Is Google Acknowledging Android Is Not Secure? Hmm…

verify_apps01

Android has been in the news a lot recently, many times not for the reason’s Google would like, but malware has boomed on Android since 2010 and doesn’t seem to be letting up anytime soon.

With all the malware out there, you can still stay safe, Google has heard the same buzz you have and have made changes to its operating system to help protect you.

But, Google is taking the necessary steps to keep their users safe and making security improvements on Android to help to keep malware off your phone and tablet.

The Threats

Android has been heavily targeted by malware authors for a number of reasons: openness, popularity, side-loading and the Google Play’s vetting process.

This has left it open to a number of attack vectors malware authors can target.

Most malware for Android is financially driven and uses various social engineering tactics. The most widely seen malware has been the premium-SMS Trojan, malware of this type attempt to send SMS messages to short code numbers that have a fee associated with them.

These types of SMS numbers are not new and in the past have been used for legitimate reasons such as television charity concerts, where a SMS number is provided so we can send a donation. The donation amount will be billed to your phone carrier.

Botnets, spyware and infostealers are a few other malware on Android.

Bot’s can come with multiple types of functionality generally click-fraud and data stealing.

Spyware and infostealers are pretty self-explanatory.

Some pretty interesting stuff bad guys can do; we’ll spend more time on the malware in future blogs.

Android

I’ll cover a bit of the Android OS and how it’s appealing to a lot of users, novice and techies alike, although these same things make it a target for malware authors.

Android offers an openness that hadn’t been seen for a smartphone, offering the ability to install apps from third-party resources and customization in many different ways — very appealing.

You can customize the OS and install any app for Android you’d like—very similar to how we enjoy customizing our PC’s.

Side-loading is a term given to being able to install apps from third party markets or via your browser — on the side. Sounds shady but perfectly acceptable on Android.

This really offers users many more options to find apps for their device.

For developers, it’s a simple process to add their app to the Google Play Store, there isn’t much vetting of the app and, with millions of Android device activated daily, there is a huge opportunity for profit.

For the techie, the openness allows for increased customization through third-party apps, rooting capabilities (bypassing security model), and custom ROMs allowing them to tweak the device how they like.

Google is open to these ideas and doesn’t have the closed off approach like Apple’s iOS.

Google

Google hasn’t come out and explicitly agreed there is a malware issue on its platform, but design improvements and acquisitions may show they are aware and aren’t standing idle counting sales of Android devices. Let’s have a look:

Bouncer

Google’s Bouncer service was introduced in February 2012 and was designed to analyze incoming apps uploaded to the Play Store by developers.

The idea behind this is to analyze apps for malicious behaviors prior to apps being published for public consumption.

It’s believed what occurs is the app is run in an emulated environment for dynamic analysis and behaviors are monitored.

I also suspect they do some static analysis and check against existing malware, especially those found in the Play Store.

This is a nice first step by Google, but like most things, holes have been found in it, and how much is it being maintained, as malware is still being discovered in the Play Store?

Verify Apps

With the update to the Jelly Bean operating system (v4.2) Android came with the “Verify Apps” feature, which is designed to check apps installed from a third party, meaning not from the Play Store.

If you install an app on Google’s bad list you’ll be presented with a warning dialog or one indicating its maliciousness and will deny installation.

You can opt out of this service if you like in Settings -> Security -> Verify Apps.

How Google identifies apps as malicious is not certain at this time.

Recent tests by independent researchers have shown this feature as not being too effective. Its likely most apps that have been pulled from the Play Store for maliciousness, like the DroidDream apps, will present this dialog.

verify_apps04

VirusTotal

In September 2012, Google announced its acquisition of VirusTotal, a very popular online antivirus service. This service allows people to upload files of many types to be checked by over 40 antivirus vendors and get almost instant results.

Having access to this technology could allow Google to check apps as they are installed increasing the efficacy of “Verify Apps.”

I expect to see some VirusTotal integration with Android in the future.

Premium SMS Confirmation

android_premium_sms

As I mentioned earlier, the largest type of malware being seen on Android are premium-SMS Trojans.

There have been some discovered in the Play Store but most are found in alternative markets primarily targeting Russian speakers.

Also with Jelly Bean OS, there is now a feature that will inform you of when a SMS is being sent to a short code or premium rate number.

When a text is being sent to one of these numbers, a dialog will be presented to ask if you’d like to send this message.

Adware Policy and Permissions

There are some other changes that show Google’s attempts to help protect its customers.

It’s made changes to its Ad Policy so it’s difficult for developers to bundle aggressive advertising SDK’s in their apps.

These types of advertising displays ads in the notification bar, install shortcuts to the home screen and add bookmarks. Really annoying stuff.

Now developers need to inform the user that this stuff is bundled and give the user an option to opt out.

Also, Google continues to improve the permission descriptions to help make it easier for us to understand the functionality being requested.

With that, when an existing app updates, Android will point out any new permissions this app is requesting, the user can then decide if you want to update.

This is something to be aware of as more Android malware has been discovered with a two phase approach: install with minimal permissions and then update with new or activated functionality.

android_permssions_upate

Remote Uninstall

The remote uninstall feature has been one of a bit of controversy as it falls under the “big brother” category.

It allows Google to pull the plug on some apps it feels are malicious and remotely uninstall them from your device.

This functionality has been used a few times, at least where it’s been publicly mentioned with the most notable being the DroidDream malicious apps in 2011.

Although malware is very active on Android, Google has been taking steps to keep it popular operating system open and secure.

Unfortunately, there are still many devices in the ecosystem running outdated versions Android and are still vulnerable. And the only way for those users to get some of the newer updates is to get a newer device.

The good news is many people are upgrading their device with nearly 60 percent of users running a 4.x version–a lot quicker adoption rate than previous versions.

There are still things Google can do to improve the ecosystem but if you are heads up and security aware you can be malware free.

We at Malwarebytes believe there is a lot more malware to be discovered out there for PC and mobile devices alike, and we will continue the hunt and keep you informed.

ABOUT THE AUTHOR

Armando Orozco

Senior Malware Intelligence Analyst

Faux geek who likes to keep it bland. Experienced in behavioral, PC, and mobile technologies.