Dell'Orco, D., Valeriani, L., Bianchi, G., Pellegrini, A., Merlo, A. (2025). Challenging antivirus against elusive Android malware over time. In ITASEC & SERICS 2025: Joint National Conference on Cybersecurity 2025. Aachen: CEUR-WS.
Challenging antivirus against elusive Android malware over time
Valeriani, Lorenzo; Bianchi, Giuseppe; Pellegrini, Alessandro
2025-01-01
Abstract
This empirical study evaluates the ability of commercial Android antivirus (AV) solutions to detect malware concealed using four specific techniques: code obfuscation and repackaging through encryption, compression, and steganography. Using real-world malware samples spanning 14 years, we developed a structured testing pipeline to transform each sample into a less-detectable version systematically. Leading antivirus engines on VirusTotal, which reliably detect the original malware, were tested against the altered malware. Although the effectiveness of the repackaging techniques varies, they all significantly reduce detection rates. While obfuscation reduces detection rates, most AV engines remain resilient to state-of-the-art obfuscation tools. We conducted the same tests at five intervals, demonstrating that AV systems quickly adapt to these hiding techniques. However, this adaptation often results in inadequate signatures. In some cases, engines misclassified the original host application as malicious, even without a hidden payload. While VirusTotal remains a valuable resource for malware analysis, our experiments highlight several limitations. These findings underscore the need for more robust threat-neutralizing techniques and advanced detection strategies to address the evolving challenges of malware in Android ecosystems. To improve the reliability of such studies, we propose best practices for conducting experiments.

| File | Size | Format |
|---|---|---|
| Del25 (1).pdf (open access; type: publisher version (PDF); license: Creative Commons) | 1.51 MB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.