Popular Android Anti-Virus Software Fooled By Trivial Techniques

wiredmikey writes "A group of researchers from Northwestern University and North Carolina State University tested ten of the most popular AV products on Android, and discovered that they were easily fooled by common obfuscation techniques. In a paper (PDF), the researchers said they tested AV software from several well-know security vendors. In order to evaluate the mobile security software, the researchers developed a tool called DroidChameleon, which applies transformation techniques to Android applications. Known malware samples were transformed to generate new variants that contain the exact malicious functions as before. These new variants were then passed to the AV products, and much to the surprise of the paper's authors, they were rarely flagged — if at all. According to the research, 43% of the signatures used by the AV products are based on file names, checksums or information obtained by the PackageManager API. This means that, as mentioned, common transformations will render their protection useless for the most part. For example, the researchers transformed the Android rootkit Droid Dream for their test. DroidDream is a widely-known and highly dangerous application. Yet, when it was transformed, every AV program failed to catch at least two variants."

This just in!

AV products suck!

The whole premise of trying to match a virus 'signature' is simply stupid and useless.

Re:This just in!

[hamjudo]

Virus 'signatures" are an ideal technology for dealing with common threats from the late 1990s.

Re:This just in!

The ideal technology for dealing with common threats from the late 1990s are patches to fix the gaping security holes exploited by a virus.

Instead computer users have been conditioned to believe that anti virus products are the solution.

But there's no money in making a monopoly OS secure.

Re:This just in!

[cbhacking]

Oh, hardly even then. I wrote my first polymorphic program when I was 16, and I was late to the game for that. Making a completely trivial change to the binary - have a meaningless 32-bit constant that you add (modulo 0xFFFFFFFF) with the current time in miliseconds on each run, for example - will completely bypass typical types of checksum/hash checks unless you want to store 4 billion signatures. Slightly more complex signature schemes are nonetheless equally easy to defeat. Filename checks are even easier to defeat; there's lots of ways to indicate the next file to run which can use dynamic file names. It's a game of cat and mouse, but the cats are too dumb to do anything but watch known mouseholes, while the mice can make new holes whenever they please and it only takes a mouse getting out once for the cats to lose the game.

Re:This just in!

[ozmanjusri]

FUD sucks too.

DroidDream is NOT "a widely-known and highly dangerous application". It was a malware variant identified early in 2011 and removed from both the Android Market (now Play Store) and from the infected devices. The vulnerability it exploited has been fixed in all Android versions newer than 2.2 (Froyo).

AV vendors are terrified of Windows' plunging market share, and are desperate to find another host to leech off. This is the despairing screech of a buggy-whip maker watching their buggy-OS host vanish over a cliff.

Re:This just in!

[UltraZelda64]

You just took the words right out of my mouth.

Re:This just in!

[DrXym]

In fairness, there is malware on Android however I expect the risk for most people of catching it is pretty minimal. The Play market is proactively scanned and acts reactively to threats up to and including a remote kill capability. And in many cases those that do get infected have their own lack of sense to thank - installing pirated APKs, or dubious apps from untrusted sources and reaping the rewards.

Re:This just in!

[oldlurker]

In fairness, there is malware on Android however I expect the risk for most people of catching it is pretty minimal. The Play market is proactively scanned and acts reactively to threats up to and including a remote kill capability. And in many cases those that do get infected have their own lack of sense to thank - installing pirated APKs, or dubious apps from untrusted sources and reaping the rewards.

Apps are not the only way in though. Web and email coupled with vulnerability exploits are obvious vectors, Bluetooth and NFC exploits have been demonstrated. I'm using an Android phone myself, but I think we are doing ourselves the same disservice Mac users did (and ended up with the biggest malware epidemic in modern times in terms of percentage of user base affected with Flashback) if we discount the malware threat to be just AV vendor marketing and not a potential real threat. Especially since such a large portion of the Android user base is on old vulnerable versions long after Google has patched vulnerabilities and improved security.

