Abstract

Friday 26 September 09:30 - 10:00, Green room.

Martin Smarda, AVAST Software
Pavel Sramek, AVAST Software

The concept of an application icon is common to all of today's consumer-oriented computing platforms, desktop and mobile alike. Icons are being abused by malware authors attempting to take advantage of the simplest infection vector possible: impersonating something else and convincing the user to execute a malicious program. The fraudulent icons may be resized, they may have a few pixels changed on purpose, and there are usually multiple historical versions of any given icon - which makes icons problematic as a heuristic indicator. We have developed a method that overcomes this problem by using overall visual similarity to identify potential malware. Applying an algorithm based on frequency transformation to the icons, our tool is able to place those with common traits close together. This is performed on a large scale with popular icons and a stream of fresh samples, and allows us to separate suspicious ones from the rest. The result is a powerful heuristic tool for uncovering big social engineering campaigns as well as offbeat samples that would likely otherwise be missed. And thanks to the icon concept being so ubiquitous, the process can be applied to Windows malware, which usually mimics documents, as well as to the rising Android threats and their tendency to repackage popular applications with malicious code added.
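One way to realise the frequency-transform comparison described in the abstract is a DCT-based perceptual hash. The code below is an added example, not the authors' tool, and the abstract does not say which transform or distance measure they use. The function names, the 10-bit threshold and the three rectangle "icons" are constructed for illustration.

```python
import math
import statistics

def shrink(img, n=32):
    """Box-average a square grayscale icon (list of rows) down to n x n.
    Assumes the side length is a multiple of n."""
    s = len(img) // n
    return [[sum(img[y*s + j][x*s + i] for j in range(s) for i in range(s)) / (s * s)
             for x in range(n)] for y in range(n)]

def dct_low(img, k=8):
    """Lowest k x k coefficients of the unnormalised 2-D DCT-II (rows, then columns)."""
    n = len(img)
    basis = [[math.cos(math.pi * (2*x + 1) * u / (2*n)) for x in range(n)] for u in range(k)]
    rows = [[sum(p * c for p, c in zip(row, basis[u])) for u in range(k)] for row in img]
    return [sum(rows[y][u] * basis[v][y] for y in range(n)) for v in range(k) for u in range(k)]

def icon_hash(img):
    """64-bit fingerprint: one bit per low-frequency coefficient, set if above the median."""
    coeffs = dct_low(shrink(img))
    med = statistics.median(coeffs)
    return sum(1 << i for i, c in enumerate(coeffs) if c > med)

def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")

MAX_BITS = 10  # assumed triage threshold; tune on real data

def looks_like(sample, reference):
    return hamming(icon_hash(sample), icon_hash(reference)) <= MAX_BITS

def rect_icon(size, x0, x1, y0, y1, bg=40, fg=230):
    """Constructed test artwork: one bright rectangle on a dark background."""
    return [[fg if x0 <= x < x1 and y0 <= y < y1 else bg for x in range(size)]
            for y in range(size)]

KNOWN = rect_icon(32, 4, 18, 12, 31)   # stand-in for a popular icon
FAKE = rect_icon(64, 8, 36, 24, 62)    # same artwork at twice the resolution...
for x, y in ((10, 30), (20, 50), (33, 26)):
    FAKE[y][x] = 150                   # ...with three pixels altered
OTHER = rect_icon(32, 7, 31, 8, 14)    # unrelated artwork

if __name__ == "__main__":
    for name, icon in (("FAKE", FAKE), ("OTHER", OTHER)):
        d = hamming(icon_hash(icon), icon_hash(KNOWN))
        print(f"{name}: {d} bits from KNOWN, lookalike={looks_like(icon, KNOWN)}")
```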
