Researchers at Northwestern University in Illinois recently worked with partners from North Carolina State University to test the ten most popular antivirus products for Android, in order to ascertain how well they protect Android devices from virus attacks.
The results do not make for pleasant reading, with both parties agreeing that each solution could be “easily circumnavigated” by “even the most simple obfuscation techniques”.
“The results are quite surprising,” said Yan Chen, an associate professor of electrical engineering and computer science at Northwestern’s McCormick School of Engineering and Applied Science.
“Many of these products are blind to even trivial transformation attacks not involving code-level changes — operations a teenager could perform.”
For the test, researchers used a tool they had developed (called DroidChameleon) to see how the most popular Android antivirus products, which were not named, fared when faced with one of six common viruses.
Using DroidChameleon, they applied a number of “common techniques” for trying to get a virus onto the Android device, from making changes to the virus’s binary code and file name to running a command on the virus to repackage or reassemble it.
Dozens of these viruses were tested on the antivirus products, and the researchers found that they often slipped through the software undetected. This led them to claim that all of the Android antivirus products could be evaded, although they did admit that the products' susceptibility to attacks varied.
In conclusion, the researchers argued that this software weakness was down to the use of “overly simple content-based signatures” (the special patterns used to screen for viruses) and urged software firms to use a more sophisticated static analysis to seek out these “transformed” attacks.
It wasn’t all bad news, however: testers found that 45% of antivirus products with content-based signature patterns could be evaded with “trivial transformations” last year, compared to just 16% in 2013.
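Why a signature over the whole package file stops matching once a sample is repackaged, while a digest of each entry's content still matches, shown as an added example (this is not DroidChameleon, any vendor's engine, or the static analysis the researchers recommend). All byte strings and function names are constructed for illustration, and the check covers repackaging only, not changes to the code itself.

```python
import hashlib
import io
import zipfile

def build_package(entries, date_time, compression):
    """Build an in-memory ZIP, the container format an APK uses."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=date_time)
            zf.writestr(info, data, compress_type=compression)
    return buf.getvalue()

def file_digest(blob):
    """Signature over the whole package file."""
    return hashlib.sha256(blob).hexdigest()

def entry_digests(blob):
    """Signatures over each entry's uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {hashlib.sha256(zf.read(i)).hexdigest() for i in zf.infolist()}

def detect_by_file(blob, known_files):
    return file_digest(blob) in known_files

def detect_by_entry(blob, known_entries):
    return bool(entry_digests(blob) & known_entries)

# Constructed sample data: stand-ins, not real malware or real DEX code.
FLAGGED_DEX = b"constructed stand-in for a flagged classes.dex\n" * 64
MANIFEST = b"<manifest package='example.constructed'/>"
ORIGINAL = build_package(
    [("AndroidManifest.xml", MANIFEST), ("classes.dex", FLAGGED_DEX)],
    (2013, 1, 1, 0, 0, 0), zipfile.ZIP_STORED)
# Same content repackaged: new entry order, timestamps and compression.
REPACKAGED = build_package(
    [("classes.dex", FLAGGED_DEX), ("AndroidManifest.xml", MANIFEST)],
    (2014, 6, 1, 12, 0, 0), zipfile.ZIP_DEFLATED)
BENIGN = build_package(
    [("AndroidManifest.xml", MANIFEST), ("classes.dex", b"benign stand-in")],
    (2014, 6, 1, 12, 0, 0), zipfile.ZIP_DEFLATED)

KNOWN_FILES = {file_digest(ORIGINAL)}
KNOWN_ENTRIES = {hashlib.sha256(FLAGGED_DEX).hexdigest()}

if __name__ == "__main__":
    for label, pkg in (("original", ORIGINAL), ("repackaged", REPACKAGED),
                       ("benign", BENIGN)):
        print(label, detect_by_file(pkg, KNOWN_FILES),
              detect_by_entry(pkg, KNOWN_ENTRIES))
```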