Android’s rise to one of the world’s most popular operating systems has expanded its reach to billions of devices worldwide. This massive footprint is a beacon for malware developers who seek to exploit the personal data of its expansive and diverse user base. As with any operating system, Android treat actors aim to distribute their malicious software as widely as possible. Yet, the methodologies for spreading in the Android ecosystem differ significantly from those in traditional desktop environments, which historically have relied on worm-type malware for rapid propagation.
In mobile, application markets serve as a prime channel for reaching this objective, given their role in distributing billions of apps annually. However, a significant hurdle exists: to be listed on prominent platforms such as the Play Store, an app must satisfy specific criteria and undergo thorough screenings for signs of malware, both prior to and post-publication.
During our review of Android malware samples in these markets, we uncovered a multitude of evasion techniques designed to circumvent both static and dynamic detection mechanisms. From simple yet clever methods like analyzing a device’s battery level to gauge its legitimacy, to sophisticated technical tactics employing Java reflection, obfuscation, encryption, steganography, and dynamic code loading, these tactics illustrate the evolving nature of modern mobile malware.
This survey presents a thorough examination of the most advanced detection evasion techniques utilized by several of the most notorious Android malware families, with the infamous Joker and Hydra families as key examples. Our in-depth analysis elucidates the evolving sophistication of these techniques and their implications for the security of the Android ecosystem. Through this detailed exploration, we aim to provide insights that can aid in the development of more robust defense mechanisms to protect against such insidious software threats.
