Increasing mobile threat intelligence with apklab.io | Avast

Nikolaos Chrysaidos, 15 February 2019

Avast stays several paces ahead of cybercriminals with apklab.io.

At Avast, we firmly believe that everyone deserves a safe and secure online experience. That’s why we dedicate every day to understanding and defeating the bad actors who spread threats, violate privacy, and take advantage of the online community. Much like counterintelligence is an essential wartime tactic, we use threat intelligence to get a good picture of what the other side is doing and to stay a few steps ahead of them. Our newest tool in this arsenal is apklab.io, an AI-based analysis platform.

What is apklab.io?

APKLAB.io is a mobile threat intelligence platform (MTIP) designed to provide the most relevant information for Android™ security researchers. At Avast, we collect big data on the most current cyberthreats today with our network of hundreds of millions of sensors around the globe. We use this big data as the reference point for our MTIP apklab.io.

We developed reliable and fast automatic classifiers that examine every strain of malware, categorizing like with like, and creating a more complete picture of each particular malware family (all its variants, etc.). We’ve also built into the platform coherent analyses of both static and dynamic flow, meaning our MTIP also studies the behavior of every malware strain while it’s dormant as well as active.


How does apklab.io work?

Our big data comes from our partners and mobile AV clients, as well as third parties. From all these sources, we receive file samples. We feed the samples to apklab.io, whose first task is to assess if they are suspect or not.

If a sample is suspected to be malicious, it is then processed by our in-house custom-built static analysis tool and our dynamic analysis sandbox. As our MTIP forms a complete picture of the sample, we use machine learning to categorize it as either part of a known malware family or not. The sample then lives forever in the apklab.io database to help solve future malware strain mysteries. Currently we have almost 6.5M samples in the database.

As an example, let’s look at a recent case in which the criminals distributing the malware managed to repeatedly upload droppers to the marketplace. Using the family tracking feature in apklab.io, we were able to identify and detect every sample that was being uploaded to Google Play within minutes of it appearing.

Video showing the analysis of an Android ransomware sample

Apklab.io for the cybersecurity community

Our community version of MTIP apklab.io is in beta and now public online. It is being tested by cybersecurity researchers. We want to empower researchers everywhere to analyze malware strains — and discover new ones — as effortlessly as possible.

If you are interested in joining the community version of apklab.io, email us at apklab@avast.com. For a demo of our business version, contact us at apklab@avast.com. For the latest details, follow us on Twitter. It may be an uphill battle to keep users safe and secure online, but tools like apklab.io will enable us to make great strides together in reaching the top.