
Malicious Android Apps Use Obfuscation, Antiemulation Techniques to Avoid Detection

  • August 10, 2016, 01:00 PM

A set of malicious gaming applications for Android available on the Google Play Store employ obfuscation at multiple levels and antiemulation techniques to avoid detection.

There are six malicious apps in total. They all advertise a different mod for Minecraft, the popular sandbox video game.

A developer with the account name "ValerySoftware" published the apps, each of which has been downloaded up to 500 times. That means as many as 3,000 users might be affected by the applications.

Not surprisingly, the applications don't do anything they say they will. After requesting administrative privileges, they simply load up a couple of HTML resources.

The apps then initiate a series of commands that allow them to download APK files from external sources, leak sensitive information, and (like Android.Spy.305.origin) display or silently access advertisements.

Each app is determined to carry out its malicious activities, which is reflected in its efforts to avoid detection.

Fernando Ruiz, a mobile malware researcher at Intel Security, explains:

"The payload is obfuscated at many levels with a packer, an executable and linkable format (ELF) binary crafted to decrypt the malicious code from a file stored in the asset directory of the APK. The name of the assets.dat files, binary ELF, and classes related to the malware functionality are random to avoid detection. The strings are obfuscated inside the ELF binary and the encrypted malicious .dex files."

Each app also comes equipped with antiemulation techniques that allow it to remain under the radar of automated dynamic test environments.
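The packer layout Ruiz describes (an ELF binary in the asset directory that decrypts a .dex stored as a randomly named asset, with obfuscated strings) leaves static traces a defender can check before ever running the app. The script below is an added example written for this page, not code from the article or from Intel Security: it unzips an APK and reports ELF files placed under assets/, high-entropy asset blobs that could be encrypted payloads, and random-looking file names; the name heuristic, entropy threshold and minimum blob size are assumptions, and the sample APK is constructed.

```python
import io
import math
import re
import zipfile
from collections import Counter

ELF_MAGIC = b"\x7fELF"
# Common media/archive magics: legitimately high-entropy, so excluded from the entropy check.
MEDIA_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"PK\x03\x04", b"RIFF", b"OggS")
HIGH_ENTROPY = 7.0   # bits per byte; encrypted or compressed blobs sit close to 8.0
MIN_BLOB = 1024      # ignore tiny files, whose entropy estimate is noisy
# Assumption: crude heuristic for generated names (8+ alphanumerics mixing letters and digits).
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> list:
    """Scan assets/ and lib/ of an APK; return (entry, reason) pairs for packer-style indicators."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if info.is_dir() or not name.startswith(("assets/", "lib/")):
                continue
            data = z.read(name)
            stem = name.rsplit("/", 1)[-1].split(".", 1)[0]
            if name.startswith("assets/") and data.startswith(ELF_MAGIC):
                findings.append((name, "ELF binary shipped as an asset (native unpacker stub)"))
            if (len(data) >= MIN_BLOB and not data.startswith(MEDIA_MAGIC)
                    and shannon_entropy(data) >= HIGH_ENTROPY):
                findings.append((name, "high-entropy blob (possible encrypted payload)"))
            if RANDOM_NAME.match(stem):
                findings.append((name, "random-looking file name"))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample mimicking the packer layout described above; not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 60)                  # tiny loader stub
        z.writestr("assets/index.html", b"<html><body>Minecraft mod</body></html>")
        z.writestr("assets/kx9q2mvt.dat", bytes(range(256)) * 8)             # stand-in encrypted .dex
        z.writestr("assets/z4r7wpnq", ELF_MAGIC + b"\x01\x01\x01" + b"\0" * 61)  # unpacker stub
    return buf.getvalue()
```

Any single hit is only a lead for manual review, since legitimate apps also ship native code and compressed data; the combination of an ELF asset next to a high-entropy, randomly named blob is what matches the packer described here.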

Given the domain information found in the malware, Ruiz and his fellow mobile malware researchers have attributed the apps to a group of European computer criminals who distribute and host malware.

That's not even the worst part. At this time, all six applications are still available for download on the Google Play Store.

Bad actors will always try to use well-known brands like Minecraft to push malicious programs onto unsuspecting users. To protect themselves against that persistent threat, users should always look at an app's reviews, review the list of permissions, and research an application developer who seems suspicious.


David Bisson
David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News, Associate Editor for Tripwire's "The State of Security" blog, Contributing Author for Carbonite, and Content Contributor to Metacompliance Ltd. and OASIS Open.