AVPASS is a tool for leaking the detection model of Android malware detection systems (i.e., antivirus software), and bypassing their detection logics by using the leaked information coupled with APK obfuscation techniques. AVPASS is not limited to detection features used by detection systems, and can also infer detection rules so that it can disguise any Android malware as a benign application by automatically transforming the APK binary. To prevent leakage of the application logic during transformation, AVPASS provides an Imitation Mode that allows malware developers to safely query curious detection features without sending the entire binary.
AVPASS offers several useful features to transform any Android malware so it can bypass anti-virus software. Below are the main features AVPASS offers:
+ APK obfuscation with more than 10 modules
+ Feature inference for the detection system by using individual obfuscation
+ Rule inference of the detection system by using the 2k factorial experiment
+ Targeted obfuscation to bypass a specific detection system
+ Safe query support by using Imitation Mode
* Recently, we add new features (Java reflection, complicate string encryptor) to bypass better. Unfortunately, these new modules are not compatible with some previous modules. We didn’t perform test much but we found one case of error. Since Java reflection hide all method names, pcm module (package/class/method name changer) can occur error when you run obfuscation APK. To solve this problem, we will quickly provide pc module (package/class) for only obfuscating package and class names when you already used Java reflection.
* Until the release, we recommend you not to use Java reflection with pcm module. If you just try to infer AVs feature, it’s fine to use because apktool can compile the smali into APK anyway.
– apktool: https://ibotpeaches.github.io/Apktool/
– numpy: http://www.numpy.org/
– PIL: http://www.pythonware.com/products/pil/
– magic: https://pypi.python.org/pypi/python-magic
– python-utils: https://pypi.python.org/pypi/python-utils/2.1.0
– vt: https://pypi.python.org/pypi/virustotal-api
Usage and install:
git clone https://github.com/sslab-gatech/avpass && cd avpass
./install-dep.sh (Must Root user for install all Dependencies)
Please read avpass/docs/README.MD for configuration and How to use!
change configuration: Open the file: src/conf.py
Launch individual obfuscation:
python gen_disguise.py -i YOUR_MALWARE.apk individual
Obfuscate by using inferred rules:
python gen_disguise -i YOUR_MALWARE withrule -o OUTPUT_DIR