Analysis and detection of Android stegomalware: the impact of the loading stage
Soi, Diego; Sanna, Silvia Lucia; Regano, Leonardo; Giacinto, Giorgio
2025-01-01
Abstract
Due to the increasing use of advanced offensive techniques, mitigating Android malware is an urgent need. An emerging attack trend exploits steganography to conceal malicious payloads within applications in order to make attacks stealthier. Even though works on “stegomalware” are starting to emerge, they primarily focus on the multimedia part of the attack chain, i.e., on how to detect hidden data in images or videos. Therefore, this work aims at understanding whether the loading stage required to extract the cloaked information can generate detection signatures. To this end, we develop a proof-of-concept implementation, which has been repacked within a real Android application and tested against several malware detection engines provided by VirusTotal. To anticipate possible offensive campaigns, we also performed tests considering threat actors able to obfuscate the bytecode of the loader or the entire APK. Results indicate that standard tools are not ready to face stegomalware targeting Android applications. Therefore, we provide indications on how to improve the forensics and attribution phases for Android malware endowed with information hiding capabilities.

| File | Size | Format |
|---|---|---|
| 3733102.3733122.pdf (open access; description: VoR; type: publisher's version (VoR)) | 712 kB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.