Re:This just in!

[Hentes]

But at least they only have access to what you allow them.

Re:This just in!

Uhh, ignorant asshole is ignorant. There are huge areas were your "Play Store" isn't available, like China.

Re:This just in!

[cbhacking]

A lot of the world does not heavily use the Play market and prefers to use alternatives. Studies have estimated that around 40% of Android devices in Russia are infected, for example, mostly due to installing apps from third-party sources.

Re:This just in!

[DrXym]

I very much doubt 40% of Android devices in Russia are infected, although I can well believe the rates of infection are much higher in countries which have a culture of piracy over those that don't.

Re:This just in!

[neokushan]

Yeah, gaping security holes like email attachments with names similar to "bigtits.exe" and "funny.exe".

Not all viruses exploit security weaknesses, some are just malicious programs that idiot users run.

Re:This just in!

[Sockatume]

What about heuristic analysis?

Re:This just in!

I think gaping holes such as goatse.cx can do more permanent damage ...

Re:This just in!

Has living with your family on a boat made you all incredibly strange anti social folks? Most people are busy getting pussy at 16.

Kudos with the arrogant nonsense though. I hope your ego placates your lack of professional or penis success.

Re:This just in!

[BasilBrush]

Not all viruses exploit security weaknesses, some are just malicious programs that idiot users run.

No, those would be trojan horses. Actual viruses can only work on modern OSs by exploiting security holes.

Re:This just in!

[Hizonner]

The fact that I can't easily run an arbitrary program without giving it the ability to screw up random data on my computer, let alone install a rootkit, is a gaping security hole. In fact, it's a gaping hole that programs are not restricted by default.

All of the popular general purpose operating systems have hideously weak security architectures that amount to gaping holes, and the phone operating systems are only a little better.

Re:This just in!

[neokushan]

To be honest, I don't actually disagree with you on this one. But then what are these "android viruses" if not trojans themselves?

Re:This just in!

[tlhIngan]

I very much doubt 40% of Android devices in Russia are infected, although I can well believe the rates of infection are much higher in countries which have a culture of piracy over those that don't.

Chinese Android phones as well, because the only way to get apps is third party stores, which often host said infected apps (most new discoveries of Android malware come from China). Of course, whether or not it's pirated or not is very hard to tell - the legit stores don't do a very good job themselves.

And Play isn't available in China, either.

Though, it wouldn't surprise me if a lot of stuff on Play gets pirated because it isn't available elsewhere - if there's a game you want and it's only available via Play, then one really doesn't have much choice other than to pirate it if Play isn't available.

Re:This just in!

[cbhacking]

Ahahahaha, that's a good one. I lived on a sailboat cruising tropical islands. The US - even Hawaii, which I came through on the way back from Tahiti once - is downright prudish compared to that lifestyle. Sure, holding a steady relationship wasn't really an option, but almost anything else was - not much chasing needed. As for professional success, I keep that off my profile but it's not hard to figure out who I am if you really want to. "Lack of professional success" indeed!

But sure, call me arrogant for pointing out that I also knew how to code from a relatively young age (or whatever thell you felt was arrogant about my prior post), my good Anonymous Coward. I'm sorry you both were and still are too immature to get over your bitterness at those who have had a good life.

Re:This just in!

[cbhacking]

I wasn't even trying to defeat AVs, mind you - just messing with polymorphic code because the concept sounds cool. That said, defeating heuristics is a *lot* harder - which is why any self-respecting AV scanner uses them. There's lots of techniques, of course - things like self-decrypting code, for example, where any given instance of the actual malicious code (on disk) bears no resemblance to any other one because they use random keys and/or IVs - but there still has to be a decryptor that bootstraps the process, and that can be heuristically identified. I'm waiting to see somebody write malware that lives inside a variety of completely innocuous codebases via ROP gadgets, where the payload executes by "exploiting" a vulnerability in the malicious program and using ROP to generate a completely different instruction sequence out of all that benign code. You still have the bootstrap problem, though; the the ROP stack needs to be loaded and traversed, and that means some heuristically-detectable portion of the malware.

