please tell me your/Avast Mobile approach to Android OS malware detection, analysis and protection?

FYI: My concern was triggered by this article at http://www.mccormick.northwestern.edu/news/articles/2013/05/android-antiviral-products-easily-evaded-northwestern-study-says-yan-chen.html. For example, in the referenced paper (http://list.cs.northwestern.edu/mobile/droidchameleon_nu_eecs_13_01.pdf) they state:

Quote
Anti-malware tools have evolved towards content-based signatures over the past one year. We compare our findings that we obtained in February 2012 (Table VII) to our present findings obtained in February 2013 (Table VI). Some of the anti-malware tools have changed considerably for the same malware samples. Last year, 45% of the signatures were evaded by trivial transformations, i.e., repacking and assembling/disassembling. Such signatures have virtually no resilience against polymorphism. Our present results show a marked decrease in this fraction to 16%. We find that in all such cases where we see changes, anti-malware authors have moved to content-based matching, such as matching identifiers and strings. Furthermore, for malware using native code exploits, many anti-malware tools previously matched on the native exploits and payloads alone. The situation has changed now as all of these additionally match on some content in the rest of the application as well. Although the changes in the signatures over the past one year may be seen as improvement, we point out that the new signatures still lack resilience against polymorphic malware as our results aptly demonstrate.

Also reading the latest test results from av-test.org (http://www.av-test.org/en/tests/mobile-devices/android/mar-2013/) I see your virus detection & analysis abilities decreased in March 2013 from the Jan. 2013 tests.

Can you explain?

Thanks in advance. / Jan


jsejtko (Avast team, ALWIL Software)
Dear Jan,

First of all, yes, we had a decrease in the detection rate in the test performed in March 2013, which was the signal to change our internal sample processing. We will probably see next week how we did in the latest, not yet published test.

However, there are also other testers around the internet with slightly different results; check out http://www.pcsecuritylabs.net/document/report/pcsl_android_201301_cn.pdf, which is unfortunately in Chinese, but the results are readable. This test was performed at approximately the same time as the av-test test you are referring to.

Quote
I am concerned that your product is giving me false sense of security. Can you please tell me your/Avast Mobile approach to Android OS malware detection, analysis and protection?

FYI: My concern was triggered by this article at http://www.mccormick.northwestern.edu/news/articles/2013/05/android-antiviral-products-easily-evaded-northwestern-study-says-yan-chen.html. For example, in the referenced paper (http://list.cs.northwestern.edu/mobile/droidchameleon_nu_eecs_13_01.pdf) they state:

Well... it's better to summarize that in bullets:

  • There's no product with 100% malware coverage (it's exactly the same for Windows, Android, or any other platform you can think of). We are really close and always trying to cover all the samples we know about.
  • The detection mechanism should be as quick as possible. No one wants to wait five minutes for a downloaded application to be analyzed. And that's just one app; what about a full system scan?
  • The main analysis is done in the virus lab by humans or by automatic procedures. This will always produce a detection our product is able to understand.
  • There always were, are and will be researchers doing exactly the same 'research': repacking malware and checking how detection abilities change.
    • We must keep our eye on the real threat landscape!
    • But we also have to process the samples synthetically made by these people, unfortunately!
  • The report shows only two simple things.
    • Who's using full-file hashes to detect files (every change leads to detection failure) and who's using a better solution, nothing else.
    • Static analysis has its own boundaries.


And briefly about our approach: we don't use checksums, as they are really inefficient. We currently use patterns (a multi-pattern approach) and an algorithmic approach that enable us to create really generic detections able to spot polymorphic malware.

Best regards
J. Sejtko
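
The distinction drawn in the post above, a full-file hash signature versus a content (multi-pattern) signature, as an added example that is not Avast's code, nor anything from the Northwestern paper. The "APK" is a constructed zip archive, the classes.dex bytes are a synthetic stand-in, and the class name, API name and URL are invented for illustration; no real malware is involved. It shows the two things the post says the report demonstrates: a hash is defeated by a trivial repack, a content signature is not, and a content signature in turn has a boundary where identifiers are renamed and strings are encoded.

```python
# Added example, not Avast's code: why a full-file hash "signature" breaks on
# trivial repacking while a content/multi-pattern signature survives it, and
# where static content matching reaches its own limits (identifier renaming
# and string encoding).  The "APK" here is a constructed zip archive and the
# classes.dex bytes are a synthetic stand-in; no real malware is involved.
import hashlib
import io
import zipfile

# Constructed stand-in for the contents of classes.dex.  The class name,
# the framework API name and the C&C URL are the kind of identifiers and
# strings a content-based signature keys on (all three are invented).
SAMPLE_DEX = (
    b"dex\n035\x00"
    b"Lcom/example/evil/SmsSender;"
    b"sendTextMessage"
    b"http://payload.invalid/cmd"
)


def build_apk(dex, compression=zipfile.ZIP_DEFLATED, extra_entry=None):
    """Pack a minimal APK-like zip from the given classes.dex bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=compression) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", dex)
        if extra_entry is not None:
            z.writestr(extra_entry[0], extra_entry[1])
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class HashSignature:
    """Full-file checksum: matches exactly one byte-for-byte identical file."""

    def __init__(self, sample_apk):
        self.digest = sha256(sample_apk)

    def matches(self, apk):
        return sha256(apk) == self.digest


class ContentSignature:
    """Multi-pattern signature over the unpacked classes.dex: fires when at
    least `threshold` patterns are present, so it is indifferent to how the
    archive around the dex was packed."""

    def __init__(self, patterns, threshold):
        self.patterns = list(patterns)
        self.threshold = threshold

    def matches(self, apk):
        with zipfile.ZipFile(io.BytesIO(apk)) as z:
            dex = z.read("classes.dex")
        hits = sum(1 for p in self.patterns if p in dex)
        return hits >= self.threshold


def xor_encode(data, key):
    """Trivial string 'encryption' of the kind used to hide a URL in a dex."""
    return bytes(b ^ key for b in data)


def run_scenarios():
    """Return {scenario: (hash_signature_matches, content_signature_matches)}."""
    original = build_apk(SAMPLE_DEX)
    hash_sig = HashSignature(original)
    content_sig = ContentSignature(
        [b"Lcom/example/evil/SmsSender;", b"sendTextMessage", b"payload.invalid"],
        threshold=2,
    )

    # Transformation 1: repack only.  A different compression method plus an
    # extra asset file changes the archive bytes but not the dex content.
    repacked = build_apk(
        SAMPLE_DEX,
        compression=zipfile.ZIP_STORED,
        extra_entry=("assets/readme.txt", b"repacked"),
    )

    # Transformation 2: rename the class and encode the URL.  The framework
    # API name cannot be renamed, so one pattern still hits, but that is
    # below the threshold: this is where purely static matching stops.
    renamed_dex = SAMPLE_DEX.replace(
        b"Lcom/example/evil/SmsSender;", b"La/a/a;"
    ).replace(
        b"http://payload.invalid/cmd",
        xor_encode(b"http://payload.invalid/cmd", 0x5A),
    )
    renamed = build_apk(renamed_dex)

    return {
        "original": (hash_sig.matches(original), content_sig.matches(original)),
        "repacked": (hash_sig.matches(repacked), content_sig.matches(repacked)),
        "renamed": (hash_sig.matches(renamed), content_sig.matches(renamed)),
    }


if __name__ == "__main__":
    for name, (by_hash, by_content) in run_scenarios().items():
        print(f"{name:9s} hash={by_hash!s:5s} content={by_content}")
```

Running it prints that the original is caught by both signatures, the repacked copy only by the content signature, and the renamed copy by neither. Lowering `threshold` to 1 would keep catching the renamed sample on the un-renamable API name alone, at the cost of flagging every benign app that sends SMS; that trade-off between resilience and false positives is why the post says generic detections need an algorithmic component on top of plain pattern matching.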

jvopalensky (Guest)
Thanks for the clarification. / Jan

triobrothers (Guest)
I recall that once my modem/router firewall failed; it was disabled due to a software bug.

Almost all the Android devices at home connected to the Wi-Fi started to pop up an 'ad' telling us to update a 'game' that none of us had downloaded.

Since my phone popped it up first, I was curious.
Instead of clicking 'No', I clicked the other button.

The download began, the installation began, and voilà, Avast kicked in and alerted me of the Trojan, whose name I have forgotten.

The aftermath was that I ran Avast, and Avast alerted that most of the apps I had installed were infected by the same malware: WhatsApp, Firefox, Viber, you name it. Almost half of them were 'killed'.

What amazed me was that Avast detected the malware upon installation, but why did it fail to detect the malware infecting the other already installed apps?