A Large-Scale Study of Android Malware Development Phenomenon on Public Malware Submission and Scanning Platform

IF 5.7 | Region 3 (Computer Science) | Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS | IEEE Transactions on Big Data | Pub Date: 2018-01-08 | DOI: 10.1109/TBDATA.2018.2790439
Heqing Huang;Cong Zheng;Junyuan Zeng;Wu Zhou;Sencun Zhu;Peng Liu;Ian Molloy;Suresh Chari;Ce Zhang;Quanlong Guan
IEEE Transactions on Big Data, vol. 7, no. 2, pp. 255-270. Journal Article. Citations: 4. Publisher page: https://ieeexplore.ieee.org/document/8248752/

Abstract

With the steady growth of Android malware, we suspect that, during the malware development phase, some Android malware writers use popular public scanning services (e.g., VirusTotal) to test the evasion capability of their malware samples; we name these Android malware development cases (AMDs). In this work, we design an AMD hunter in the context of VirusTotal to hunt for AMDs and reveal new threats for Android. First, the AMD hunter sifts through millions of file submissions on VirusTotal efficiently and alerts on suspicious submission traces. Second, it performs package-level analysis, static code analysis and dynamic analysis on the APKs of the suspicious submissions to validate the AMDs. The implemented hunter has been used in a leading security company for 4 months, during which it processed 153 million submissions on VirusTotal and identified 1,623 AMDs with 13,855 samples from 83 countries. We also performed case studies on 890 malware samples selected from the identified AMDs, which revealed many new threats, including development cases of fake system/banking phishing apps, new rooting exploits, new JavaScript-based threats, new evasions and AV-probing malware. We wrote industry research articles about some AMDs and notified other security vendors to help patch their false negatives. Besides raising awareness of the existence of AMDs, more importantly, our research provides the first systematic and efficient way to study the malware development phenomenon on VirusTotal. We will share all the samples of the identified AMDs with the research community.
Source journal metrics: CiteScore 11.80; self-citation rate 2.80%; articles published 114.
Journal description: The IEEE Transactions on Big Data publishes peer-reviewed articles focusing on big data. These articles present innovative research ideas and application results across disciplines, including novel theories, algorithms, and applications. Research areas cover a wide range, such as big data analytics, visualization, curation, management, semantics, infrastructure, standards, performance analysis, intelligence extraction, scientific discovery, security, privacy, and legal issues specific to big data. The journal also prioritizes applications of big data in fields generating massive datasets.