Boffin: Android's on-board malware scanner utterly FAILS

Google has added new anti-malware capabilities to Android 4.2 "Jelly Bean," but relying on them to block malicious apps might not be a good idea, says a computer science boffin from North Carolina State University. The latest Android – currently only found on a select group of handsets – includes an on-device "application …

COMMENTS

  1. chipxtreme

    Having owned quite a few Android phones and two tablets since introduction, starting with 2.0 I believe was my first device, and 4.2.1 which runs on my Nexus 7, I can honestly say I've not had a single bit of malware on any of my Android devices. I think all the people that claim to have been attacked by malware have probably downloaded a pirated app from a dodgy website infected with it. As I've never run a dodgy app on any of my devices it could explain why I've never been infected.

    1. eulampios
      WTF?

      Exactly

      The whole idiocy of the MS Windows measure applied to Android is as incompetent rubbish as it is a ludicrous FUD. Once again, Antivirus Scanning is crap, it's not scientific whatever this "malware Ph.D" says.

      You design a system, so you don't scan for malware. It's too late already. How would your scanner determine if an app is malicious? Heuristics is crap.

      There is already the transparent permissions system in place. Even if your scanner says that this weather widget is totally secure with texting, calling and billing permissions, it is a no go. This is the most scientific way of securing your application (after the GNU/Linux or *BSD trusted repositories with gpg).

    2. Anonymous Coward
      Stop

      That's because...

      anyone with even half a brain understands that 99.999999999999% of all Android malware lives on the open internet, and not the Google Play store, and as long as you have the setting that prevents non Play store installs, then you have absolutely nothing to fear, it's no less safe than Apple app store, or Windows Phone app store (but the latter is because there are no apps there..)

      However that's all pretty boring news that doesn't sell... And blogs like this (until their reporting standards rise, they are back to "blog" status in my books), and Android anti-malware sellers are all too keen to make mountains out of molehills.

      I wonder what company this researcher works for.

      1. Badvok

        Re: That's because...

        However, it would be nice if you could add other trusted stores, e.g. Amazon. At the moment to install anything from Amazon you have to allow any and all non-Play Store apps. As Amazon grows its store this will become more and more of a hole in Android.

        1. Anonymous Coward
          Anonymous Coward

          Re: Allow

          Yes you must allow installs of non-trusted packages. If you don't download packages from anywhere else it doesn't make any difference.

      2. Nelbert Noggins

        Re: That's because...

        Um... no... Most people with phones just want apps.

        Google have made Android so that the choice is the Play Store or anywhere; with no ability to add other app providers, you are required to open the device to everyone.

        Why can't I add Amazon as a trusted provider? They have promotions which mean I don't have to pay Google $X for an app and can bypass the Google cut. It doesn't make them a less trustworthy source than Google. The Play Store has been shown to let malware, or apps with inappropriate permissions, pass Google's checks for submission.

        Only using Play Store doesn't mean you're safe.

    3. Anonymous Coward
      Anonymous Coward

      Genuine question

      "I can honestly say I've not had a single bit of malware on any of my Android devices."

      How do you know?

      Last I knew, a virus tends not to make itself known.

  2. The Alpha Klutz

    Android is malware

    I use an Android phone. It is the third worst phone ever behind iPhones and Blackberries. Basically if you want to be spied on, it's great. There is so much spying it is almost as bad as the iPhone but they don't even do it nicely, it's like being gang raped.

    1. Chemist

      Re: Android is malware

      "it is the third worst phone ever behind iPhones and Blackberries."

      Your conclusion ?

    2. Anonymous Coward
      Anonymous Coward

      Re: Android is malware

      "I use an Android phone" ... "its like being gang raped"

      I'm a little confused as to why you're still using an Android phone? On a more serious note, care to provide some examples of this spying?

  3. JeffyPooh
    Pint

    Compare and contrast

    Virus - maybe stealthily hiding on your device, trying its best to evade detection, may occasionally try to run off with your credit card number (yeah, good luck with that...).

    Anti-virus Software - being generally annoying, constantly demanding updates, constantly demanding scans, blocking access to the Internet, bug-infested junk software, and eventually demanding actual money.

    The cure sounds much worse than the disease. One of the reasons we like tablets (as opposed to PCs) is to get away from Anti-virus software as much as getting away from the risk of virus.

    1. Anonymous Coward
      Anonymous Coward

      Using a tablet to get away from AV software?

      How does that make any sense at all? We have several tablets around the house, but we all have the common sense to realise that they're the least-secure bits of computing kit we own.

      The only tablet with curated apps is the iPad, and even that has its share of malware. Otherwise, unlike PCs, where you have a choice of mature malware-free alternative OSes, with a tablet you're pretty well stuck running the factory-installed OS and becoming part of a homogeneous ecosystem that is very attractive to attackers.

      To add insult to injury, their "user-friendly" UIs do their damnedest to hide any information about an app that might help you to determine if it's malicious or not, let alone giving you the tools to monitor its behaviour once installed.

      No, the only personal computing device more susceptible to malware than a tablet (currently Android, of course, but inevitably eventually Win8, if they end up selling any of them) is a PC running Windows. But at least in that case you know exactly what you're getting.

      1. JeffyPooh
        Pint

        Re: Using a tablet to get away from AV software?

        F.U.D.

        1. Ceiling Cat
          Thumb Down

          Re: Using a tablet to get away from AV software?

          Micro$hill?

      2. Dr. Mouse

        Re: Using a tablet to get away from AV software?

        "We have several tablets around the house, but we all have the common sense to realise that they're the least-secure bits of computing kit we own."

        To a point I agree.

        I treat phones and tablets on my home network as potentially dangerous. However, I do the same with all machines. Even a Linux box could be infected with malware, or machines could be hacked, or any number of possibilities. As an old colleague used to say, "The only real security is a 6-inch air gap". Although this is a little outdated due to the prevalence of wireless networks, the principle holds: The only way to ensure a computer is not vulnerable is to have no network attached (and no physical access either, really). Beyond that, you are taking a chance, no matter what security methods you employ.

        Even on a Windows PC, the best security method is user vigilance. This applies even more so to Android. When you install an app, ensure it is coming from a trusted source, and study the permissions it requests. Keep an eye on what your phone is doing, periodically clear out unused apps, and never grant root access to any app you are not sure about.

        I don't use a "virus scanner" on my Android devices, but I keep them under a great amount of control. I take the risk of my device being compromised, but I don't keep any sensitive info on it, and I accept the risk. Just as I used to do with my Windows PC when I had complete control over it and resources were stretched by virus scanners.

        Of course, not everyone thinks about security when they get an email containing "The most realistic fart app yet!"

    2. fajensen
      Mushroom

      Re: Compare and contrast

      Why would people trust the antivirus software? On wifey's PC I have Avast Anti Virus, what does that do: It runs with full priority so it can touch all files, it proxies itself into all data traffic (even arcane stuff like "nntp"), it also checks urls for "typos" so it knows what you are trying to browse.

      What if "Dr Evil" or CIA is the real owner of this company? You just send them all your stuff, installed total surveillance on your system - and installed a gateway for "them" to install more stuff when the occasion demands it - say someone needs to stick you with some kiddie-porn charges?!

  4. Andrew Jones 2
    FAIL

    Have been an Android user for 3 years, have yet to see Malware - it's really very simple.

    1) Don't download dodgy apps from dodgy websites.

    2) if the app has a bad rating or poor reviews or purports to be a free version of a popular game but by a developer other than you would expect - don't install it.

    3) if you think the permissions the app requires are more than you can logically justify - don't download it.

    I suppose I am just constantly surprised that people get viruses on Phones / Tablets / PCs - I have never run Anti Virus software on a computer since about 2003 and I still have yet to have a virus - perhaps people who are constantly getting viruses should modify their online behaviour.......

    1. Chris Miller

      I agree with you and share your experiences (though I do run AV on my Windows systems). But, in respect of your final paragraph, staying away from 'dodgy' web sites is no longer enough. You're relying on the skill and good judgement of the web masters of the 'reputable' sites you visit to ensure that their malware defences are sufficient to prevent an attacker inserting their own code and infecting your systems. If you don't run at least an occasional scan, how do you know that you haven't been infected in this way?

    2. nuked
      Facepalm

      "Have been an Android user for 3 years, have yet to see Malware"

      Therefore, you have never been infected???

      Only the very worst malware pops its head up to say hello.

      1. JeffyPooh
        Pint

        "Only the very worst malware pops its head up to say hello."

        So perfectly hidden that we don't even know it's there... As opposed to commercial anti-malware "solutions" that will be so intrusive that they become a complete and utter nuisance?

        Similar to the financial analysis. Pay your favourite "Security SW" $25 per year to avoid the one-in-10,000 chance that we might have to PAY MILLIONS? No, that we might have to phone Amex (*) to explain that the credit card data has apparently been stolen. Bad trade off - malware is cheaper overall.

        (* Actually, I recently used my Amex to pay Western Union to send money to relatives halfway around the world. My home telephone rang within 30s. It was Amex checking before allowing the transaction.)

        Your comment quoted above confirms that AV SW is worse even if the odds of malware were 100%. Given that the odds are well below 1%, it's a complete no brainer - installing AV SW would be daft.

    3. Sean Timarco Baggaley
      FAIL

      "Have been an Android user for 3 years, have yet to see Malware - it's really very simple."

      Unfortunately, so are most smartphone users.

      1) Define "dodgy app" and "dodgy websites". In terms an IT-illiterate will understand.

      2) "a developer other than you would expect"? Seriously? How many users do you think remember the names of all these developers? Again: think IT-illiterate.

      3) How the hell is an IT-illiterate going to know what is "too much"? The vast majority of IT device users haven't a clue about even basic privacy precautions: how else do you explain Facebook? Even so, these devices are supposed to be simple appliances, not virtual LEGO sets.

      Judging by some of the posts here, most developers and IT gadget fans wouldn't know "logic" if it poked them very hard in the eye with a Steinway Grand. Which explains why hardly anyone will even stand by their code and warrant it as fit for purpose.

      For the vast majority of people out there – myself included – iPhones and Macs are merely the least worst platform of choice, not the "best". The state of this industry is a sick, sick joke to anyone who doesn't work in it.

      You FOSSers are the worst of the lot: A bunch of feckless, bickering schoolchildren, wanking forth over tiresome, irrelevant faux-philosophical issues of "freedom", while refusing to write anything of sufficient quality as to be worth guaranteeing that it'll do what it says on the damned tin.

      Get over yourselves. This is by far the most unethical, hypocritical industry I've ever worked in. And I've worked in PR and marketing, as well as the games industry.

      1. Anonymous Coward
        Stop

        1) Define "dodgy app" and "dodgy websites". In terms an IT-illiterate will understand.

        Well for starters, you can't download them by default, so any IT-illiterate user will also be too dumb to find the setting that enables it.

        Secondly, the warning is VERY clearly worded, that even the dumbest person can work out...

        “Your phone and personal data are more vulnerable to attack by applications from unknown sources. You agree that you are solely responsible for any damage to your phone or loss of data that may result from using these applications.”

        It's such a shame too many idiots in the press can't work it out...

    4. Anonymous Coward
      Pint

      If you haven't run AV software since 2003, then how do you know you don't have a virus?

      Kind of an oxymoron statement.

      1. What of IT?
        Coat

        i'm picturing that as an XP machine, pre SP1 with Blaster/Welchia on it ;)

  5. Comments are attributed to your handle

    Maybe these researchers should spend more time improving Android's malware detection, as opposed to just proving what we could have guessed.

    1. Anonymous Coward
      Anonymous Coward

      I suppose bank robbers should help banks tighten security?

      Oh and if you leave your front door open the burglars should phone you up and let you know?

      1. Comments are attributed to your handle
        FAIL

        Derp

        There's a pretty significant difference between the three that you (conveniently) overlooked. While security researchers are supposedly working to improve the product they analyze, bank robbers and burglars have a malicious motive. Doesn't take an AC to understand that.

        I'm saying that researchers might make more of a difference in the long term by helping repair broken security, as opposed to the more easy (and rewarding in the short term) task of poking holes in the work of others. If you are a researcher solely dedicated to discovering vulnerabilities, then good, your work is much appreciated.

        But I do think we need more people interested in proactive security.

  6. Anonymous Coward
    Anonymous Coward

    Not quite a Darwin award

    but getting a virus in one's gadget as a result of using it carelessly does have biological parallels.

  7. Anonymous Coward
    Anonymous Coward

    Like Windows, Android fans have gone mad for gimmicks and features. All these features piled up with no thought for security. It's too late to fix all of these problems now with anti-virus software and malware detectors. You have to go back to the drawing board and start again.

    Honestly, it's amazing how a generally secure base OS using a Linux kernel can be screwed up so massively with a lousy swiss cheese topping. Android releases named after puddings? How about named after pizzas? They have a solid base and cheese (not always swiss) on top.

    1. Anonymous Coward
      Anonymous Coward

      "Honestly, it's amazing how a generally secure base OS using a Linux kernel can be screwed up so massively with a lousy swiss cheese topping"

      Android is no less secure than Linux. Each app runs as a separate Linux user. All these malware infections are users installing the malware themselves in an attempt to get a free game or two. The only difference here is that the games are available for Android.

      Even the report linked to in the MS twitter article as "evidence" of malware says exactly that, but the media skip over that point because how else are they going to get you all riled up?

    2. Ian Yates
      WTF?

      "Like Windows, Android fans have gone mad for gimmicks and features."

      I can only assume that you're singling Apple or BB users out as not going "mad for gimmicks and features"... So what would you call BBM, Siri, Facetime, etc.?

      The rest of your post was equally bizarre...

  8. Anonymous Coward
    Anonymous Coward

    Wrong assumptions?

    I see a lot of advice that states "don't visit bad sites" - the problem is that the average non tech user has no way to distinguish between a good and a bad site. It's not like malware will advertise itself with a URL like "infect.me", so this is where the trouble starts.

    That recent bank heist instructed people to disable the "buy only from a reputable shop" bypass, and blam, problems.

    You can use any brick you want to build this app jail, it doesn't matter. You presently start with a meringue foundation, and only Google can address that.

    1. JeffyPooh
      Pint

      Re: Wrong assumptions?

      Actually the first clue is a toss-away URL. A valuable URL (e.g. www.sex.com) isn't going to be wasted on cheap and cheerful malware. A valueless URL (e.g. www.sexychicz887766.cn) is far more likely to be disposable and thus might be a more risky choice.

      This singular rule is probably about 60% of it.

      1. Anonymous Coward
        FAIL

        Re: Wrong assumptions?

        So now big name DNS have been hijacked recently and no big sites have had XSS flaws or SQL injection attacks.

        Phew so glad I'm safe with them.

  9. toadwarrior

    Android is all about being open... open to everything including malware, that is. A lot of their problems could be resolved with real permission management rather than their current half baked effort.

    1. Ian Yates
      Thumb Up

      While not a solution for the average Joe user, LBE Privacy Guard can do exactly that

      https://play.google.com/store/apps/details?id=com.lbe.security.lite&hl=en

  10. The Alpha Klutz
    Megaphone

    What does a scanner see?

    Into the head? Down into the heart? Does it see into me, into us? Clearly or darkly? I hope it sees clearly, because I can't any longer see into myself. I see only murk. I hope for everyone's sake the scanners do better. Because if the scanner sees only darkly, the way I do, then I'm cursed and cursed again. I'll only wind up dead this way, knowing very little, and getting that little fragment wrong too.

    1. Anonymous Coward
      Anonymous Coward

      Re: What does a scanner see?

      "I saw Substance D. I saw death rising from the earth itself, in one blue field."

  11. Wang N Staines

    Any PC AVs out there that scan the tablets/phones connected to it?

  12. darkly does it

    don't be a D1ck

  13. Mark #255
    Unhappy

    Don't forget false positives

    I saw that warning pop up as I was installing games from the Humble Indie Android Bundle. Reasonably certain none of those are malware.

    1. The Alpha Klutz

      Re: Don't forget false positives

      do they give out the source code in that bundle? because any Linux boff will tell you you have to audit it yourself for security ;);)

  14. Great Bu

    Dog Wars - Beta

    Sounds cool, is it a dog fighting game ?

  15. John Tserkezis

    I don't care about malware.

    No really, based on numbers, malware is the least of my concern.

    What I DO want, is a scanner that'll tell me when an app grabs my calendar and/or contacts and/or notes and/or anything else and sends the entire lot out to a site that collects and counts that data.

    Because malware scanners NEVER(*) count back to base for advertising data apps.

    (*) Well, almost never, because datamining is considered kosher for some stupid reason.

  16. silent_count

    It's kinda funny

    For my money, the best security software on android are Titanium Backup and DroidWall... both of which require root. So, from where I'm sitting, securing a droid phone involves rooting it which in turn means invalidating the warranty. Seems ass-backwards if you ask me. "Sure you can keep your warranty... if you're willing to browse the interwebs without your data backed-up and without a firewall. What could possibly go wrong?"

    And before you call me an apple shill, my previous phone was a desire-z and this is posted from a galaxy s3.

  17. dssf

    Kinda painful because...

    I have a wincing and twitching going on recalling any number of down-thumb hits I took for demanding that Android have much, much better onboard security and contact list vaults, per-app blocking, traffic reporting, and more. I was shredded, assailed, mauled.

    I feel as if the recollection of those hits against me makes me want to go over to the table and share drinks I had been resisting the last two hours, because I am thinking of down-thumbed stuff over the past two weeks that makes me want to have a few drinks.

  18. Nelbert Noggins

    "don't visit bad sites" seriously.... wtf?!?!

    Who decides what's a bad site? I suspect my list of bad sites is different to yours...

    Does that mean don't use the official App stores as well? It has been shown that malware apps are distributed through the official source of apps. App stores, like AV companies, are always 2 steps behind. Until the new methods are found and known they can't detect it...

    Does that include don't visit any site that has adverts from an ad provider? There have been multiple instances of malware injection on high profile "trusted sites" due to the ad provider being compromised.

    You may as well say don't use the Internet...

    Even user education won't fix the problem, because people don't talk "english" when explaining boring malware stuff they talk "techno babble"...

    Non-IT people don't care, they like the sound of the app and want it. Warning boxes are like the nuisance license screens everyone gets when installing software... just click ok...

    For Google they need a secure way to add other app stores without sticking the phone into accept all other sources mode, a bit like adding a new repository to Linux distros. I expect the reality is most people will just click accept to any box that says "are you sure", followed by "are you really, really sure" if it means they get something they think they need or is for free.

  19. Dr. Vesselin Bontchev
    Boffin

    Clarifications

    The article lists a bunch of links to other El Reg articles. Why not to the original article by Prof. Jiang, from where the information was taken? Not nice, El Reg! Here is the link:

    http://www.cs.ncsu.edu/faculty/jiang/appverify/

    If you read the original article, you'll be able to spot another inaccuracy. The statement "without naming any of the products involved" is false. He quite clearly names them: Avast, AVG, TrendMicro, Symantec, BitDefender, ClamAV, F-Secure, Fortinet, Kaspersky, and Kingsoft; those are the products used by VirusTotal.

    Now, regarding Google's approach. Scanning for known malware is acceptable for an anti-virus product that can be updated fast enough as new variants appear. A huge company like Google who is not in the AV business, to begin with, simply cannot be that agile. They should have opted for a more generic approach. Fact is that they have such a ludicrously low detection rate, despite that they have had all the samples used in the test for quite some time.

    However, even if you opt for such an approach, identifying the known malware by the hash of the APK file is utter idiocy! There are many known server-side polymorphic Android Trojans (there are no viruses for the Android platform yet). This means that each time you download a copy from the server that hosts them, you get a different APK file - because some random data files inside are changed every time. At the very least Google should have used a hash of the classes.dex file inside the APK file (which is the file containing the actual code; APK files are just ZIP archives).

    Even that is unreliable, of course. The proper way to do it is to parse the structure of the classes.dex file and identify properly the code inside. I have written a Perl script that does this and it's freely available. Perhaps Google should have consulted an anti-virus expert before putting firmly their foot into their mouth. I know that many people think that AV stuff is easy, but the truth is that there are a lot of pitfalls and you need a lot of experience in this area, if you want to have a prayer of designing a reasonably good product....

    As a general note, Android's approach to security is just plain stupid. Each application requests, at install time, a bunch of rights which few users really understand. The only choice is to grant them all - or not to install the app. The proper way to do it is to allow the user to select which rights to grant, and make it possible to revoke some of them or grant additional ones at any time after installing the app. This way you could refrain from granting any rights you feel suspicious about and later grant them if the app really needs them. (Perhaps I want to play this great game but don't want it to connect to the internet, even at the price of not being able to post my best score to my Facebook page.) Or, revoke some of the rights, if you get a suspicion that the app is doing something dodgy.

    But this is a fundamental design flaw. It cannot be fixed without making all the existing apps incompatible - which means that Google isn't going to do it. So, we'll have to live with a fundamentally badly designed security, just like with the Windows platform. Not because the platform itself is inherently insecure (Windows isn't, either), but because idiotic design decisions make it way too easy for the user to screw up and install malware on it.
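The point made above about hashing the whole APK versus hashing the classes.dex entry inside it, as an added illustration that is not the commenter's Perl script nor any Google code: two APKs (built here as ordinary ZIP archives with a constructed stand-in for a DEX file) that differ only in a per-download data file get different whole-file hashes but an identical classes.dex hash. This is the "at the very least" step from the comment, not the fuller DEX-structure parse it recommends.

```python
"""Whole-APK hash vs. hash of the classes.dex entry (illustration, not production code).

An APK is a plain ZIP archive; the executable code lives in classes.dex.
Server-side polymorphic distribution changes some non-code file on every
download, which changes the whole-file hash while the code stays the same.
"""
import hashlib
import io
import os
import zipfile
from typing import Optional

# Constructed stand-in for a DEX file. A real DEX begins with the magic
# "dex\n035\0"; the rest here is filler, not real bytecode.
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 64 + b"constructed-dex-body"


def build_apk(dex_bytes: bytes, data_blob: bytes, include_dex: bool = True) -> bytes:
    """Build a minimal APK-like ZIP in memory: a manifest, optionally a
    classes.dex entry, and one data file standing in for the per-download
    random content a polymorphic server would vary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        if include_dex:
            zf.writestr("classes.dex", dex_bytes)
        zf.writestr("assets/noise.bin", data_blob)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of arbitrary bytes (used for the whole-file hash)."""
    return hashlib.sha256(data).hexdigest()


def dex_hash(apk_bytes: bytes) -> Optional[str]:
    """Hash only the classes.dex entry; None when the archive has none
    (an APK without code is not something a code-based lookup can key on)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if "classes.dex" not in zf.namelist():
            return None
        return sha256_hex(zf.read("classes.dex"))


def same_code(apk_a: bytes, apk_b: bytes) -> bool:
    """True when both archives carry byte-identical classes.dex entries."""
    ha, hb = dex_hash(apk_a), dex_hash(apk_b)
    return ha is not None and ha == hb


if __name__ == "__main__":
    # Two "downloads" of the same app with different random data files.
    first = build_apk(FAKE_DEX, os.urandom(32))
    second = build_apk(FAKE_DEX, os.urandom(32))
    print("whole-file hashes equal:", sha256_hex(first) == sha256_hex(second))
    print("classes.dex hashes equal:", same_code(first, second))
```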
