Have you ever wondered how many malicious applications use an application icon from a legit application?
We did the same and thought about implementing a cool signature to detect if a potential malicious application uses an icon of a benign application. To do so, we collected a large set of icons by extracting them from malicious applications. Afterwards, we selected those icons which looked familiar to us:
The next step was to find a good icon comparison algorithm. After a quick search we found a very cool differential hashing algorithm called dHash, as well as an implementation in Python. dHash computes the relative gradient direction by comparing the brightness of adjacent pixels. Unlike a cryptographic hash function, dHash deliberately ignores some of the image features, so similar but non-identical icons get the same hash. To achieve this, it first reduces the size of the icon and converts it to grayscale. A hashing/icon comparison algorithm that tolerates such modifications is necessary, since the icons of malicious applications are often not identical to those of the legit applications.
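To make the comparison step concrete, here is an added, self-contained dHash example in Python. It is not the implementation linked above and not Joe Sandbox code; the box-filter downscale, the 8x8-bit hash size, the 10-bit match threshold and the three sample icons (a solid square, a brightened/recoloured/shifted copy of it, and an unrelated gradient) are all constructed here for illustration. It shows what the post describes: the tweaked icon lands a few bits away from the original under dHash while its SHA-256 is completely different, and an unrelated icon is far away, which is what a lookup against a list of known benign-icon hashes relies on.

```python
import hashlib

HASH_SIZE = 8         # 8 bits per row x 8 rows = 64-bit dHash
MATCH_THRESHOLD = 10  # assumed: Hamming distance at or below this counts as "same icon"


def to_grayscale(pixels):
    """Rows of (r, g, b) tuples -> rows of integer luminance (Rec. 601 weights, integer math)."""
    return [[(299 * r + 587 * g + 114 * b) // 1000 for (r, g, b) in row] for row in pixels]


def downscale(gray, width, height):
    """Box-filter downscale: each output pixel is the mean of the source block it covers."""
    src_h, src_w = len(gray), len(gray[0])
    out = []
    for y in range(height):
        y0 = y * src_h // height
        y1 = max(y0 + 1, (y + 1) * src_h // height)
        row = []
        for x in range(width):
            x0 = x * src_w // width
            x1 = max(x0 + 1, (x + 1) * src_w // width)
            block = [gray[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out


def dhash(pixels, hash_size=HASH_SIZE):
    """Difference hash: shrink to (hash_size+1) x hash_size grayscale, then emit one bit per
    horizontal neighbour pair: 1 if the right pixel is brighter than the left, else 0."""
    small = downscale(to_grayscale(pixels), hash_size + 1, hash_size)
    bits = 0
    for row in small:
        for x in range(hash_size):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return f"{bits:0{hash_size * hash_size // 4}x}"


def hamming(h1, h2):
    """Number of differing bits between two hex dHash strings."""
    return bin(int(h1, 16) ^ int(h2, 16)).count("1")


def sha256_of_icon(pixels):
    """Cryptographic hash of the raw pixel bytes, for contrast: any changed pixel changes it."""
    raw = bytes(c for row in pixels for px in row for c in px)
    return hashlib.sha256(raw).hexdigest()


def make_icon(size, bg, fg, top_left, side):
    """Constructed sample icon: a solid square on a plain background."""
    return [[fg if top_left <= x < top_left + side and top_left <= y < top_left + side else bg
             for x in range(size)] for y in range(size)]


# Constructed sample icons (not real application icons)
ORIGINAL = make_icon(32, (220, 220, 220), (30, 60, 160), 8, 16)
TWEAKED = make_icon(32, (230, 230, 230), (40, 70, 170), 9, 16)   # brighter, recoloured, shifted 1px
UNRELATED = [[(x * 8, x * 8, x * 8) for x in range(32)] for _ in range(32)]  # horizontal gradient


def lookalike_matches(candidate, known_hashes, threshold=MATCH_THRESHOLD):
    """Return the known benign-icon hashes within `threshold` bits of the candidate's dHash.
    This is the lookup a generic 'uses a known benign icon' signature performs."""
    h = dhash(candidate)
    return [k for k in known_hashes if hamming(h, k) <= threshold]


if __name__ == "__main__":
    known = [dhash(ORIGINAL)]
    for name, icon in (("original", ORIGINAL), ("tweaked", TWEAKED), ("unrelated", UNRELATED)):
        print(f"{name:9s} dhash={dhash(icon)} distance={hamming(dhash(icon), known[0]):2d} "
              f"sha256={sha256_of_icon(icon)[:16]}... match={bool(lookalike_matches(icon, known))}")
```

The threshold is the tunable part: too low and legitimately re-encoded or resized copies of an icon slip through, too high and unrelated icons with similar coarse structure start to collide, so it is worth measuring the distance distribution on real benign/malicious pairs before settling on a value.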
Finally, we calculated the unique dHashes of the set of benign icons we found in malicious apps:
We wrote a Joe Sandbox behaviour signature to detect those icons generically:
The full analysis report is available at: