Ares: Triggering Payload of Evasive Malware for Android - overview
With the emergence of mobile application markets, there has been a dramatic increase in mobile malware. Mobile platform providers are constantly creating and refining their malware-detection techniques, including static analysis and behavioral monitoring. The goal of malware writers is to hide the malicious payload from those analyzers. In parallel, security analysts want to quickly determine whether a piece of software is malware in order to prevent harm to users. This confrontation is pushing malware writers to develop new evasion techniques that either prevent their malware from being detected or make its analysis harder.
This paper describes Ares, a system built on top of an existing behavioral analyzer that combines static information-flow analysis, binary instrumentation, and multi-execution analysis to detect and bypass many common evasion techniques used by mobile malware. Additionally, this paper presents our implementation of Ares and shows that, when run against real-world software, Ares is able to reveal previously unknown malicious components. We also developed Evadroid, a test suite for evaluating evasion-detection techniques, which we have made fully available to other researchers.
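The following toy model is an added illustration of the multi-execution idea the abstract describes; it is not Ares's code and not part of the original page. It constructs a small evasive "app" whose payload is guarded by three environment checks (emulator fingerprint, missing SIM, short uptime), instruments each branch whose condition depends on environment-derived data, and re-executes the app while forcing those branches to their untaken outcome until the hidden behavior surfaces. In Ares the selection of environment-dependent branches comes from static information-flow analysis and the forcing from binary instrumentation; here both are stood in for by the hand-placed `inst.branch` calls, which is an assumption of the example, as are the environment values and the app itself.

```python
"""Toy condition-flipping multi-execution, illustrating the approach described
on this page. Constructed example; not Ares's implementation."""

# Constructed device environment as an app would observe it through the
# Android API (Build.FINGERPRINT, SIM state, uptime). Values are made up.
EMULATOR_ENV = {
    "fingerprint": "generic/sdk_gphone/generic:5.1.1",
    "sim_present": False,
    "uptime_ms": 20_000,
}


class Instrumented:
    """Stand-in for binary instrumentation: records each branch whose condition
    is derived from the environment (the branches a static information-flow
    analysis would flag) and optionally forces its outcome."""

    def __init__(self, env, forced=None):
        self.env = env
        self.forced = dict(forced or {})
        self.observed = []  # (branch_id, natural_outcome) in execution order

    def branch(self, bid, natural):
        natural = bool(natural)
        self.observed.append((bid, natural))
        return self.forced.get(bid, natural)


def sample_app(inst, log):
    """Constructed evasive app: three environment checks guard the payload.
    On an emulator with no SIM and a fresh boot, only the benign path runs."""
    env = inst.env
    if inst.branch("emu_fingerprint", "generic" in env["fingerprint"]):
        log.append("benign: show_ad")
        return
    if inst.branch("no_sim", not env["sim_present"]):
        log.append("benign: show_ad")
        return
    if inst.branch("fresh_boot", env["uptime_ms"] < 60_000):
        log.append("benign: show_ad")
        return
    log.append("PAYLOAD: send_premium_sms")


def multi_execute(app, env):
    """Run the app repeatedly, each time forcing one more environment-dependent
    branch to the outcome it did not take, until every reachable assignment
    has been tried. Returns ({behaviour: forced_map}, number_of_runs); the
    forced map for a behaviour is the first assignment that exposed it, so the
    naturally reachable behaviour maps to {}."""
    behaviours = {}
    visited = set()
    worklist = [{}]
    runs = 0
    while worklist:
        forced = worklist.pop()
        key = tuple(sorted(forced.items()))
        if key in visited:
            continue
        visited.add(key)
        inst = Instrumented(env, forced)
        log = []
        app(inst, log)
        runs += 1
        behaviours.setdefault(tuple(log), dict(forced))
        # Every environment-dependent branch seen in this run that we have not
        # yet pinned becomes a new execution with that branch flipped.
        for bid, natural in inst.observed:
            if bid not in forced:
                flipped = dict(forced)
                flipped[bid] = not natural
                worklist.append(flipped)
    return behaviours, runs


def hidden_behaviours(app, env):
    """Behaviours that never occur under the natural environment: the
    candidates an analyst would inspect as evasive payloads."""
    behaviours, _ = multi_execute(app, env)
    return {b: f for b, f in behaviours.items() if f}


if __name__ == "__main__":
    found, runs = multi_execute(sample_app, EMULATOR_ENV)
    print(f"{runs} executions")
    for behaviour, forced in found.items():
        print(behaviour, "<- forced:", forced)
```

Because only branches that actually depend on environment data are flipped, and each run pins at most one additional branch, the number of executions grows with the number of guards on the path to the payload rather than with the number of all branches in the app; the sample above needs four runs to expose the payload behind three sequential checks.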
Download the paper here (extended version).
Cite as: L. Bello and M. Pistoia. Ares: Triggering Payload of Evasive Malware for Android. In Proceedings of the 5th IEEE/ACM International Conference on Mobile Software Engineering and Systems (MOBILESoft 2018), 2018.
- Ares source code:
- Evadroid 1.0 can be found in
- Evadroid source code, open for contributions and extensions:
- Patch for Android Open Source Project 5.1.51 (master from June 21st, 2015) for execution trace logging:
- The raw results of all the presented evaluations: