Tag Archives: android security

a way to slowly sunset the open source competition #android

One has to wonder about the future and the motivation for the open source Android anymore. Some conspiracy-theory-inclined folks have speculated that the master plan all along has been to attract people to the open-source Android, then slowly get the thought leaders/developers hooked on Google Play Services with proprietary lock-in i mean value add. Surprisingly, leaving gaping holes in what seems to be a poorly maintained open-source alternative codebase fits right into such hypothetical plan:

Currently, there is not much that users can do to avoid this problem. They can opt to use [mobile] browsers that are not affected by this vulnerability, such as Chrome or Firefox.

…and then just let FUD as well as real security fiascos put the open-source alternative to rest. Of course, personally I’m not into conspiracy theories, but it would be upsetting if the events took a turn in that direction. As a user, I chose Android because it’s very hackable in a good sense, and because it’s open. It would be really sad to see any of that change.

An #Android SMS Trojan that’s apparently not #malware

So I’m looking at this ad network, and I notice that some of its ads lead up to an Android binary download. Shady, right? Just the fact that there is an ad leading to a sideloaded APK is already pretty disturbing. I look around, find a whole family of those apps. For each app, at least half of all Virustotal vendors mark it as an SMS trojan, and so does Lookout.

So we contact well-meaning people who might be interested in hearing about those apps. They tell us it’s a false positive. I go back saying there is no way this could be a false positive, these apps send paid SMS messages and are recognized by top vendors as an SMS trojan. They argue back and still claim it’s an FP. So I run one of the apps in a sandbox, it’s basically a bunch of porn, but the first thing that shows up is a warning saying if the user continues with this app, it will charge X dollars via paid SMS for each video viewed. So I guess if they warn the user upfront about this, then they are legit?

So it seems, in this particular industry, it’s one way to bill the users. So going back to the
definition of mobile malware, how on Earth were the AV scanners supposed to read that initial warning to the user? By all characteristics available to machines, this app looked and acted exactly like an SMS trojan. That’s more bad news for mobile antivirus: since a large part of apps’ functionality is hidden on the server side, unavailable for signature matching, you end up over-analyzing whatever is left accessible to you on the device and detection starts to fall apart.

So what is mobile #malware exactly?

Sifting through endless Virustotal scans, you realize that it’s not easy at all to define what exactly mobile malware is. Literally 90% of antivirus-reported malware APKs are nothing but trivial or repackaged apps with some annoying adware library slapped on top of it that doesn’t even do anything really bad. Why exactly is mobile malware so elusive and not as clear-cut as the good old desktop viruses? A couple of things come to mind:

  • The juicy parts often stay remote: unlike the classic desktop viruses and rootkits, a lot of mobile functionality remains on the server. So an app collects your banking password and sends it to server, that’s bad, right? Not if it’s a Bank of America server. What if it’s an Akamai or an EC2 server? What if it’s a Mint finance app server? This gets blurry really fast. Same with location apps – when an app constantly sends your location to a server, it’s cool if it’s your own account, and it’s suddenly not cool at all when someone else has access to that information on the server. Hard to automatically tell that just by looking at the mobile app tip of that iceberg. That’s why AV vendors came up with a euphemistic label “surveillanceware”, which means, “I have no idea if this app is bad or not, you have to look at it in your own context”.
  • No need to get sophisticated: most of what’s labeled as mobile malware are small-time scams. In the mobile world, there is no such thing as a multi-million dollar botnet industry commercially used for:
    • running spam
    • staging DOS attacks
    • collecting and laundering information

    I guess mobile can be useful only for the last point right now, we’ve yet to see the first two on mobile. So no need to build autonomous sophisticated botnet clients that pack tons of revealing functionality and patterns with them. Consequently, a lot of mobile scams look rather plain and not very different from regular apps.

  • No silent infections: it’s pointless to do port scanning and hard to use drive-by browser exploits on mobile. Combined with no incentive to make things complicated, the main vectors to get into someone’s phone are social engineering and brand abuse. Both of those are difficult to detect automatically, leaving a huge gray zone. Even the SMS scams: lots of legitimate apps have “share via SMS” functionality, good luck telling that from malware propagating itself via SMS, or sending messages to paid numbers that only become plaintext right before the message is sent.

So this leaves the traditional antivirus vendors especially helpless on mobile, best they can do so far is to report noisy adware or a few true malicious outliers that get outside the gray zone.

