StegWare: A Novel Malware Model Exploiting Payload Steganography and Dynamic Compilation

Android is the most widely used mobile operating system in the world. Due to its popularity, has become a target for attackers who are constantly working to develop aggressive malicious payloads aimed to steal confi-dential and sensitive data from our mobile devices. Despite the security policies provided by the Android operating system, malicious applications continue to proliferate on official and third-party markets. Unfortunately, current anti-malware software is unable to detect the so-called zero-day threats due to its signature-based approach. For this reason, it is necessary to develop methods aimed to enforce Android security mechanisms. With this in mind, in this paper we highlight how a series of features available in current high-level programming languages and typically used for totally legitimate purposes, can become a potential source of malicious payload injection if used in a given sequence. To demonstrate the effectiveness to perpetrate this attack, we design a new malware model that takes advantage of several Android features inherited from the Java language, such as reflection, dynamic compilation, and dynamic loading including steganographic techniques to hide the malicious payload code. We implement the proposed malware model in the Stegware Android application. In detail, the proposed malware model is based, on the app side, on the compilation and execution of Java code at runtime and. from the attacker side, on a software architecture capable of making the new malware model automatic and distributed. We evaluate the effectiveness of the proposed malware model by submitting it to 73 free and commercial antimalware, and by demonstrating its ability to circumvent the security features of the Android operating systems and the current antimalware detection.