On the other hand, you have to be careful about false positives as well when using heuristics. A number of legitimate programs, such as Skype, use self-decrypting code. The more broad a net you use to catch malware, the more non-malicious programs you'll inadvertently block. "File has the Execute permission set" is a (taken to extremes) example of a heuristic for detecting Trojans, for example... but a 100% true positive rate isn't that impressive when you also get a 100% false negative rate!

Re:This just in!

[cbhacking]

I didn't find the article positing that number in my first 10 secodns of searching, but I did find this: http://www.esecurityplanet.com/mobile-security/lookout-predicts-18-million-android-malware-infections-by-end-of-2013.html .

The likelihood that new Lookout users will encounter malware or spyware is heavily dependent on their geography and behavior, varying from 0.20 percent in Japan to 0.40 percent in the US and as high as 34.7 percent in Russia

Almost 35% will "encounter" malware in a given year. What precentage of those end up infected, I'm not sure - that would require more investigation into what "Lookout" is and how it works - but the subtitle of the article indicates that "encounter" means infection. Then there's the many devices that will already be infected. 40% doesn't sound high in that light.

Re:This just in!

[Sockatume]

Thanks, I've not really kept up with antivirus software since the '90s.

Lucky Android Users

I wish my phone needed AV software... :'(

Re:Lucky Android Users

[mlw4428]

Chances are it does. Just because you're too stupid to believe there's no possible way a virus can get onto your phone, doesn't mean that there's someone out there with the know-how and the skill to do just that. There is (and has never been) anything that is 100% secure.

Re:Lucky Android Users

[DaHat]

Chances are it does. Just because you're too stupid to believe there's no possible way a virus can get onto your phone, doesn't mean that there's someone out there with the know-how and the skill to do just that. There is (and has never been) anything that is 100% secure.

Really? I've got an HTC 8X on a wireless charger right in front of me (hence the Verizon version)... care to point to a virus or three (or just malware) that targets Window Phones?

Don't worry... I'll wait.

While I will admit that nothing is 100% secure... the protection model on Windows Phone does sure seem to keep malicious code away better than Android.

Re:Lucky Android Users

[multiben]

Heh heh heh. Successful troll.

Re:Lucky Android Users

[cbhacking]

It was possible on WP7, at least in the earlier patch versions. I'm not aware of any malware anybody actually created, but there were a few known vulns in most devices that could be exploited for elevation of privilege. They were routinely used for beneficial homebrew software, though.

On WP8... well, there's no malware known to exist for it yet, but there's nothing much in the way of homebrew either. Microsoft locked the OS up so tightly that it's somewhat limited in terms of actual usability and very limited for extensibility.

Re:Lucky Android Users

[DaHat]

It was possible on WP7, at least in the earlier patch versions. I'm not aware of any malware anybody actually created, but there were a few known vulns in most devices that could be exploited for elevation of privilege.

Citation please.

As I recall... the initial 'exploit' used by the ChevronWP7 folks involved running a local web server on your PC... then tricking your phone into developer unlocking against it... rather than the official Microsoft servers.

I wouldn't exactly call this a vector for virus infiltration.

Ditto when it comes to homebrew apps (which could only run on developer unlocked device (legit or not unlocked))... and required manual side-loading of the app.

Claiming malware was possible on WP7 is like claiming it's possible to infect the Pentagon with your super-l33t virus... provided you can trick someone into going into one of the secure server rooms, logging in as a local administrator, accessing your hax0red website... then clicking "Yes, I want to run configure; make; make install".

Re:Lucky Android Users

Nobody targets Windows phone because nobody cares about windows phone. Nobody uses it. Microsoft is constantly striving to be even relevant, let alone get a remarkably sized userbase.

Re:Lucky Android Users

I've got an HTC 8X on a wireless charger right in front of me

Security by obscurity works in that it'll take longer before vulns are discovered in rare devices.

Don't worry... I'll wait.

  Just be patient, those W8 things aren't exactly interesting to tech-heads.

Re:Lucky Android Users

[DaHat]

Nobody targets Windows phone because nobody cares about windows phone. Nobody uses it. Microsoft is constantly striving to be even relevant, let alone get a remarkably sized userbase.

I seem to recall that as an excuse around these parts for a decade or so regarding Linux... as well as the claim that "many eyes make bugs shallow"... and yet quite often we hear about a bug in the Linux kernel, or Bind, or some other major component that has been undiscovered for years and years.

How'd that work out? Oh right... Android (Linux based) is the most easily hackable mobile phone OS out there!

Re:Lucky Android Users

[DaHat]

Security by obscurity works in that it'll take longer before vulns are discovered in rare devices.

I remember that being said about Linux devices round the parts for so long... which are obviously still (like Oracle DBs) unhackable/unbreakable.

Just be patient, those W8 things aren't exactly interesting to tech-heads.

How much longer should I wait? My old HTC Trophy (running Windows Phone 7.x) also (as far as I am aware) never had any major exploits against it.

While it's easy to say "no one cares about targeting an OS with a .0000000002% market share"... call be silly... but I'm still kind of surprised no one wanted to make a name for themselves as the first person to hack Windows Phone.

Re:Lucky Android Users

[AJWM]

How'd that work out? Oh right... Android (Linux based) is the most easily hackable mobile phone OS out there!

You say that like it's a bad thing.

Re:Lucky Android Users

[cbhacking]

Not talking about ChevronWP7 or anything like it. The actual homebrew stuff for WP7 wasn't well publicized, partially because a lot of it was flying under the MS radar so far as possible, but it existed. The best-know "root" program is called WP7 Root Tools (http://www.wp7roottools.com) and exploits various firmware bugs in HTC, LG, and Samsung firmware (and possibly others) for WP7 to gain near-complete control over the OS, disable many of the "security" restrictions (such as the prohibitions on third-party non-"app" executables), give full access to the filesystem, registry, and certificate store, and allow running any other app as TCB (WP7's equivalent of "root" or "Admin"). Other apps before it, including things like TouchXplorer and Advanced Config, took less complete control but nonetheless had permission to do any number of nasty things had that been the intention of the developers. Additionally, once the later versions of Root Tools (with the "elevate other apps" feature) came out, a considerable number of homebrew apps that needed such permissions immediately sprung up, providing a perfectly good avenue for somebody to slip in a Trojan app. Indeed, it was a considerable concern.

The point about requiring manual sideloading is valid (in fact, installing WP7 Root Tools would have been a lot easier if Microsoft would have signed it and put it in the store, since otherwise it could be difficult to install on some devices after Mango introduced the interop-lock). However, I fail to see the important difference between installing an app you think is safe because it's on the store, and an app you think is safe because it comes out of the developer community that has been adding such cool features to your phone. Either way, it's a manual action on your part to install the app, and most people aren't going to decompile it and examine it for malicious code even if they had the know-how to do so. As for whether Trojans in general constitute "real" malware, that's all that the Android apps in question are, or the malicious iOS apps for jailbroken phones, or similar.

To address your little analogy, social engineering is one of the best ways to bypass security there is; the weakest link in computer security usually sits between the user's ears. Also, your analogy seriously falls flat on its face when you consider that it wasn't supposed to be *possible* to "[log] in as a local administrator" on WP7. A seriously locked-down system wouldn't allow your scenario either.

Then there's the minor, but really easy, attacks which were possible against WP7 without requiring firmware access or bypassing interop-lock or any such thing. For example, the XAP files that would let you access other device or operator marketplaces could just have easily crippled your phone's marketplace functionality, overwritten your personal documents, broken your installed apps, and other things. Those were just carefully crafted ZIP archives with a .XAP extension and some XML files to make the installer recognize them; the same attack was actually possible using .ZIP files as well and wouldn't have been that hard to socially engineer somebody to try, or could have been bundled into an otherwise-legit XAP on the store.

