Dear Jan,
First of all, yes, we had a decrease in the detection rate in the test performed in March 2013, which was the signal to change the internal sample processing; we will probably see next week how we did in the latest, not yet publicized test.
However, there are also other testers around the internet with slightly different results; check out http://www.pcsecuritylabs.net/document/report/pcsl_android_201301_cn.pdf which is unfortunately in Chinese, but the results are readable. This test was performed at approximately the same time as the av-test test you are referring to.
I am concerned that your product is giving me false sense of security. Can you please tell me your/Avast Mobile approach to Android OS malware detection, analysis and protection?
FYI: My concern was triggered by this article at http://www.mccormick.northwestern.edu/news/articles/2013/05/android-antiviral-products-easily-evaded-northwestern-study-says-yan-chen.html. For example, in the referred paper (http://list.cs.northwestern.edu/mobile/droidchameleon_nu_eecs_13_01.pdf) they state:
Well… It's better to summarize that in bullets:
- There's no product with 100% malware coverage (it's exactly the same for Windows, Android, or any other platform you can think of); we are really close and always trying to cover all the samples we know about.
- The detection mechanism should be as quick as possible; no one wants to wait five minutes to analyze a downloaded application. And that's just one app; what about a full system scan?
- The main analysis is done in the viruslab by humans or by automatic procedures; this will always produce detections our product is able to understand.
- There always were, are and will be researchers doing exactly the same 'research': repacking malware and checking how detection abilities change.
- We must keep our eye on the real threat landscape!
- But we also have to process the samples synthetically made by these people, unfortunately!
- The report shows only two simple things:
  - Who's using full-file hashes to detect files (every change leads to detection failure) and who's using a better solution; nothing else.
  - Static analysis has its own borders.
And shortly about our approach: we don't use checksums, as they are really inefficient. We currently use patterns (a multi-pattern approach) and an algorithmic approach that enable us to create really generic detections able to spot polymorphic malware.
Best Regards
J. Sejtko
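The contrast the post draws between full-file-hash detection (any byte change breaks the match) and a multi-pattern approach, as an added illustration that is not Avast's code and not part of the original thread. The "sample" byte blobs, the detection names and the patterns are all constructed here; a real engine works on APK contents (DEX bytecode, manifest, resources), not on a made-up string.

```python
"""Toy comparison: full-file hash versus multi-pattern detection.

Constructed example for illustration only. The byte blobs below stand in
for APK contents; the detection names and patterns are made up.
"""
import hashlib
import re
from typing import Optional

# Constructed "known malware" blob: think of it as the bytes of an APK.
KNOWN_SAMPLE = (
    b"PK\x03\x04"
    b"classes.dex:"
    b"Lcom/evil/Payload;->sendSms(Ljava/lang/String;)V"
    b"premium-number=12345"
    b"exec:/system/bin/sh"
    b"cert:ORIGINAL-SIGNER"
)

# Constructed "repacked" variant: identical malicious code, but re-signed,
# so exactly one metadata field differs from the known sample.
REPACKED_SAMPLE = KNOWN_SAMPLE.replace(b"cert:ORIGINAL-SIGNER", b"cert:NEW-SIGNER")

# Constructed benign messaging app: it sends SMS (one of the patterns
# below) but has neither a premium number nor a shell exec string.
BENIGN_SAMPLE = (
    b"PK\x03\x04"
    b"classes.dex:"
    b"Lcom/goodapp/Messenger;->sendSms(Ljava/lang/String;)V"
    b"cert:GOOD-SIGNER"
)


# --- Approach 1: full-file hash (the "checksums" the post rejects) ---------
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


HASH_SIGNATURES = {sha256_hex(KNOWN_SAMPLE): "Android:Toy-A [hash]"}


def detect_by_hash(data: bytes) -> Optional[str]:
    """Match only if every byte of the file is identical to a known sample."""
    return HASH_SIGNATURES.get(sha256_hex(data))


# --- Approach 2: multi-pattern (several byte patterns must all be present) --
# A file is flagged only when every pattern of some detection matches.
# Requiring several patterns keeps one common fragment (an SMS call)
# from flagging legitimate apps; wildcards tolerate cosmetic changes.
PATTERN_SIGNATURES = {
    "Android:Toy-A [multi-pattern]": [
        rb"Lcom/[a-z]+/Payload;->sendSms\(",  # package name is a wildcard
        rb"premium-number=\d+",
        rb"exec:/system/bin/sh",
    ],
}


def detect_by_patterns(data: bytes) -> Optional[str]:
    """Return the first detection whose patterns all occur in the data."""
    for name, patterns in PATTERN_SIGNATURES.items():
        if all(re.search(p, data) for p in patterns):
            return name
    return None


def compare(data: bytes) -> dict:
    """Run both approaches on one file and report what each returns."""
    return {"hash": detect_by_hash(data), "patterns": detect_by_patterns(data)}


if __name__ == "__main__":
    for label, blob in [("known", KNOWN_SAMPLE), ("repacked", REPACKED_SAMPLE),
                        ("benign", BENIGN_SAMPLE)]:
        print(label, compare(blob))
```

Running it shows the two points the post makes: the hash detection catches the known sample and nothing else, while the multi-pattern detection still fires on the re-signed copy and stays quiet on the benign app that shares only one fragment with the malware.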