2Faces: a new model of malware based on dynamic compiling and reflection

Detailed description

Bibliographic details
Published in: Journal of Computer Virology and Hacking Techniques 2022-09, Vol.18 (3), p.215-230
Main authors: Casolare, Rosangela; Lacava, Giovanni; Martinelli, Fabio; Mercaldo, Francesco; Russodivito, Marco; Santone, Antonella
Format: Article
Language: eng
Online access: Full text
Description
Summary: Nowadays malware writers are continually striving to find new ways to evade antimalware checks. To do this, they exploit the vulnerabilities of current antimalware that are unable to detect zero-day threats, because to detect malicious behavior, they need to know their signature, which must be stored in the database: to be recognized, a malware must already be widespread. In this paper we propose a novel malware model with the aim of promoting the development of innovative malware detection paradigms. The proposed model is based on the combination of the following mechanisms: dynamic compiling, reflection and dynamic loading, to combine a series of source code snippets into a running application and dynamically alter the normal flow of program execution. We implemented the proposed malware model in the 2 Faces Android application. We also show that current antimalware technologies are not able to identify the proposed malware model, and we discuss the countermeasures that can be adopted to detect the 2 Faces malware.
ISSN: 2263-8733
DOI: 10.1007/s11416-021-00409-8