Simulators are custom samples introduced into the testing process to put the sophistication of the detection routines to the test. Our simulators were created to simulate the attack model of a 'malicious third-party app store providing backdoored applications' scenario, in which counterfeit versions of legitimate applications are provided to the victims (pirated application versions can often be downloaded free of charge). The counterfeit versions are backdoored versions of popular applications which, while retaining the functionality of the original application, also include malicious modules.
The samples were created with a proof-of-concept engine that uses static smali bytecode injection, with no effort made to obscure the malicious actions of the injected modules. Many of the simulator samples have been modified to implement Accessibility features, which is a common trait of several malware families. For testing, we used 5 custom-created samples. It is important to stress that these samples have not been collected or observed in the wild.
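A defender-side check for the repackaging scenario described above, added here as an illustration and not part of the test's own tooling: it diffs the decoded `AndroidManifest.xml` of a known-good build against a candidate build and reports added permissions, components and accessibility services. Both manifests are constructed samples, and the package and class names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
XMLNS = 'xmlns:android="http://schemas.android.com/apk/res/android"'

# Constructed samples: decoded (text) manifests of a hypothetical app.
ORIGINAL = f"""<manifest {XMLNS} package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name="com.example.notes.MainActivity"/>
    <service android:name="com.example.notes.SyncService"/>
  </application>
</manifest>"""

REPACKAGED = f"""<manifest {XMLNS} package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <activity android:name="com.example.notes.MainActivity"/>
    <service android:name="com.example.notes.SyncService"/>
    <service android:name="com.example.notes.helper.A11yService"
             android:permission="{A11Y_BIND}"/>
  </application>
</manifest>"""

def summarize(manifest_xml):
    """Return (permissions, components, accessibility services) of a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name", "") for e in root.iter("uses-permission")}
    components, a11y = set(), set()
    for tag in ("activity", "service", "receiver", "provider"):
        for e in root.iter(tag):
            name = e.get(ANDROID + "name", "")
            components.add((tag, name))
            # Accessibility services must be guarded by this bind permission.
            if tag == "service" and e.get(ANDROID + "permission") == A11Y_BIND:
                a11y.add(name)
    return perms, components, a11y

def diff_manifests(original_xml, candidate_xml):
    """Report what the candidate declares that the known-good build does not."""
    o_perms, o_comp, o_a11y = summarize(original_xml)
    c_perms, c_comp, c_a11y = summarize(candidate_xml)
    return {
        "added_permissions": sorted(c_perms - o_perms),
        "added_components": sorted(c_comp - o_comp),
        "added_accessibility_services": sorted(c_a11y - o_a11y),
    }

if __name__ == "__main__":
    print(diff_manifests(ORIGINAL, REPACKAGED))
```

A non-empty diff is a triage signal rather than a verdict, since legitimate updates also add components; comparing the signing certificate against the publisher's known certificate is the stronger check for a repackaged build.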