Brand-stealing apps

With Google Play tightening the security side with Virustotal and Bouncer (when the latter doesn’t crash, that is), you don’t see as much outright malware in that store anymore. However, one type of scammy apps that I still run into every week or so on Play are the ones that wrap some popular service, trying to get a cent or two from Admob.

Basically, it takes about 15 minutes to wrap any popular bank’s or web service’s mobile version in a WebView, stuff it with official-looking keywords, logos and descriptions, and publish on Play. Google can’t really do anything about it short of manual review of every single app. So anyone in the world (including some really not-so-well-off countries) who can write “hello world” for Android and subscribe to Admob, can then whip up a fully functional wrapper of a bank’s website, publish it in the US on Play, get a few hundred downloads from searches, and start collecting the Admob revenue.
For an extra bonus, they can also resell their install base to the real bad guys who can push a small update to the app and start stealing the actual credentials of the bank’s users. I don’t see an easy solution to this except the brands monitoring popular stores, and also trying to limit access to their services via WebView-like clients to at least raise the bar a bit for scammy developers. Because right now publishing a legit-looking service clone is ridiculously easy.

Android “antivirus” scam – still on Yahoo ad-running sites #malware

This year-old scam has resurfaced very prominently, and I’ve run into it on various websites that show Yahoo ads, indicating pretty massive malicious advertisement volume. A browser pop-up says the following:

Virus Affecting your Android? Turn on Virus Scanner NOW!

If you click “OK”, you can be taken to a variety of destinations, including:

  • a spammy but legit-looking dating app on Google Play with 50mil(!) downloads – I’d imagine malicious ads are partly responsible for that number, maybe via an affiliate?
  • a selection of some shady dating/porn sites
  • and best of all, a step-by-step guide for you to enable app install from unknown sources on your phone, and download a modified version of “Android Armour” APK binary with God knows what added functionality:


Very impressive, considering these friendly folks are basically talking people into opening up their phones to every other kind of evil garbage that comes up next.

I ran into this a bunch of times over the last few weeks, as recently as this weekend on Tumblr. I know Yahoo is trying to squash these as fast as humanly possible, but until then, beware. And again, in US, it’s a good idea to never install anything on Android from anywhere other than Play.

Malware writers take AppsGeyser for a ride #android #malware

So there is this cheesy-looking but nevertheless apparently semi-legit quick app building toolkit called AppsGeyser. By an outfit with a spammy name of BestToolbars, hailing from Virginia. Or Novosibirsk, depends on how you look at it.

Anyway, it’s gained some prominence with tens of thousands of apps out there bundling their library. The problem is, from what I see, every third app that is based on AppsGeyser is blacklisted. It’s gotten so bad that some AV companies seem to blacklist apps just for their use of that library. So the question is, is AppsGeyser in on all that malware action, or is it simply preferred by hackers?

How mobile viruses and scams spread around

So apps are secure, because everyone gets them from the store, right? Um, no. That’s kind of the case for Apple’s platform, where you have to go out of your way to find malware, but with the Android shipments outnumbering iOS device shipments 6 to 1, the real fun for bad guys and researchers happens in the Androidland.

  • Third-party stores – you’d be surprised to find out that besides Play there are 500 app stores out there, of varying degrees of shadiness and security practices
  • “Review” forums and blogs – e.g., even a legit-looking site Androidpolice.com, who really should know better, instead of getting people into habit of only using Play, encourages them to directly download APKs from a weird-looking Androidfilehost.com “mirror”
  • Sending download links via SMS spam
  • Email spam – “email from dad” that passed all Gmail filters and let me download a malicious app binary on the phone
  • Twitter – as a bad guy, you get some followers, then start spraying links like download skype for mobile, and you got yourself a nice little install base for your scammy app
  • Ads on web and mobile, links on websites that redirect you to an app binary download
  • More bizarre ways like infecting via Bluetooth apparently

Just by watching and scraping some of these you can build yourself a sizable library of some pretty nasty stuff. Just watching the Twitter feed for some of those scams is pretty fascinating.

Making automatic calls from Android

Screen Shot 2013-10-24 at 11.52.01 PMSo apparently Android lets your app make outbound phone calls in multiple ways (as always), the most basic ones are either via activity with android.intent.action.CALL intent, which pulls up the dialer and fires off a phone call, or via ITelephony.call() library call. Both normally require android.permission.CALL_PHONE, unless you figure out a way to dodge the permission checks, but the former is harder to detect. While you can simply grep for the ITelephony case, the other one – action called with an intent – requires some control flow tracing, which gets messy fast. Of course, both can be obfuscated, but that is a different can of worms for another day.

Bottom line – every piece of information extracted from an Android APK carries some value – intents, activities, library calls, anything – because only the careful juxtaposition of all these types of facts lets us judge one way or another about an app.

fun new Android security tools and stats #VB2013

This is a great mix of research because it’s not just academic but a good half is coming from people who make a living off of helping their customers fight off malware:

Google and Apple markets: are their applications really secure?!

This one looks like yet another combing of the stores, mostly for privacy?

By analysing over 120,000 applications from the Google market and over 160,000 from the Apple market, we discovered a lot of security issues that can be found on an everyday app. Many popular applications from these markets hide a lot of security breaches, from sending data over an unsecured connection (such as user accounts or passwords) to GPS tracking or uploading highly sensitive data like contact lists or phone numbers. This behaviour may be intended or may result from the use of a third-party advertising framework employed by the author in order to increase the revenue of the application. This paper draws attention to the security flaws of applications in both the Android and Apple markets by providing statistics and well documented examples, as well as the methods used to extract this information.

Analysis of Android in-app advertisement kits

In this paper, we focus on the security risks and inefficiencies posed by ad-kits. And more particularly those embedded into malware. To this end, we study the Android platform, and 90,000 malware samples. We identify 10 representative ad-kits. We further develop a system called Droidlysis to examine potential risks, ranging from uploading sensitive information to remote servers, to downloading and executing untrusted code. We analyse ad traffic and identify sensitive data transmitted over the air.

Our results show that most ad-kits not only collect private information, but probe for data and permissions beyond the ones listed in their documentation. We discover how users can be tracked by an ad provider across applications, and by a network sniffer across ad providers. Finally, we discuss the financial implications for developers and ad providers.

The Droid Knight: a silent guardian for the Android kernel, hunting for rogue smartphone malware applications

Some very intense claims! Wonder if it works:

real-time malware detection framework for the Android platform that performs dynamic analysis of smartphone applications and detects the malicious activities through in-execution monitoring of process control blocks (PCB) in the Android kernel. We employ a novel scheme to mine the hidden execution patterns – from time-series PCB logs of Android applications – by using information theoretic measures, frequency component analysis and statistical analysis techniques. With the help of this novel scheme, this framework sits in the Android kernel as a loadable kernel module and is able to detect real-world malware applications for Android with very few false alarms. We have validated the framework using real-world Android malware (from well-known malware repositories) and popular benign applications taken from Google’s official app store for Android (i.e. Google Play Store). By carefully designing a series of experiments, we evaluate the detection and runtime performance of our framework. Our framework is able to detect zero-day (previously unseen) malicious applications with over 98% accuracy, while keeping the false positive rate below 1%. It has a runtime processing overhead below 4% on a low-end smartphone.

‘I am not the D’r.0,1d you are looking for’: an analysis of Android malware obfuscation

legitimate obfuscation tool ProGuard from android.com currently obscures class and method names in Android apps.

Nevertheless, it is code obfuscation which would complicate the detection strategy for Android malware, especially given memory footprint limitations. Code obfuscation in malicious apps or PUAs is not only possible, it is inevitable, GooglePlay restrictions notwithstanding. The Dalvik executable (.dex) byte-code instruction set supports registers, arithmetic operators, and even nops, thus providing scope for the insertion of junk polymorphic instructions and metamorphism.

This paper analyses the methods of obfuscation currently used by Android malware authors, and presents examples of .dex byte-code and data obfuscation techniques which are likely to be abused in the future.

GinMaster : a case study in Android malware

Android – practical security from the ground up
Some more info about this one here

The Android Security Team will discuss its approach for securing the Android platform against malware. … We will also give our view into the security of the Android ecosystem, based in part on worldwide data from our Verify Apps tool.


Treasure trove of malware on Twitter

A month after Lookout’s report on SMS malware industry, these scams are alive and well on Twitter. A casual 10-minute search produces at least a dozen of shady stores and many fake, unauthorized or re-packaged APKs. The malware assembly website mentioned in that report, complete with templates of fake Skype and Google Play apps and their “conversion rates”, is still up and running. For the time being, queries like these a still great source of malware to study. And will probably remain so, since Twitter is a huge distribution opportunity – unlike the search engines, tweets are quickly indexed, harder to ban, and the scammers desperately need clicks and distribution, so this stream of garbage will not dry up anytime soon.