AVPASS: Leaking and Bypassing Antivirus Detection Model Automatically

Presented at Black Hat USA 2017, July 27, 2017, 12:10 p.m. (50 minutes).

AVPASS is a tool for leaking the detection model of Android antivirus (AV) programs, and bypassing the AV detection by using the leaked information coupled with APK perturbation techniques. AVPASS is able to infer not only the detection features, but also hierarchy of detection rule chains. With help from the leaked model and the built-in APK perturbation functions, AVPASS is able to disguise any android malware as a benign application. Furthermore, using our novel additive mode, AVPASS supports safe querying and guarantees that one can test if the application will be detected by the AV without sending the whole or core parts of application. As a result, AVPASS leaked significant detection features of commercial AVs and achieved almost zero detection from VirusTotal when tested with more than 5,000 malware.

In this talk, we present the entire pipeline of the APK perturbation process, leaking model process, and auto-bypassing process. In addition, we show findings about commercial AVs, including their detection features and hierarchy, and inform the attendees about the potential weaknesses of modern AVs.

AVPASS will be demonstrated, showing that it modifies real world malware precisely, and allows them to bypass all AVs following the leaked model. AVPASS will be released with every tool that we have built, including the original source code and the related test data, to enable researchers to replicate the research on their own.


Presenters:

  • Chanil Jeon - Research Associate II, Georgia Institute of Technology
    Chanil Jeon is a Research Associate II in School of Computer Science, College of Computing, Georgia Institue of Technology, focused on computational science topics in complex systems with large-scale data. He is working on building a general model for bypassing mobile malware detection system and extracting common malware features from real-world malware data. He holds the B.S. (2006) and the Ph.D. (2013) degrees from KAIST, all in Physics.
  • Insu Yun - PhD Student, Georgia Institute of Technology
    Insu Yun is a PhD student at Georgia Institute of Technology. His research interests are focused on binary analysis and automated bug finding. Prior to joining Georgia Tech, he participated in several capture-the-flag (CTF) including DEFCON CTF. He received his BS degree in Computer Science from KAIST in 2015.
  • Jinho Jung - PhD Student, Georgia Institute of Technology
    Jinho Jung is a doctoral student at Georgia Tech Information Security Center (GTISC). Currently, his research focuses on discovering vulnerabilities and inferring decision model of mobile malware detection system, and identifying evidence of cyber-attack from the application's memory dump.
  • Max Wolotsky - PhD Student, Georgia Institute of Technology
    Max Wolotsky is a doctoral student at Georgia Institute of Technology studying Computer Science. His research interests include certified programming, mobile device security, and biometric security. He received his BS in Computer Science from Cal Poly Pomona.
  • Taesoo Kim - Assistant Professor, Georgia Institute of Technology
    Taesoo Kim is an Assistant Professor in the School of Computer Science, College of Computing, Georgia Institute of Technology. He is interested in building a system whose underlying principles justify why it should be secure. Those principles include the design of the system, analysis of its implementation, and clear separation of trusted components. He holds the B.S. from KAIST (2009), the S.M. (2011), and the PhD (2014) degrees from Massachusetts Institute of Technology, all in computer science.

Links:

Similar Presentations: