Dell'Orco, D., Bernardinetti, G., Bianchi, G., Merlo, A., Pellegrini, A. (2025). Would you mind hiding my malware? Building malicious Android apps with StegoPack. PERVASIVE AND MOBILE COMPUTING, 111, 1-29 [10.1016/j.pmcj.2025.102060].

Would you mind hiding my malware? Building malicious Android apps with StegoPack

Bernardinetti, G; Bianchi, G; Pellegrini, A
2025-01-01

Abstract

This paper empirically explores the resilience of the current Android ecosystem against stegomalware, which involves both Java/Kotlin and native code. To this aim, we rely on a methodology that goes beyond traditional approaches by hiding malicious Java code and extending it to encoding and dynamically loading native libraries at runtime. By merging app resources, steganography, and repackaging, the methodology seamlessly embeds malware samples into the assets of a host app, making detection significantly more challenging. We implemented the methodology in a tool, StegoPack, which allows the extraction and execution of the payload at runtime through reverse steganography. We used StegoPack to embed well-known DEX and native malware samples spanning 14 years into real Android host apps. We then challenged top-notch antivirus engines, which previously had high detection rates on the original malware, to detect the embedded samples. Our results reveal a significant reduction in the number of detections (down to zero in most cases), indicating that current detection techniques, while thorough in analyzing app code, largely disregard app assets, leading us to believe that steganographic adversaries are not even included in the adversary models of most deployed defensive analysis systems. Thus, we propose potential countermeasures for StegoPack to detect steganographic data in the app assets and the dynamic loader used to execute malware.
2025
Published
International relevance
Article
Peer review: anonymous experts
Sector IINF-05/A - Information processing systems
English
Mobile security
Android stegomalware
Packing
Dell'Orco, D; Bernardinetti, G; Bianchi, G; Merlo, A; Pellegrini, A
Journal article
Files in this item:
File: Dell25.pdf
Access: open access
Type: Publisher's version (PDF)
License: Creative Commons
Size: 5.11 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/2108/453463
Citations
  • PMC: not available
  • Scopus: 1
  • Web of Science (ISI): 0