Android security apps playing catch-up to malcode

There are numerous reviews of Android security apps. But Michael Kassner does not remember any mention of actual testing. Why is that?

It's been my good fortune to have TechRepublic writer and software engineer William Francis collaborate with me on several articles about Android security -- our latest, "Does Android's permission system really work?"

I mention this for a reason. In the comment section of each article, more than a few members questioned whether the malware-scanning portion of their Android security app was actually working -- not one example of any captured malcode.

That did not sit well. Security pundits -- I include myself -- have been stressing the need for security apps on all Internet-capable devices, including smartphones. I surely do not want to be yelling fire when there is none.

After a bit of head-scratching, I came up with several hypotheses:

  • There is no malware.
  • The bad guys aren't up to speed yet.
  • Phone technology is good enough without security apps.
  • Security apps are not catching malware.

It was easy to resolve the first two:

What about the last two? I decided to test my hypotheses, just like the pros. To that end, I dug out my university book on testing methodology. For a split second, I wondered about it being written in 1970. Nah, it couldn't have changed that much.

After some page-flipping, it all came back -- including how complicated accurate testing really is. Do not fear, I have a plan.

The plan

I called William -- damn good plan if you ask me. I explained my foray into "testing methodology" and why I needed his help. His comment stopped me cold. "I'd love to run your tests Michael, just as soon as you get me the Android malcode."

For some weird reason, I immediately envisioned myself as this cloak and dagger spy whose mission was to purloin contraband from the "digital underworld". Rudely, William interrupted my moment with, "Well?"

"I'll figure something out."

Thinking more clearly the next day, I decided to leave my James Bond kit in the closet, where it was safe. An even smarter decision was to contact Adrienne Porter Felt, an extremely talented Ph.D. candidate at Berkeley. She understands everything Android. In fact, Adrienne has helped William and me on past articles.

I called Adrienne. She said no problem -- but... Knowing where this was going, I interrupted: "Don't worry, William will be handling the malware. And, I will let you know what we find." I swear I heard a sigh of relief.

That problem solved, I was ready to test. Or, so I thought.

Android's many faces

I quickly learned how many different Android platform versions and different Android phones exist today. That raises the question: Which phones and, more importantly, which versions of Android do we test? I went back to my book on testing methodology for the answer. Do not fear, I have another plan.

I called William. After a few minutes I hinted at my shrewd proposition by asking "What phones do you normally test with?"

"I have two, an HTC Hero running Android 2.1 and a Nexus One running Android 2.3.4."

I suggested, "Let's use those two."

William saw where I was going and agreed. We know it's not what NIST would do, but that's not what we're about. On a good note, William explained why it's a good choice -- in particular, the Nexus One:

"The Nexus One is a 'developer' device created by HTC in partnership with Google. It's unlocked and carrier-independent. One of several devices created with developers in mind. It's immune to OS fragmentation, mfg/carrier-added bloatware, and on a short list of devices that app developers should use to create a test baseline. All said and done, the Nexus One is as generic as an Android phone can get, making it the ideal choice when it comes to any sort of testing."

I knew that.

First test

William and I decided to answer my third conjecture as to whether "phone technology is good enough without security apps" first.

I'd like to introduce you to Android.DogoWar:

"A trojan horse on the Android platform that sends SMS texts to all contacts on the device. It is a repackaged version of a game application called Dog Wars, which can be downloaded from a third-party market and must be manually installed."

William thought this would be a good choice because it is a fairly new piece of malcode -- discovered August 15, 2011 -- and one that is least likely to permanently damage his phones.

William set about his task. All I could do was wait. Finally, William emailed me:

"I installed the infected software and shortly thereafter the Rabies service (malware package) began wreaking havoc on my phones."

Scratch my third hypothesis -- the technology is vulnerable. Now onto the last hypothesis, "Security apps are not catching malware."

Which security apps?

William and I went back and forth about which security apps to test. And, to be honest, I'm still not sure why we picked the ones we did, but here they are along with their respective sales pitches.

AVG Antivirus for Smartphones & Tablets: Detects harmful SMS and apps automatically. Anti-Virus Free is a security suite which protects your phone from viruses, malware, and exploits in real-time.

Lookout Mobile Security: Protect your phone with award-winning security & antivirus from Lookout. Get Lookout for free. Antivirus, Phone Locator, Data Backup and more.

McAfee Mobile Security: A powerful combination of McAfee VirusScan Mobile, McAfee WaveSecure, and McAfee SiteAdvisor for Android. The solution protects your mobile device if it's lost or stolen, backs up and restores your personal data, safeguards against mobile viruses and spyware, and lets you safely surf the mobile web.

Norton Mobile Security Lite: Protects your mobile device against loss, theft and malware. Norton lends its anti-malware, anti-virus, and security expertise to mobile. Your life and your important stuff are on your phone. Keep it safe with Norton Mobile Security Lite for Android.

Trend Micro Mobile Security-Personal Edition: The best protection for your digital mobile life. It protects your Android device from loss, malicious apps, and web threats.

All our chosen security apps had paid versions. We tested the free versions (AVG, Lookout, and Norton) and trial versions (McAfee and Trend Micro).

William's magic

William devised several tests, starting with the malcode DogoWar -- mentioned earlier. Each test was run twice on both phones. Also, only one security app was installed on each phone at any given time. We learned early on that having multiple installed apps produced inaccurate test results.

What you see below is the description of each test, followed by a graph of how each of the security apps fared.

DogoWar: When the phone is rebooted, a malicious service named com.dogbite.Doghouse is started, which starts the service com.dogbite.Rabies. This service determines all contacts that have a phone number and sends them an SMS. Then, the malcode sends a hard-coded SMS to 73822, enrolling the victim in free SMS service from People for the Ethical Treatment of Animals.

Harmless app (DogoWar package name): It is a harmless app that displays the words "Hello world!" on the phone display. The only thing in common with DogoWar is the name. When an AV flags it as infected, it should be considered a false positive.

App (Infected with Rabies): A trojan created by adding the service (com.dogbite.Rabies) to the "Hello world!" program -- essentially attaching a known harmful service to an unknown legitimate application.

To catch this, security apps will have to pick out the rogue service hidden in the legitimate code. Current computer anti-virus software attempts this using heuristics. Smartphone security apps might detect this, but limited onboard resources make it doubtful.

Kept my promise

I sent Adrienne, our Android mentor, the above test results and she offered the following comment:

"It's possible that they (security apps) are not looking for the re-packaging of DogoWar because DogoWar is only known to have been distributed with one application; maybe they use more sophisticated techniques for malware that is known to have trojanized a large set of apps."

That was enough of a hint for William. He set up the next batch of tests using malcode called DroidDeluxe.

DroidDeluxe: A root exploit for Android-based phones. DroidDeluxe silently roots the phone to gain access to user credentials.

Harmless app (DroidDeluxe package name): This test is the exact opposite of DroidDeluxe (Repackaged). It is a harmless app that displays the words "Hello world!" on the phone display. The only thing in common with DroidDeluxe is the name. When an AV flags it as infected, it should be considered a false positive.

DroidDeluxe (Repackaged): A disassembler is used to alter the internal package name -- no code was changed. If the security app looks at anything other than the package name, it should know immediately that this is the DroidDeluxe virus.
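Both test matrices above (the DogoWar set and the DroidDeluxe set) come down to what a scanner keys on: the package name in the manifest, a hash of the whole APK, or fingerprints of the code inside it, with a permission-based heuristic as the "behaviour" alternative mentioned earlier. The Python below is an added example written for this page, not code from the article or from any of the vendors tested. It models each strategy over constructed stand-ins for the test apps (short strings in place of real Dalvik bytecode; every package name other than the com.dogbite.* component names quoted above is an assumption) and shows which strategy survives a renamed package or an injected service, and which ones flag the harmless namesake or a legitimate app with the same permissions.

```python
# Added example for this article, not code from the article or any vendor.
# Models four ways a scanner can decide an app is malicious and runs them over
# constructed stand-ins for the test apps (strings replace real Dalvik bytecode;
# package names other than com.dogbite.* are assumptions).
import hashlib
from dataclasses import dataclass

READ_CONTACTS = "android.permission.READ_CONTACTS"
SEND_SMS = "android.permission.SEND_SMS"
BOOT_COMPLETED = "android.permission.RECEIVE_BOOT_COMPLETED"
SMS_PERMS = frozenset({READ_CONTACTS, SEND_SMS, BOOT_COMPLETED})


@dataclass(frozen=True)
class Apk:
    package: str            # manifest package name
    permissions: frozenset  # permissions requested in the manifest
    classes: tuple          # ((class name, code bytes), ...): stand-in for classes.dex


# Constructed stand-ins for component code (not real bytecode).
RABIES = b"on boot: for each contact with a number: sendTextMessage(number); sendTextMessage('73822')"
DOGHOUSE = b"on boot: startService(com.dogbite.Rabies)"
DOGWARS = b"Dog Wars game loop"
HELLO = b"TextView('Hello world!')"
DELUXE_ROOT = b"run root exploit; read stored credentials"
SMS_BACKUP = b"on boot: read contacts; SMS a backup to the owner's own number"


def fp(code: bytes) -> str:
    return hashlib.sha256(code).hexdigest()


def apk_hash(apk: Apk) -> str:
    """Whole-file hash: manifest package name plus every class, in a fixed order."""
    h = hashlib.sha256(apk.package.encode())
    for name, code in sorted(apk.classes):
        h.update(name.encode())
        h.update(code)
    return h.hexdigest()


# Samples: the article's test matrix plus one legitimate app with the same permissions.
DOGOWAR = Apk("com.dogbite", SMS_PERMS, (("com.dogbite.DogWars", DOGWARS),
                                         ("com.dogbite.Doghouse", DOGHOUSE),
                                         ("com.dogbite.Rabies", RABIES)))
HARMLESS_NAMESAKE = Apk("com.dogbite", frozenset(), (("com.dogbite.Main", HELLO),))
HELLO_INFECTED = Apk("com.example.hello", SMS_PERMS, (("com.example.hello.Main", HELLO),
                                                       ("com.dogbite.Rabies", RABIES)))
DELUXE = Apk("com.droiddeluxe", frozenset(), (("com.droiddeluxe.Main", DELUXE_ROOT),))
DELUXE_RENAMED = Apk("com.example.renamed", frozenset(), (("com.droiddeluxe.Main", DELUXE_ROOT),))
LEGIT_SMS_BACKUP = Apk("com.example.smsbackup", SMS_PERMS, (("com.example.smsbackup.Main", SMS_BACKUP),))

SAMPLES = {"DogoWar": DOGOWAR, "harmless namesake": HARMLESS_NAMESAKE,
           "Hello world + Rabies": HELLO_INFECTED, "DroidDeluxe": DELUXE,
           "DroidDeluxe repackaged": DELUXE_RENAMED, "legit SMS backup": LEGIT_SMS_BACKUP}
MALICIOUS = {"DogoWar", "Hello world + Rabies", "DroidDeluxe", "DroidDeluxe repackaged"}

# Signature databases a vendor might ship, built from the two original samples only.
KNOWN_PACKAGES = {"com.dogbite": "Android.DogoWar", "com.droiddeluxe": "DroidDeluxe"}
KNOWN_APK_HASHES = {apk_hash(DOGOWAR): "Android.DogoWar", apk_hash(DELUXE): "DroidDeluxe"}
KNOWN_CLASS_CODE = {fp(RABIES): "Android.DogoWar (Rabies service)",
                    fp(DELUXE_ROOT): "DroidDeluxe (root exploit)"}


def by_package(apk):
    return KNOWN_PACKAGES.get(apk.package)


def by_file_hash(apk):
    return KNOWN_APK_HASHES.get(apk_hash(apk))


def by_class_code(apk):
    # Fingerprint each class on its own, so a known service is still recognised
    # after being moved into a different app or after the package is renamed.
    for _, code in apk.classes:
        hit = KNOWN_CLASS_CODE.get(fp(code))
        if hit:
            return hit
    return None


def by_permission_heuristic(apk):
    # Behaviour-style rule: starts at boot, reads contacts, sends SMS. Needs no
    # signature, but any legitimate app with that permission set is flagged too.
    return "suspicious: boot + contacts + SMS" if SMS_PERMS <= apk.permissions else None


SCANNERS = {"package name": by_package, "file hash": by_file_hash,
            "class code": by_class_code, "permission heuristic": by_permission_heuristic}


def run_matrix():
    """Verdict of every scanner on every sample: {sample: {scanner: verdict or None}}."""
    return {s: {n: scan(a) for n, scan in SCANNERS.items()} for s, a in SAMPLES.items()}


def score(scanner_name):
    """(real threats detected, harmless apps flagged) for one scanner."""
    verdicts = run_matrix()
    detected = sum(1 for s in MALICIOUS if verdicts[s][scanner_name])
    false_pos = sum(1 for s in SAMPLES if s not in MALICIOUS and verdicts[s][scanner_name])
    return detected, false_pos


if __name__ == "__main__":
    for s, v in run_matrix().items():
        print(f"{s:24} " + "  ".join(f"{n}={'HIT' if r else '-'}" for n, r in v.items()))
    for n in SCANNERS:
        d, f = score(n)
        print(f"{n}: detected {d} of {len(MALICIOUS)}, false positives {f}")
```

Run stand-alone it prints the matrix. Package-name matching flags the harmless namesake and misses both the injected Rabies service and the renamed DroidDeluxe; a whole-file hash has no false positives but misses the same two; only the per-class fingerprint catches all four with none, which is the behaviour the article's comment thread later attributes to code analysis finding "a chunk of code line for line identical". The permission heuristic catches DogoWar-like apps without any signature but flags the legitimate SMS backup app, which is the trade-off Adrienne describes in her critique. A real scanner on a 2011-era handset would also have to do this within battery and CPU budgets, which is the constraint the article returns to in the comments.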

William's thoughts

Realizing that William has become quite intimate with each of the security apps, I asked him for his take on each:

AVG:
  • The app scan process is slow compared to the others.
  • AVG does not auto-scan the SD card when file systems are mounted.
  • AVG had false positives seemingly based on package name alone.
  • Detected malware only at installation.
  • Failed to detect re-packaged malware.
  • AVG appears to only look for malware package names.

Lookout:
  • Doesn't appear to detect threats until malcode is installed.
  • Really clean user interface.
  • Had some false positives.
  • Did not rely on package-name recognition, as it also caught repackaged malware.

McAfee:
  • Invasive. Requires registration for a 7-day trial, plus SMS verification to your phone and the phone number of one or more friends.
  • No false positives; caught all known viruses plus the repackaged malware.

Norton:
  • Non-intrusive setup, but a little confusing.
  • Only detected one of the four real threats.
  • No false positives.

Trend Micro:
  • Recently completely re-vamped.
  • The new version is much better in terms of user experience.
  • The old version is still floating around in the market and easy to download by mistake.
  • Failed to catch a single threat.

Adrienne's critique

Both William and I were anxious to learn what Adrienne thought of the results:

"Android malware is rare compared to desktop viruses, but it's beginning to appear. Users who download applications from unofficial markets should consider extra security measures, like learning about what permissions mean and installing anti-virus software.

The results of your tests reflect the fact that Android malware detection is a new space, and not all anti-virus companies have caught up to the newest threats.

One challenge, from a technical perspective, is recognizing known malware that's been re-packaged with a legitimate application. We've seen mobile malware in the wild that uses this approach, so it's important to detect.

However, this is difficult because security applications need to avoid false positives; users would be unhappy if their security app flagged non-malicious applications because of a similarity heuristic. I'm aware of ongoing work being done by others in this area, so hopefully we'll see improvements over the next few months."

Final thoughts

First, I want to mention my new-found appreciation for Android security-app developers. Between what Adrienne pointed out and all the variables surrounding Android phones and firmware, I now have an idea what they're up against.

That said, William and I feel an obligation to those who use security apps. That's why we have thrown a marker down where there was none.

Special thanks

This piece would not have been possible without a great deal of help from William and Adrienne, to whom I extend my heartfelt thanks.

34 comments
ESchlangen

The table shows all 5 failing to catch the repackaged Dogowar malware but the summary says that McAfee "caught all known viruses plus the repackaged malware". Am I missing something?

kdpawson

So I see Nokia are coming out with a MeeGo powered device; out of interest, how would this stack up against Android security wise? Due to its current low market share it's probably a safer option, or would Android malware run on it as well? Sorry this is not in line with this article that much, but I can't find much about MeeGo security anywhere. Thanks

andrew.kaczmarek

Anybody have any thoughts/insights on Kaspersky? I use it for my PC and it works pretty well, so I figured checking out their mobile software wouldn't be a bad route either.

sgriffithsnz

And thanks for continuing to poke at this area. Would you consider checking out F-Secure's mobile AV please? It came preloaded on my LG Optimus 2x with a free paid subscription (I still have 261 days left) and I'd like to know how it stacks up, or if I should change to something like Lookout.

Matt Henderson

If none of these security apps detect on manual scans, then adding them after infection would provide no value... How did you test?

BLeeLA

So, does this mean that allowing corporate users access via Exchange 2010 creates additional gateways into your secure system? I would venture to say that IT really likes Research In Motion right now. Does anyone have any knowledge of BlackBerrys getting infected via 3rd party apps and introducing a new vulnerability to a local system? Thanks!

pgit

So... using these apps basically makes you a beta tester? A guinea pig? Are the developers at least gleaning important feedback from their apps doing battle out here 'in the wild?' If so... does the end user know, or have control over what information their security apps might be sending back to the developers?

seanferd

"this is difficult because security applications need to avoid false positives; users would be unhappy if their security app flagged non-malicious applications because of a similarity heuristic."

This happens all the time, and users, as usual, should know that a security app or a utility would be flagged correctly as being able to perform in a manner that could be a security threat if misused in a similar manner to the way malcode operates. "Warning: This program can act as a keylogger." Well, no kidding, I'm installing an application which could necessarily track keystrokes. "This program can track and control network activity." No kidding, it's a firewall, or port checker, or packet sniffer. I'll allow these.

Now, for the apps that seem to be identifying malware by name, they are complete failures from the start regardless of false positive identification. This is known by the high technical term "bad software". Get your money back and advise others not to purchase it.

There should also be an easy method of submitting the falsely flagged application to the vendor for better identification in the future. (OA, for example, was very good about this, at least when Tall Emu was the vendor.) If the malware security apps don't allow for exceptions, then they are junk as well. If they can't tell you what about an app is raising the red flag, they are junk. If the vendor simply hasn't had time to "catch up", they shouldn't be releasing a security app (or whatever), but we all know how

Michael Kassner

Check out the article if you use an Android security app.

Michael Kassner

I checked with William and here is what he said: "McAfee caught a straight repackage of the Dogowar virus, i.e. I took the Dogowar right from the virus vault and simply changed the package identifier (similar to just renaming the file on Windows). However, when the viral service was extracted from the Dogowar program and injected into a previously safe app, McAfee failed to recognize the newly infected app as harmful even though code analysis would find a chunk of code (the viral portion) line for line identical." I hope that helps.

authorwjf

I try to follow this space pretty closely and to my knowledge Nokia has recently severed ties with MeeGo entirely. Intel claims they are still committed to the mobile OS, but it was Nokia, not Intel, actually doing the majority of the development work. So unless Intel picks up the slack or finds a new partner you don't have to worry about MeeGo too much. That said, I really don't know how extensive the MeeGo security model is or if it's even fully fleshed out considering the beta state of the project. I know Nokia has a MeeGo based phone in its line up, but as the following article states it was really more of an experiment. http://news.cnet.com/8301-1035_3-20103854-94/samsung-were-not-buying-meego/

JCitizen

I had problems with Kaspersky when I tested it, but that was years ago. I have a client that did a trial, but it didn't keep the computer from being taken over by remote control. I'm not ready to blame Kaspersky for that - this client has a very complicated issue, in that the individual is being targeted for industrial espionage. The miscreants may have inside access to some of the client's accounts. Probably no AV would help in those cases. My client uninstalled the trial without my advice, and ended up re-installing to use their remove tool. Not sure that was done right either. The end results were an unwanted new partition in the root of the hard drive. This may be something about the attackers that was inadvertently exposed, and was previously hidden. This case is above my head, but the client has no money, so we will just have to wing it. (edited) - Off topic from mobile discussion - sorry!

JCitizen

Kaspersky's is too expensive, and ESET is always rated just as well by independent testers. Of course I could be wrong on the mobile versions; but ESET has always been cheaper, and just as good if not better. I've seen client's PCs hosed by Kaspersky in the near past - not that it isn't probably pretty good now. If Avast had a mobile version, I'd jump on it first - I've NEVER been let down by AVAST.

Michael Kassner

We will add it to our list. Do you have any security on your phone currently?

Michael Kassner

I can not be sure when, but William and I are actively pursuing the subject.

authorwjf

In my experience, when an app detected a virus at installation, it could later detect it again when a manual scan was run. The difference being that with a few exceptions, the anti-virus solutions for mobile couldn't detect a virus sitting out on the phone's SD card. So something about the detection process needed the virus to be installed, vs. just having the infected file on the phone itself. Does that make sense? Though I agree it might be interesting to run the tests in the reverse order, installing the infected app first, then installing AV.

Michael Kassner

The security app vendors are cognizant of two things, battery reserve and processor load. I am finding that developers opted to worry about installed malware--not downloaded--because of those concerns. As to why our malware samples were still missed after installation, that is another story. I am not sure if that is what you are alluding to though, if not please let me know.

authorwjf

Actually, in my experience, adding devices like iPhone and Android to your enterprise ecosystem doesn't really increase security concerns at a corporate level, simply b/c the current threats for PCs and phones can't cross-pollinate. Meaning threats targeted at PCs currently aren't contagious to the phones, and threats designed for the phones currently are inert on a PC. This of course can and probably will change as the bad guys get more sophisticated with their attacks. Hopefully by the time we reach that point the AV solutions will be just as sophisticated.

Michael Kassner

Could you clarify what you mean? Since malware and security apps are all relatively new, there is precious little information available. That's why we felt it important to start the ball rolling. We need to know what security apps are doing and if they indeed work.

Michael Kassner

This is new ground. I dare say they are coming at it with more experience. Street cred is at stake and the security app developers know it. As for what is being sent back, we are looking into that.

Michael Kassner

Security app developers are well aware of this. I am working on an article about the "philosophy of security apps" and there is much more going on than we realize.

JCitizen

I've been waiting for this for some time. Thanks Michael! I wished I could find your articles sooner! I've tried all the settings, but am apparently still clueless.

ESchlangen

I appreciate the clarification. Thanks for the excellent article - I wish more articles contained useful information like this!

JCitizen

will do this in the near future. I say they are behind the times. Sometimes I wonder about their methods too.

sgriffithsnz

And if I can be of assistance let me know

Matt Henderson

1. An Android device can only be infected via installation. Wrong! Any device with non-volatile storage can be "infected" if the executable software or its data can be altered. A rogue installation script can do this, provided a user is prompted to run the script. But all that is really required is access to any function that allows alteration of that same storage space.

2. Users assume that malware prevention software only protects them from installation AFTER they have installed protection. Maybe. Perhaps those with low expectations. But many Windows users will expect that the software can "clean up" a system after it is infected.

3. Malware prevention vendors know about all malware before it can affect your system. False. Any vulnerability discovered by attackers first can be used before any effective prevention measures exist. This is another reason why scans will pick up infections after the initial installation occurs.

Smart phones and tablets are real computers. Any infection scenario that has worked before on other systems can potentially work. All that is required is one or more vulnerabilities that are known by attackers.

seanferd

The ones that "developed" an app that "recognizes" malware by file name, I'm sure they know who they are, and that all they are doing, assuming they plan to release an actual security app at some point, is throwing a placeholder app into the market and advertising it as being an aid to security. This is more than dishonest. And for every shade in between these devs or vendors, and those who produce an actually functional application, they should clearly advertise what their app actually does (or, you know, provide a finished product in the first place) without having consumers finding out later because a group of smart people went ahead and tested the applications. While maybe other sorts of software may be released feature-incomplete or slightly buggy -- as long as the fixes are forthcoming and free -- it is tolerable. Essentially lying to you that your system is now secure is not. You'd be better off with no "protection", and knowing it.

I'll be interested to see what you will say about the philosophy of security apps. I rather think, though, that the philosophy of business trumps this always, and many business philosophies and practices are very poor. If security app developers are aware of this, then what the heck are they doing? Or is it other security types, or security app developers not involved with these poor excuses for released, even paid-for, software? Or are we to consider developers "being aware" as separate from what their overlords do -- releasing joke software over the objections of the devs? Again, I'll just have to wait to see what your further investigation yields.

Michael Kassner

My posts are in the IT Security news letter and I tweet each release, if that is of any help.

JCitizen

I'm seeing a shift to strictly behavior-based security solutions now; with the difficulties of unrecognizable zero-day threats, a rundown on this paradigm shift would be nice. Of course your previous articles on application updates and some of the attending utilities that help along that line have been covered already. Your favorite company Emsisoft, who developed Online Armor, is one of these; their anti-malware has a product that typifies what I'm hinting at.

Michael Kassner

We are working on a few right now. If you want, TR has a newsletter or you can follow my twitter account. I tweet each new article. Are there any topics that you would like to see covered?

Matt Henderson

There are not many known vulnerabilities for Android systems, when compared to a Windows system, so Android users might feel justified in skipping AV because of the lower risk. In fact, it might make more sense to just keep software patched frequently and avoid installing software from untrusted sources to mitigate the theoretical possibility of an attack. Still, there are real risks. Maybe the Chrome browser will execute a script when accessing a rogue web site that takes advantage of a flaw in the "sandbox" access controls. Maybe a document sent via email will have a script in it that will exploit the flaw mentioned in a previous article. AV software seldom fixes problems, but it does help users know what is wrong and prevent further damage. Lacking a scan feature limits the usefulness, IMHO, because problems will not be limited to running the installer. Still, if you can't resist software from places other than the Android Market, this AV software might help. And maybe in the future, it will provide more protection...

authorwjf

Again speaking only from my experiences with the apps mentioned in this article, but "clean up" of an infected system really only means that the AV removes, or suggests you remove, the infected app. There is no "undoing" of any damage the rogue app did. However, unlike traditional desktop systems, most mobile OS offerings have a much stricter sandbox model. This means it's unlikely (at least I've yet to hear of it) that a mobile-based threat would infect / spread to another application on the same device. What I have heard of is mobile threats that download and install more infected apps on the device without the user's knowledge. In those cases I've no idea (and hope I never have to find out first hand!) how the AV products respond.

JCitizen

I need to remember to check there more often! Thanks! :)