Android malware development on public malware scanning platforms: A large-scale data-driven study

Abstract

Android malware scanning services (e.g., VirusTotal) are websites that users submit suspicious Android programs and get an array of malware detection results. With the growing popularity of such websites, we suspect that, these services are not only used by innocent users, but also, malware writers for testing the evasion capability of their malware samples. May this hypothesis be true, it not only provides interesting insight on Android malware development (AMD), but also provides opportunities for important security applications such as zero-day sample detection. In this work, we first validate this hypothesis with massive data; then design a system AMDHunter to hunt for AMDs on VirusTotal that reveals new threats for Android that has never been revealed before. This is the first systematic study of the malware development phenomenon on VirusTotal, and the first system to automatically detect such malware development cases. AMDHunter has been used in a leading security company for months. Our study is driven by the large amount of data on VirusTotal -We analyzed 153 million submissions collected on VirusTotal during 102 days. Our system identifies 1,623 AMDs with 13,855 samples from 83 countries. We also performed case studies on 890 malware samples selected from the identified AMDs, which revealed lots of new threats, e.g., the development cases of fake system/banking phishing malware, new rooting exploits and etc.