Explore Joe Security Cloud Basic Accounts Contact Us
top title background image

Joe Security's Blog

Detecting Malware by using the Application Icon

Published on: 09.04.2014

Have you ever wondered how many malicious applications use an application icon from a legit application?

We did the same and thought about implementing a cool signature to detect if a potential malicious application uses an icon of a benign application. To do so, we collected a large set of icons by extracting them from malicious applications. Afterwards, we selected those icons which looked familiar to us:

The next step was to search for a good icon comparison algorithm. After a quick search we found a very cool differential hashing algorithm called dHash as well as an implementation in python. dHash calculates the relative gradient direction by measuring the brightness between adjacent pixels. Compared to a crypto hash function dHash ignores some of the image features. Therefore, similar but non-equal icons get the same hash. To do so it reduces the size and the color (grayscale) of an icon. Having a hashing/icon comparison algorithm which compensates modifications is necessary since the icons of malicious applications are often not identical to the those of legit applications.

Finally, we calculated unique dHashs of our set of benign icons we found in malicious apps:

We wrote a Joe Sandbox behaviour signature to detect those icons generically:

The full analysis report is available at: