Malware continues to advance, getting better at infiltrating and better at avoiding detection. When it comes to mobile security, this is the biggest fear: what if my mobile device is already compromised and I don't even know? Recently a security company published research on a new Android ransomware that they claim "bypasses all antivirus programs," and a number of reputable websites have repeated the claim (here, here and here, for example). But don't believe it.
Security products still rely mostly on signatures of known malware and exploits to detect malicious apps and activity, with various explorations into behavioral analysis, anomaly detection, machine learning and other strategies to extend beyond that limitation. Yet there is a steady flow of zero days and other clever malware that regularly slips past these common detections.
Skycure takes a different approach. Sure, we have signature databases, and we employ other techniques common in the industry to efficiently catch the easy exploits that other products also identify, but that only goes so far. Skycure has created some unique technology, some of it patented, to do a better job of both predicting when something bad may happen based on precursor activity, and of course detecting the actual exploits, before any damage is done.
Take the Android ransomware referenced above as an example. In this case, the malicious code is injected into repackaged copies of a number of popular apps. The injected code hides what it does by keeping its strings and payload encrypted and by resolving the APIs it calls through Java reflection at runtime, and it also waits four hours after first run before doing anything bad. Static analysis, which evaluates the code of the app without running it, looks for evidence that the app will try to do something it shouldn't once it starts. That would normally reveal planned communications with command-and-control servers, but because the relevant strings and method calls only exist after decryption and reflection at runtime, static analysis has nothing to match and passes the app. Dynamic analysis executes the app in a safe virtual environment, typically on a server in the cloud, exercising the app's functions to find out what it really does when running. Because the malicious code sleeps for four hours, far longer than a typical sandbox run, dynamic analysis only ever observes the benign behavior of the original app and reports it clean. This is why some think this ransomware bypasses all antivirus programs.
However, there is almost always an indication that something is fishy before anything bad actually happens, and that is where prediction comes in. Skycure has developed an arsenal of techniques to anticipate malicious behavior so users and their devices are protected before the payload fires. In the example above, it can be as simple as recognizing that the app the user thinks they are installing has been repackaged: it carries the package name of a well-known app, but it was not signed by the original publisher and its code does not match the official release. Because Skycure uses crowd wisdom as a key source of mobile threat intelligence, we know what the genuine app from the genuine publisher looks like, which is a big advantage over vendors who rely only on local detections or primarily on data from a free consumer app. There may be other exploit indications as well, and each type of exploit has its own. Skycure also has a whole class of predictions based on Indicators of Compromise (IoC) that catch a high percentage of advanced attacks.
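The repackaging check described above, as an added illustration that is not Skycure's code: an Android app is identified by its package name, and a given package name should always be signed with the same publisher certificate, so an APK whose declared package name is known but whose signing certificate fingerprint does not match the publisher's is a re-signed (repackaged) copy, whatever the code inside it does and however long it waits before doing it. To stay self-contained, the example builds its own APK-like zip files with a plain-text manifest and constructed certificate bytes in place of a real PKCS#7 signature block or APK Signing Block; the reference table of publisher fingerprints, the certificate contents and the `com.example.flashlight` package are all made up for the example.

```python
"""Toy repackaging check for Android apps (example code, not Skycure's).

A reference table of known publisher signing-certificate fingerprints is
consulted for the package name an APK declares. If the signer differs, the
app was re-signed by someone other than the publisher, i.e. repackaged, and
that verdict does not depend on what the injected code does at runtime.
"""
import hashlib
import io
import zipfile

# Constructed certificates: made-up byte strings standing in for the DER
# X.509 certificates a real check would extract from the signature block.
OFFICIAL_CERT = b"-----CONSTRUCTED CERT: Example Publisher Ltd-----"
ATTACKER_CERT = b"-----CONSTRUCTED CERT: self-signed repackager-----"


def fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 fingerprint of a certificate, hex encoded."""
    return hashlib.sha256(cert_bytes).hexdigest()


# Constructed reference data standing in for store / crowd-sourced
# intelligence: package name -> fingerprint of the publisher's signing cert.
REFERENCE = {
    "com.example.flashlight": fingerprint(OFFICIAL_CERT),
}


def build_apk(package: str, cert: bytes, dex: bytes) -> bytes:
    """Build a minimal zip that mimics an APK's layout for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Real manifests are binary XML; a text stand-in is enough here.
        z.writestr("AndroidManifest.xml", f'<manifest package="{package}"/>')
        z.writestr("classes.dex", dex)
        # Real APKs carry a PKCS#7 block here (v1 signing) or an APK Signing
        # Block (v2/v3); the constructed cert bytes play that role here.
        z.writestr("META-INF/CERT.RSA", cert)
    return buf.getvalue()


def inspect_apk(apk_bytes: bytes) -> dict:
    """Extract the facts the check needs: package name, signer, code hash."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest = z.read("AndroidManifest.xml").decode()
        package = manifest.split('package="')[1].split('"')[0]
        signer = fingerprint(z.read("META-INF/CERT.RSA"))
        dex_sha256 = hashlib.sha256(z.read("classes.dex")).hexdigest()
    return {"package": package, "signer": signer, "dex_sha256": dex_sha256}


def repackaging_verdict(apk_bytes: bytes, reference: dict = REFERENCE) -> str:
    """Return 'genuine', 'repackaged' or 'unknown-publisher'."""
    info = inspect_apk(apk_bytes)
    expected = reference.get(info["package"])
    if expected is None:
        # Nothing to compare against: not proof of tampering, but worth a
        # closer look before the app is allowed to run.
        return "unknown-publisher"
    if info["signer"] != expected:
        # Same package name, different signer: re-signed by a third party.
        return "repackaged"
    return "genuine"


# Constructed sample inputs: the publisher's release and a trojanized copy
# that keeps the package name but carries extra code and a new signer.
GENUINE_DEX = b"dex\n035\0" + b"original flashlight code"
TROJAN_DEX = GENUINE_DEX + b"\0injected: decrypt, reflect, sleep 4h, encrypt files"

GENUINE_APK = build_apk("com.example.flashlight", OFFICIAL_CERT, GENUINE_DEX)
REPACKAGED_APK = build_apk("com.example.flashlight", ATTACKER_CERT, TROJAN_DEX)
UNKNOWN_APK = build_apk("com.example.newgame", ATTACKER_CERT, GENUINE_DEX)

if __name__ == "__main__":
    for name, apk in [("genuine", GENUINE_APK), ("repackaged", REPACKAGED_APK),
                      ("unknown", UNKNOWN_APK)]:
        print(name, inspect_apk(apk)["signer"][:16], repackaging_verdict(apk))
```

The verdict comes purely from the signer mismatch: the trojanized copy is flagged even though its injected code would sit idle for four hours in a sandbox, which is exactly the gap static and dynamic analysis leave open. In a real deployment the certificate would be pulled from the APK's signature block and the reference fingerprints would come from the app store or from the population of devices that already run the genuine app.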
So when someone tells you about the next undetectable malware, just tell them they must be using the wrong security solution. Skycure has you covered.
To learn more about predicting mobile exploits, read about our Mobile Threat Defense solution here, or give us a shout at info@skycure.com.