Increasing mobile threat intelligence with apklab.io | Avast

 

There’s a secret “war” happening under the noses of hundreds of millions of online users, and it’s war on a grand scale because so many players are involved. Armies of cybercriminals, consisting of everything from solo marauders to frighteningly organized cells, launch daily attacks upon both the public and business sectors, trying all manner of technological and psychological trickery to weasel as big a payload into their digital pockets as possible.

Then there’s us. The good guys. We believe everyone deserves a safe and secure online experience, and we dedicate all our time to defeating those bad actors. Much like counterintelligence is an essential wartime tactic, we use threat intelligence to get a good picture of what the other side is doing and to stay a few steps ahead of them. Our newest tool in this arena is apklab.io, an AI-based analysis platform that we will soon share with the world.

What is threat intelligence?

Like counterintelligence, threat intelligence is collected data on the enemy’s tactics. The more data we have, the better. The term big data is used to define a mass amount of data from a variety of sources, focused on one subject. At Avast, we collect big data on the most current cyberthreats today with our network of hundreds of millions of sensors around the globe.

We’ve taken our big data and created a mobile threat intel platform (MTIP) out of it, which is apklab.io. This entailed developing reliable and fast automatic classifiers that examine every strain of malware, categorizing like with like and creating a more complete picture of that particular malware family (all its variants, etc.). We’ve also built into the platform coherent analyses of both static and dynamic flow, meaning our MTIP also studies the behavior of every malware strain while it’s dormant as well as active.

How does apklab.io work?

Our big data comes from our partners, our mobile AV clients, as well as third parties. From all of these sources, we receive file samples. We feed all the samples to apklab.io, whose first task is to assess if they are suspect or not.

If a sample is indeed suspect, it is then analyzed by the static and dynamic analysis box. As our MTIP forms a complete picture of the sample, we use machine learning to categorize it as part of a known malware family or not. The sample then lives forever in the apklab.io database to help solve future malware strain mysteries.

As an example, let’s look at the recent case of BankBot Trojan found in various apps on the Google Play Store last year. In October and November 2017, the criminals distributing the malware managed to repeatedly upload droppers to the marketplace. Using the family tracking feature in apklab.io, we were able to identify and detect every sample that was being uploaded to Google Play within a matter of minutes of them appearing.

Apklab.io for the cybersecurity community

We are currently working on making our MTIP available to cybersecurity experts around the world. We are running tests internally to make sure the platform is ready for use by the wider cybersecurity community. With this, we want to empower researchers everywhere to analyze malware strains and discover new ones as effortlessly as possible.

Apklab.io will be available by invite-only.  If you are interested in using apklab.io, email us at  [email protected]. And follow us on Twitter. We will keep you updated on the platform’s status and share with you as soon as it’s ready for partners to use. We’re all in this together, after all. There’s a war on, but we’ll persevere if we pool our resources and stick together.