![Story image](https://securitybrief.co.uk/uploads/story/2025/02/07/techday_049119543f4a860a0509.webp)
Mandiant partners with Android team to tackle concealed malware
Mandiant and the Android Security and Privacy Team have collaborated to develop enhanced tools capable of detecting Android malware concealed within native files of mobile applications.
As mobile devices become central to daily activities such as banking and healthcare management, they increasingly attract malicious actors aiming to exploit sensitive data. One lucrative method employed by these actors involves distributing malware through apps. Recently, developers of such malware have been using native code to conceal malicious actions, thus complicating detection efforts.
To address these challenges, Android has partnered with Mandiant FLARE to extend capa, an open-source binary analysis tool, so that it can analyse the native ARM Executable and Linkable Format (ELF) files used by Android malware. capa works by matching human-readable rules against features extracted from a binary (API calls, strings, constants, control-flow characteristics) and reporting which capabilities the code exhibits. Together, the two teams have written new rules for capa that target suspicious behaviours seen in Android native code.
Lin Chen, who provided insights into this research, explained how capa rules work to highlight suspect code within native files. "Using capa rules, we can detect capabilities observed in Android malware, highlight suspicious code, and prompt Gemini for summarization. This enhances our review processes for faster decisions," Chen stated.
Mandiant showcased a sample case involving an illegal gambling app disguised as a music application to evade detection and bypass regulations on Google Play Store. The app employed anti-analysis techniques, hiding its malicious functionalities within an ELF file.
Upon detailed examination, reviewers discovered that the app adapted its behaviour to the geographical location of the user, revealing its gambling features only in specific regions. The app hid its behaviour in ELF files with stripped symbols, and complicated detection further by downloading encrypted payloads from remote servers.
The new capa rules flag native functions, reached from Java through JNI (Java Native Interface) calls, that exhibit behaviour typical of Android malware: ptrace API calls (commonly used for anti-debugging), extraction of device data, and cryptographic operations. These are the same indicators Mandiant found in the gambling app.
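The following is an added illustration of what such a rule looks like in capa's rule syntax; it is an example written for this article, not one of the rules Mandiant and the Android team published. The rule name, author, and example hash are placeholders, and the ptrace request constants are the standard Linux values (PTRACE_TRACEME = 0, PTRACE_ATTACH = 0x10).

```yaml
# Hypothetical capa rule (example for this article, not a published rule).
# Matches a function in an ELF file that calls ptrace, the classic
# anti-debugging primitive seen in Android native code: ptrace(PTRACE_TRACEME)
# makes the process untraceable by a second debugger, and PTRACE_ATTACH is
# used to attach to a sibling process for the same effect.
rule:
  meta:
    name: detect debugger via ptrace in native Android code
    namespace: anti-analysis/anti-debugging/debugger-detection
    authors:
      - example-author@example.com   # placeholder
    scopes:
      static: function
      dynamic: unsupported
    att&ck:
      - Defense Evasion::Debugger Evasion [T1622]
    examples:
      - 0000000000000000000000000000000000000000000000000000000000000000:0x1000  # placeholder sha256:function address
  features:
    - and:
      - format: elf
      - api: ptrace
      # The request constant is optional so the rule still fires when the
      # argument is computed at runtime or not recovered from stripped code.
      - optional:
        - or:
          - number: 0 = PTRACE_TRACEME
          - number: 0x10 = PTRACE_ATTACH
```

Run it with `capa -r <rules-dir> libnative.so` (capa's standard invocation) and the matched function addresses appear in the report; because the rule is scoped to `function`, an analyst can jump straight to the offending function in the disassembler rather than reviewing the whole stripped binary.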
Furthermore, the collaboration has integrated Gemini-based summarization into the analysis process: the capa matches for an app are passed to Google's Gemini model, which narrows the list of suspicious functions so that analysts can focus on the areas of greatest risk. In the showcased assessments, Gemini assigned a high risk level because of patterns such as dynamic code loading and time-based changes in behaviour.
In exploring Gemini's capabilities, it produced a summary for a particular gambling app: "The provided Android application code exhibits several concerning behaviors strongly indicative of malicious intent. The risk level is assessed as HIGH due to the presence of multiple red flags consistent with sophisticated Android malware techniques."
The summary also called out numerous obfuscation and anti-debugging techniques aimed at avoiding detection, significantly raising suspicion about the app's operations.
The broader objective of these efforts is to safeguard Android users and maintain the integrity of the Google Play Store by identifying and blocking apps with concealed harmful intent. The enhanced capa rules and Gemini's summarization play a critical role in this preventive measure.
As Android continues to evolve its multi-layered security strategy, these advanced tools represent a proactive step in detecting future threats and maintaining the safety and reliability of the Android ecosystem. The research initiative reflects an ongoing commitment by both Mandiant and Android to collaborate closely with the security research community, further refining techniques to counteract malware threats effectively.