Presentation Material
Abstract
With Android being the fastest-growing mobile OS and with a rapidly increasing number of Android malware samples, it is important to acknowledge the risk of exploitation of security vulnerabilities by malware.
According to Common Vulnerabilities and Exposures (CVE) data, over the past few years the total number of documented Android vulnerabilities has reached 30, with seven of them discovered in the last year. The most serious of the recent ones is the so-called ‘MasterKey’ vulnerability (CVE-2013-4787), which is reported to have affected 99 per cent of devices, compromising the APK signature validation process.
With the total number of Android samples in our database exceeding 700,000, and 2,000 new Android malware samples discovered every day, we estimate that approximately 10 per cent of the samples exploit some vulnerability, and that one tenth of those exploit ‘MasterKey’.
In this paper we will investigate recent Android malware that attempts to exploit vulnerabilities, and identify the most relevant threat families.
By using static analysis tools we will show how these malware families exploit vulnerabilities in order to compromise devices. The research will reveal the evolution of the threat families.
Additionally, we will provide an evaluation of the various analysis tools that are currently available, exploring their successes and failures, and highlighting the differences between them.
These results will be used to identify the best approach for future automated analysis, to ensure it keeps up with the rapid development of Android malware and the increasing sophistication of device exploitation.
AI Generated Summary
This research examines the evolution of Android malware exploits and evaluates the effectiveness of common static analysis tools against them. The study identifies a correlation between the rising number of Android vulnerabilities (CVEs) and the growth of mobile malware samples, with exploit-enabled samples constituting a significant and growing portion of the total malware corpus.
Key exploit families analyzed include early root exploits like RageAgainstTheCage and GingerMaster, which used encrypted payloads within assets. More sophisticated examples include DroidDream and DroidKungFu, which leveraged the Master Key vulnerability (CVE-2013-4787) to bypass APK signature verification by including duplicate, malicious files. A subsequent vulnerability (CVE-2013-4788) used an extra field in the ZIP central directory for a similar bypass. The Android/Obad family demonstrated extreme obfuscation, encrypting all class and method names and using multiple decryption stages to hinder analysis.
The second part evaluates popular static analysis tools (e.g., APKTool, Dex2Jar, JD-GUI, IDA Pro) against samples from families like Master Key, GingerMaster, and DroidKungFu. Tools frequently fail due to: 1) APK extraction errors when encountering duplicate files in Master Key exploits, leading to analysis of the benign variant; 2) Dex header manipulation, where altering the version number corrupts tool parsing; and 3) opcode junk insertion, where invalid or unused opcodes break disassemblers and decompilers. Decompilers also fail on complex control-flow obfuscation.
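The two failure modes described above (duplicate entry names in the APK's ZIP container, and a Dex header whose version field has been altered) can both be checked without trusting any one extraction tool. The following script is an added example written for this page, not code from the paper or from any of the tools it evaluates. It walks the ZIP central directory by hand, reports duplicate names, non-empty central-directory extra fields, and local/central name mismatches, and shows which copy Python's own zipfile module silently hands back. The sample archive it builds is constructed in memory and is not a real APK; the set of known Dex versions is an assumption of this example.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header
LOCAL_SIG = b"PK\x03\x04"  # local file header

# Dex versions this example treats as known (assumption, not from the paper).
KNOWN_DEX_VERSIONS = {"035", "037", "038", "039"}


def central_directory_entries(data: bytes):
    """Parse every central directory entry ourselves so nothing is collapsed by name."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: disk(2) cd_disk(2) entries_disk(2) entries_total(2) cd_size(4) cd_offset(4) comment_len(2)
    _, _, _, total, _cd_size, cd_offset, _ = struct.unpack("<HHHHIIH", data[eocd + 4:eocd + 22])
    entries, pos = [], cd_offset
    for idx in range(total):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        # fixed part is 46 bytes; name/extra/comment lengths sit at 28..34, local offset at 42
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        (local_off,) = struct.unpack("<I", data[pos + 42:pos + 46])
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        entries.append({"index": idx, "name": name, "extra": extra, "local_offset": local_off})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def local_header_name(data: bytes, offset: int) -> str:
    """Read the file name stored in the local header (30-byte fixed part) at `offset`."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError(f"bad local header signature at offset {offset}")
    (name_len,) = struct.unpack("<H", data[offset + 26:offset + 28])
    return data[offset + 30:offset + 30 + name_len].decode("utf-8", "replace")


def find_duplicate_entries(data: bytes):
    """Names that appear more than once in the central directory (the MasterKey indicator)."""
    counts = Counter(e["name"] for e in central_directory_entries(data))
    return sorted(n for n, c in counts.items() if c > 1)


def entries_with_extra_field(data: bytes):
    """Names whose central-directory extra field is non-empty; worth a look, not proof of anything."""
    return [e["name"] for e in central_directory_entries(data) if e["extra"]]


def name_mismatches(data: bytes):
    """Entries whose local header name differs from the central directory name."""
    return [(e["name"], local_header_name(data, e["local_offset"]))
            for e in central_directory_entries(data)
            if local_header_name(data, e["local_offset"]) != e["name"]]


def dex_version(blob: bytes):
    """Return the 3-digit version from a Dex magic 'dex\\n<ver>\\0', or None if the magic is malformed."""
    if len(blob) < 8 or blob[:4] != b"dex\n" or blob[7:8] != b"\x00":
        return None
    version = blob[4:7].decode("ascii", "replace")
    return version if version.isdigit() else None


def what_zipfile_returns(data: bytes, name: str) -> bytes:
    """Python's zipfile keeps a name->entry dict, so the LAST duplicate wins on read()."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)


def build_sample_apk() -> bytes:
    """Constructed sample: a tiny ZIP with two 'classes.dex' entries. Not a real APK."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns about the duplicate name
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
            z.writestr("AndroidManifest.xml", b"<manifest/>")
            z.writestr("classes.dex", b"dex\n035\x00FIRST")
            z.writestr("classes.dex", b"dex\n035\x00SECOND")
    return buf.getvalue()


def audit(data: bytes) -> dict:
    """Summarise the container-level checks a triage script would run before any decompiler."""
    return {
        "duplicates": find_duplicate_entries(data),
        "extra_fields": entries_with_extra_field(data),
        "name_mismatches": name_mismatches(data),
        "dex_versions": [dex_version(what_zipfile_returns(data, n)) for n in find_duplicate_entries(data)],
    }


if __name__ == "__main__":
    sample = build_sample_apk()
    print(audit(sample))
    print("zipfile.read('classes.dex') ->", what_zipfile_returns(sample, "classes.dex"))
```

The point of the manual central-directory walk is that the duplicate is visible only if the parser keeps every entry; an extractor that keys on file name sees one copy, and which copy it sees (first or last) is a property of the tool, which is exactly why different analysis tools disagreed on the same sample. Run the Dex version check on each copy independently rather than on whatever the extractor chose.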
Practical implications are that existing static tools are largely reactive, infrequently updated, and lack comprehensive support for modern obfuscation. The research concludes that relying solely on static analysis is insufficient; a combined approach with dynamic analysis is necessary for complete malware understanding. An ideal integrated analysis environment is suggested to improve researcher efficiency.