Symantec Identifies Polymorphic Android App Malware

Monday, February 06, 2012


Researchers at Symantec have identified a crafty Trojan targeting Android devices which slightly modifies its code every time the malware is downloaded.

The technique is called server-side polymorphism, and it makes the malware more difficult to detect with traditional signature-based antivirus defenses.

The technique has been used for years to hide malicious code targeting PCs using the Windows operating system, but has only recently been discovered in malware aimed at infecting mobile devices.

"For quite some time, we have observed the technique of server-side polymorphism being used to infect Windows computers around the world. What this means is that every time a file is downloaded, a unique version of the file is created in order to evade traditional signature-based detection. We are now seeing this same technique being used for malicious Android applications hosted on Russian websites," Symantec's Security Response blog explains.

Symantec has identified multiple variants of the malware, which is being distributed by Russian-based websites offering Android application downloads.

"We detect all of these variants as Android.Opfake. The sites hosting Opfake include either links or buttons that can be used to download the malicious packages that are purporting to be free versions of popular Android software," Symantec warns.

The malicious code "morphs" its signature in several different ways, one of which is a manual adaptation that researchers believe is a sign that the attacks are being actively administered by the malware authors.

"Opfake performs server-side polymorphism using three techniques: variable data changes, file re-ordering, and insertion of dummy files... The applications morph themselves automatically in a few ways every time the threat is downloaded. In addition, manual modifications are also made every few days indicating that the malware authors are actively maintaining this malware family," the blog continued.
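The following is an added example, not code from Symantec or from the original article. It shows from the defender's side why an exact whole-file hash misses a package that has had entries re-ordered, a data value changed and a dummy file inserted, while an order-independent set of per-entry content digests still matches most of it. The archive contents, file names and the `similarity` score are constructed assumptions for illustration.

```python
import hashlib
import io
import zipfile

def build_archive(entries):
    """Pack (name, bytes) pairs into an in-memory ZIP, in the order given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()

def whole_file_hash(blob):
    """Classic exact-match signature: one digest over the whole package."""
    return hashlib.sha256(blob).hexdigest()

def entry_digests(blob):
    """Order-independent fingerprint: set of SHA-256 digests of each entry's content."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {hashlib.sha256(zf.read(info)).hexdigest() for info in zf.infolist()}

def similarity(known, sample):
    """Fraction of the known package's entry digests that reappear in the sample."""
    return len(known & sample) / len(known) if known else 0.0

# Constructed stand-in package contents (harmless placeholders, not from the article).
CORE = [
    ("AndroidManifest.xml", b"<manifest package='example.app'/>"),
    ("classes.dex", b"dex-placeholder-bytes" * 64),
    ("res/layout/main.xml", b"<LinearLayout/>"),
    ("res/raw/config.txt", b"id=1001"),
]
# Constructed variant: entries re-ordered, one data value changed, one dummy file added.
VARIANT = [
    ("res/raw/pad_7f3a.bin", b"\x00" * 128),
    ("res/raw/config.txt", b"id=2002"),
    ("classes.dex", b"dex-placeholder-bytes" * 64),
    ("res/layout/main.xml", b"<LinearLayout/>"),
    ("AndroidManifest.xml", b"<manifest package='example.app'/>"),
]

KNOWN, NEW = build_archive(CORE), build_archive(VARIANT)

if __name__ == "__main__":
    print("whole-file match:", whole_file_hash(KNOWN) == whole_file_hash(NEW))
    print("entry overlap:   ", similarity(entry_digests(KNOWN), entry_digests(NEW)))
```

The entry whose data value changed no longer matches, so the overlap is partial rather than complete; re-ordering and dummy files alone leave it at 1.0.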

Source: http://www.symantec.com/connect/blogs/server-side-polymorphic-android-applications
