OWASP Italy Online Meeting - May 2026 - 4:00 – 6:00pm
Time zone: Europe/Rome
Video call link: TBD
Speakers
Vikramaditya Narayan
Talk: OWASP Procology, a brand new project on Threat Modeling
Synopsis: TBD
Silvia Sanna
Talk: Uncovering Android Stegomalware: Information Hiding, Repackaging, and Detection Challenges
BIO: Silvia Lucia Sanna is a Post-Doc at the University of Cagliari. She received her Ph.D. in AI for Security and Cybersecurity in 2026 from Sapienza Roma. Her research focuses on AI-driven threat detection on Android through digital forensics features. As a digital forensics consultant, she investigates new frontiers in digital forensics, focusing on mobile, memory, gen-AI data, and integrating AI in digital forensics and anti-forensics.
ABSTRACT: Android malware represents an evolving threat within the modern cybersecurity landscape due to the increasing importance of mobile systems in everyday life. Obfuscation and source code manipulations are systematically employed to bypass security measures and improve the effectiveness of attacks, especially to prevent detection or endanger the privacy of users. However, they represent only a portion of the evasive techniques that can be employed to make malicious software stealthier. In this talk, I present two complementary studies on Android malware endowed with information hiding capabilities. First, I showcase a prime assessment of the joint use of steganography and repackaging techniques to hide information within Android APK resources. Specifically, we assessed the capabilities of real-world antivirus engines aggregated by VirusTotal to identify payloads cloaked within audio and images of 20 popular Android applications. Our investigation demonstrated that repackaging steganographically modified assets is not always possible. Moreover, our results revealed that common antivirus engines are not able to reliably identify applications containing hidden data, thus highlighting the need for new Indicators of Compromise. Starting from these findings, the second part of the talk focuses on the loading stage required for the extraction and use of cloaked information. While emerging works on “stegomalware” primarily focus on the multimedia part of the attack chain, i.e., on how to detect hidden data in images or videos, this work aims at understanding whether the loader itself can generate detection signatures. To this aim, we develop a proof-of-concept implementation, which has been repacked within a real Android application and tested against several malware detection engines provided by VirusTotal. To anticipate possible offensive campaigns, we also performed tests by considering threat actors able to obfuscate the bytecode of the loader or the entire APK. 
Overall, the results indicate that standard tools are not ready to face stegomalware targeting Android applications. Therefore, the talk provides indications on how to improve detection, forensic analysis, and attribution phases for Android malware endowed with information hiding capabilities.