Mandiant and the Android Security and Privacy team have collaborated to develop improved tools capable of detecting Android malware hidden in the native code of mobile applications.
As mobile devices become central to daily activities such as banking and health care management, they increasingly attract malicious actors seeking to exploit sensitive data. A lucrative method used by these actors is to distribute malware through applications. Recently, malware developers have been using native code to hide malicious behavior, which complicates detection efforts.
To meet these challenges, Android has teamed up with Mandiant FLARE to update CAPA, an open-source binary analysis tool, to target the analysis of ARM Executable and Linkable Format (ELF) files used by Android malware. Together they have extended CAPA's capabilities by developing new rules designed to detect suspicious activity.
Lin Chen, who provided details on this research, explained how the CAPA rules work to highlight suspicious code in native files. “Using the CAPA rules, we can detect the capabilities observed in Android malware, highlight the suspicious code and prompt Gemini to summarize it. This improves our review process for faster decisions,” said Chen.
Mandiant presented a case involving an illegal gambling application disguised as a music application to evade detection and bypass Google Play Store policies. The application used anti-analysis techniques, hiding its malicious code in an ELF file.
On closer examination, analysts found that the application adapted its behavior to the user's geographic location, exposing its gambling functionality only in specific regions. The malicious application obscured its behavior using an ELF file with stripped symbols, and further complicated detection with techniques such as downloading encrypted files from remote servers.
The CAPA improvements include rules to detect functionality commonly associated with Android malware reached through the JNI (Java Native Interface), identifying actions such as ptrace API calls, extraction of device data, and cryptographic operations. These capabilities are key indicators of malicious intent, as Mandiant identified in the gambling application.
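As an added illustration (not CAPA's own engine or rule set, and not the rules Mandiant describes here), the following Python sketch shows how CAPA-style rules combine api:/string: features with and/or/"N or more" logic and are matched against features extracted from a native library. The feature sets, rule names and symbol names are constructed for the example; real CAPA rules are YAML files with a meta block and are evaluated by CAPA itself after it disassembles the ELF.

```python
import re

# Feature kinds accepted as rule leaves, mirroring CAPA's api:/string:/number:
# features. This is a simplified re-implementation for illustration only.
LEAF_KINDS = {"api", "string", "number"}

# Constructed feature sets standing in for what a disassembler would extract
# from a native library. Symbol names are hypothetical.
SUSPECT_LIB = {
    ("string", "JNI_OnLoad"),                  # exported by any JNI library
    ("string", "Java_com_example_Native_init"),
    ("api", "ptrace"),                         # classic anti-debugging call
    ("api", "__system_property_get"),          # device property lookup
    ("string", "ro.product.model"),
    ("api", "EVP_DecryptInit_ex"),             # one crypto call, not enough alone
}
BENIGN_LIB = {
    ("string", "JNI_OnLoad"),
    ("api", "__android_log_print"),
}

# Hypothetical rules written with CAPA's nesting: and/or/not/"N or more"
# blocks whose leaves are {kind: value} features.
RULES = {
    "check for tracer using ptrace": {
        "or": [
            {"api": "ptrace"},
            {"string": "TracerPid"},           # /proc/self/status inspection
        ]
    },
    "collect device properties via JNI": {
        "and": [
            {"string": "JNI_OnLoad"},
            {"or": [
                {"api": "__system_property_get"},
                {"string": "ro.serialno"},
                {"string": "ro.product.model"},
            ]},
        ]
    },
    "decrypt embedded payload": {
        "2 or more": [
            {"api": "EVP_DecryptInit_ex"},
            {"api": "EVP_DecryptUpdate"},
            {"api": "AES_decrypt"},
        ]
    },
}


def evaluate(node: dict, features: set) -> bool:
    """Recursively evaluate one rule node against a set of (kind, value) features."""
    if not isinstance(node, dict) or len(node) != 1:
        raise ValueError(f"malformed rule node: {node!r}")
    (key, value), = node.items()
    if key == "and":
        return all(evaluate(child, features) for child in value)
    if key == "or":
        return any(evaluate(child, features) for child in value)
    if key == "not":
        return not evaluate(value, features)
    threshold = re.fullmatch(r"(\d+) or more", key)
    if threshold:
        hits = sum(evaluate(child, features) for child in value)
        return hits >= int(threshold.group(1))
    if key in LEAF_KINDS:
        return (key, value) in features
    raise ValueError(f"unknown rule statement: {key!r}")


def match_rules(features: set, rules: dict = RULES) -> list:
    """Return the sorted names of all rules whose logic matches the features."""
    return sorted(name for name, body in rules.items() if evaluate(body, features))


if __name__ == "__main__":
    for label, lib in (("suspect", SUSPECT_LIB), ("benign", BENIGN_LIB)):
        print(f"{label}: {match_rules(lib)}")
```

The suspect library triggers the ptrace and device-property rules but not the decryption rule, because only one of the three decryption features is present; that threshold behavior is why a single crypto import is a weak signal on its own and why the page pairs these rules with a human review step.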
In addition, the collaboration has integrated Gemini's summarization capabilities into the analysis process. This AI summarization tool quickly narrows the list of suspicious functions, allowing analysts to focus effectively on the most significant areas of risk. Gemini's assessments were presented, assigning high risk levels on the basis of patterns suggesting malicious activity such as dynamic code loading and time-based behavioral changes.
When its capabilities were put to use, Gemini produced a summary for the gambling application in question: “The provided Android application code exhibits several concerning behaviors that suggest malicious intent. Malicious software techniques.”
The application exhibited many obfuscation techniques and anti-debugging methods aimed at avoiding detection, which considerably heightens suspicion about its operations.
The wider objective of these efforts is to protect Android users and maintain the integrity of the Google Play Store by identifying and blocking applications with hidden harmful intent. Improved CAPA rules and Gemini summarization play an essential role in this preventive measure.
As Android continues to evolve its multi-layered security strategy, these advanced tools represent a proactive step toward detecting future threats and maintaining the security and reliability of the Android ecosystem. The research initiative reflects an ongoing commitment by Mandiant and Android to collaborate closely with the security community, further refining their techniques to counter malware threats effectively.