Google is ramping up Android security protection with new Android app safety tools

Google's Android Security and Privacy Team has announced a collaboration with Mandiant FLARE to extend capa, FLARE's open source binary analysis tool, so that it can analyze the ARM ELF files (native libraries) that Android malware commonly uses to hide its logic.

Lin Chen of Google described how Gemini AI is layered on top of the upgraded tool: capa identifies the capabilities present in a native binary, and Gemini summarizes that output so analysts can triage suspicious samples and reach a verdict faster.

Detecting malware in ELF

Chen illustrated the effectiveness of these new tools through a case study involving an illegal gambling application masquerading as a music app. This particular app, which had infiltrated the Google Play Store, was adept at loading gambling websites for users in targeted regions while employing various anti-analysis techniques. These included concealing critical functions within a native ELF file, utilizing timezone detection, and dynamically downloading and decrypting additional malicious code to evade detection.

Using static analysis with capa, Google's team was able to uncover these tactics and remove the app from the platform. Capa matches rules describing behaviors against the features it extracts from an ELF file, and new rules were written for Android-specific threats. These rules identify behaviors such as calls to the ptrace API (an anti-debugging indicator), extraction of device and timezone information through JNI, and downloading of additional code that is then decoded with Base64 and decrypted with the Cipher API.
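As an added illustration of what such a rule looks like (written for this page, not one of the rules published by Google or Mandiant FLARE), the following capa rule in the documented YAML rule format flags native code that calls ptrace with PTRACE_TRACEME (request value 0). A process can only be traced once, so the call fails if a debugger is already attached, which is a common self-check in packed or cloaked native libraries. The rule name, author address and scope settings are placeholders chosen for the example; capa's rule syntax (the `rule`/`meta`/`features` layout, the `api:`, `number:` and `format:` features, and the `scopes:` block used by recent capa versions) is assumed from its public rule format.

```yaml
# Example capa rule (not from the capa rules repository): match a basic block
# that calls ptrace with request PTRACE_TRACEME in an ELF binary.
rule:
  meta:
    name: check for debugger via ptrace PTRACE_TRACEME   # placeholder name
    namespace: anti-analysis/anti-debugging/debugger-detection
    authors:
      - analyst@example.com                              # placeholder author
    scopes:
      static: basic block     # all features must occur in one basic block
      dynamic: unsupported    # no sandbox-trace equivalent defined here
    description: >
      Native Android libraries sometimes call ptrace(PTRACE_TRACEME) on
      themselves; the call returns -1 when a debugger is already attached,
      so a failure is used as a signal to change behaviour or exit.
  features:
    - and:
      - format: elf                 # only consider ELF (Linux/Android) files
      - api: ptrace                 # imported libc symbol
      - number: 0 = PTRACE_TRACEME  # request argument; the "= name" is a comment for readers
```

Save this as a .yml file in a rules directory and pass that directory to capa with `-r`; a hit on this rule then appears in capa's output under its namespace, which is exactly the kind of result the article says Gemini is asked to summarize. The same pattern covers the other behaviors mentioned above: a rule for JNI timezone lookups would key on the class name strings the native code passes to FindClass (for example the string `java/util/TimeZone`), and a rule for the Base64/Cipher download-and-decrypt stage would combine the corresponding class and method name strings with the networking APIs in the same function.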

This streamlined approach allows analysts to pinpoint suspicious functions swiftly, eliminating the need to navigate through extensive layers of obfuscated code. Furthermore, the incorporation of Gemini AI enhances this process by summarizing the most concerning functions flagged by capa. The AI tool is capable of conducting risk level assessments and providing insights into obfuscation, anti-debugging, and cloaking strategies, which accelerates malware detection and rule formulation.

“Equipped with the fast-evolving Gemini, our analysts are able to spend less time on those sophisticated samples, minimizing the exposure for malicious apps and ensuring the safety of Android ecosystems,” Chen remarked, highlighting the importance of these advancements in maintaining a secure environment for users.

AppWizard