What if malware was designed to pass inspection, then download the bad stuff? It appears "what if" is here and now.
The rumor mill appears to have it right. For the past year, Google has been running a service codenamed Bouncer. The service scans new apps, apps already in Android Market, and developer accounts for malware. Here's Google's take on how Bouncer works:
"Once an application is uploaded, the service immediately starts analyzing it for known malware, spyware, and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags.
We actually run every application on Google's cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior."
That's good news.
It won't work
No more than thirty seconds after I finished reading the press release, my friend — an Apple-enthusiast — called. "You know, it won't work," he snapped, no hello, no how's it going. "They have the nerve to say malware in Android Market has been decreasing. That's just wrong."
I then realized he was referring to this part of the news bulletin:
"The service has been looking for malicious apps in Market for a while now, and between the first and second halves of 2011, we saw a 40 percent decrease in the number of potentially-malicious downloads from Android Market.
This drop occurred at the same time that companies who market and sell anti-malware and security software have been reporting that malicious applications are on the rise. While it's not possible to prevent bad people from building malware, the most important measurement is whether those bad applications are being installed from Android Market and we know the rate is declining significantly."
Fast forward four days
My friend calls again. I'm really hoping for a hello this time. Nope. "Did you read Andy Greenberg's latest article?" he asked. "Bouncer is so screwed. Your Android bug hunter, Professor Jiang has found a workaround."
That got my attention. Dr. Xuxian Jiang, Assistant Professor at North Carolina State, is not one to ignore. I have relied on his expertise time and time again.
Google Bouncer and RootSmart
I read Andy's article and started to get excited — alarmed would be more accurate. It seems Dr. Jiang and his research team discovered RootSmart, a malware variant that initially appears to be benign, allowing it to sail through scanner and permission checks. After it's settled, RootSmart attempts to download the nasty malware from remote servers.
This must be what my friend was referring to — RootSmart could potentially fool Bouncer.
Then I read Andy's update to the article. It appears Google has patched the hole exploited by RootSmart. Still, unscrupulous bad guys could find another exploit vector. I thought I should check things out, then get the word out. So I contacted Dr. Jiang to get the details. Here's what he had to say.
Kassner: Your latest Android malware trophy is RootSmart. There is significant buzz about this malcode. Why is that?
Jiang: RootSmart is an interesting piece of Android malware that can dynamically fetch code from a remote command and control (C&C) server for execution. The downloaded code contains a root exploit that — if successful — can bypass the built-in security mechanism in Android.
Kassner: I've read on your blog that RootSmart is similar to GingerMaster — the first root exploit to target Android version 2.3 — with one exception. Would you explain what that is?
Jiang: Very good question. The difference is that in RootSmart, the root exploit is dynamically fetched from a remote server, while GingerMaster encloses the root exploit in itself. In other words, RootSmart will be much stealthier by not containing the root exploit.
Kassner: Your blog mentions that GingerBreak is the malware RootSmart downloads to obtain root access. I've heard that Google patched the vulnerability GingerBreak attacks. To be sure, I contacted Google and one of their spokespersons offered the following:
"Every Android device updated after May 2011 has had GingerBreak patched. We explicitly test for it in our Compatibility Test Suite, and we won't approve a device that has the exploit present.
The corollary here is that there are other methods to protect users beyond a malware scanner. This speaks to Android's defense in depth approach, not a reliance on any specific user-protection measure."
That said, Dr. Jiang, is GingerBreak a requirement?
Jiang: Not necessarily; the malware could download other types of root exploits. Meanwhile, I have to say even though the GingerBreak exploit is patched, there are Android devices that run old and vulnerable versions of Android.
Kassner: I wasn't really clear on what happens when RootSmart phones home. So I asked Android expert and fellow TechRepublic writer William Francis for his help.
Francis: To answer your question, saying an app "phones home" is just that, a saying. By that I mean it's not really using the phone to dial home but a TCP/IP socket. That means no root privilege is required. In fact, any app that has the INTERNET privilege could theoretically "phone home".
What does require root access is installing and executing arbitrary code. So while an app could phone home without root privileges and even download malware to the device (if the app also had local SD write permissions), without the root exploit the app could not install or run that malicious code.
Kassner: Now to the question everyone is asking. Google has just released information about their new service Bouncer. It supposedly will locate and remove apps containing malware from Android Market. Will exploits like RootSmart fool Bouncer?
Jiang: It is an arms race. I won't say RootSmart will fool Bouncer, but it will certainly pose some challenges for its detection.
Kassner: I'm curious whether mobile antivirus apps will recognize RootSmart when it's first installed on the phone. And is the answer different if RootSmart downloads the actual malware payload?
Jiang: You can see the current detection rate of RootSmart at this link. Basically, among 43 anti-virus engines hosted at VirusTotal, eight of them are now able to detect this piece of malware. If the malware downloads the actual malware package, I suspect more anti-virus engines will detect the downloaded malware package, but not necessarily RootSmart itself.
Kassner: Do you have any suggestions/precautions we should be following to avoid RootSmart?
Jiang: Please see my blog on possible mitigation. Basically, follow common-sense guidelines for smartphone security. For example:
- Download apps from reputable app stores that you trust; and always check reviews, ratings, as well as developer information before downloading.
- Check the permissions on apps before you actually install them and make sure you are comfortable with the data they will be accessing.
- Be alert for unusual behavior on the part of mobile phones and make sure you have up-to-date security software installed on your phone.
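As an added example (not code from the article, from Google, or from Dr. Jiang's team), here is the kind of static triage check a defender could run over an unpacked APK for the stager pattern Francis and Jiang describe: INTERNET plus SD-write permissions in the manifest combined with dynamic code loading references in classes.dex. The manifest and dex string-table entries below are constructed samples, and the thresholds are a heuristic, not a verdict.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Type descriptors as they appear in a classes.dex string table when an app
# can load code it did not ship with (DexClassLoader) or spawn a binary (Runtime).
DYNAMIC_LOAD_MARKERS = ("Ldalvik/system/DexClassLoader;", "Ljava/lang/Runtime;")

# Constructed sample: a manifest that looks harmless on its own.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.settingsapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

# Constructed sample: a few entries from that app's dex string table.
SAMPLE_DEX_STRINGS = ["Landroid/app/Activity;", "Ljava/net/HttpURLConnection;",
                      "Ldalvik/system/DexClassLoader;", "loadClass", "/sdcard/.cache/"]


def declared_permissions(manifest_xml: str) -> set:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}


def triage(manifest_xml: str, dex_strings: list) -> dict:
    """Flag the stager pattern: network + SD write + dynamic code loading.

    Each part alone is ordinary (plugin frameworks also load code at run time);
    all three together mean the app can phone home over a socket, stage a
    download on storage, and execute it later, which a scan of the shipped
    package alone cannot observe. Treat the flag as a reason to look closer.
    """
    perms = declared_permissions(manifest_xml)
    internet = "android.permission.INTERNET" in perms
    sd_write = "android.permission.WRITE_EXTERNAL_STORAGE" in perms
    loaders = [m for m in DYNAMIC_LOAD_MARKERS if m in dex_strings]
    return {"internet": internet, "sd_write": sd_write,
            "dynamic_load": loaders, "flag": internet and sd_write and bool(loaders)}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS))
```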
Kassner: Would they be willing to help this writer and his inbox out?
Jiang: They are wonderful Ph.D. students to work with — motivated to learn and passionate about identifying mobile threats. This is why they work on very advanced research projects dealing with smartphone and virtualization security. The entire team is dedicated to monitoring and identifying emerging Android malware and threats.
The Google spokesperson wanted me to make it clear that RootSmart was not found in Android Market:
"Bouncer is not relevant to this discussion, because Bouncer is focused on malware in Android Market. Dr. Jiang's findings do not concern any apps in Market."
For the moment that is true. The cat and mouse game continues.
A special thanks to Dr. Jiang, his research team, and William Francis.