Re:Lucky Android Users

I remember that being said about Linux devices round the parts for so long.

Call me when WP7/8/* variants have been around as long as Linux without being exploited. Call me when WP7/8/* is being used in high-value tasks like Linux is, and has been for decades.

Linux is anything but obscure, except on desktops.

Re:Lucky Android Users

[cbhacking]

Do you have WP7 Root Tools installed on your Trophy? If so, at least three different exploits were used: the ZIP path traversal that made the interop-unlock "app" work (all the work was actually done by the installer), the Connection Setup hack that achieved interop-unlock by hijacking the network database using some debug code to inject a script that modified the registry, and the exploit that Root Tools itself used in the HTC drivers to gain arbitrary code execution in the kernel.

Just because Heathclif74 was not, so far as anybody knows, embedding any malware in his software doesn't mean he couldn't have been, or one of the many other authors posting their work on XDA-Devs and WPCentral.

Re:Lucky Android Users

[mtb_ogre]

How much longer should I wait? My old HTC Trophy (running Windows Phone 7.x) also (as far as I am aware) never had any major exploits against it.

Maybe another 5 million users or so? Oh wait...

Re:Lucky Android Users

That IS the protection model dammit.

Re:Lucky Android Users

[crutchy]

yet quite often we hear about a bug in the Linux kernel, or Bind, or some other major component that has been undiscovered for years and years

i seem to recall that as an excuse around these parts for a decade (continuing today) regarding linux... and yet those bugs aren't exploited, even when the potential target is driving much of the consumer embedded world, servers (including probably majority of web servers and many large corporate intranets), and now smartphones.

Android (Linux based) is the most easily hackable mobile phone OS out there!

calm down a bit there sunshine... android is really a userland running on a virtual machine (dalvik). if you find an android vulnerability that affects the underlying linux kernel, then you'll have a major story. yes android is probably pathetically insecure (it would be nice if it were as secure as linux), but the linux kernel underneath dalvik is as tight and tested as the numerous datacenters around the world require it to be.

some slashdotters like to pick on how linux fans claim android = linux when it suits and not when it doesn't. android is an application layer running inside a virtual machine (so it is separated from the linux kernel), but there is still linux underneath (so every android deployment is also a linux deployment). linux and android are usually lumped together when arguing about market share, and separated when arguing about security, but there's nothing contradictory if you take the context of the argument into account.

Re:Lucky Android Users

I am waiting you to point to kernel vulnerability that resulted in Android infestation.

Re:Lucky Android Users

"Make name" and "hack Windows Phone" in single sentence sound ridiculous. It's like overclocking clock's CPU(or whatever it's called there) in wrist watch. Who cares? What purpose?

Re:Lucky Android Users

[Nerdfest]

Malware that targets your phone? You realize that the software comes from Microsoft, right?

Re:Lucky Android Users

>I remember that being said about Linux devices round the parts for so long... which are obviously still (like Oracle DBs) unhackable/unbreakable.

If you really believe that Linux is unhackable/unbreakable, I have a bridge to sell to you, gullible idiot.

Re:Lucky Android Users

http://www.worsetech.com/security/high-risk-vulnerabilities-android-kernel-1105679.html

http://www.androidcentral.com/samsung-exynos-kernel-exploit-what-you-need-know

NEXT

Edit : captcha : unbiased....

Re:Lucky Android Users

Chances are it does. Just because you're too stupid to believe there's no possible way a virus can get onto your phone, doesn't mean that there's someone out there with the know-how and the skill to do just that. There is (and has never been) anything that is 100% secure.

Really? I've got an HTC 8X on a wireless charger right in front of me (hence the Verizon version)... care to point to a virus or three (or just malware) that targets Window Phones?

Don't worry... I'll wait.

While I will admit that nothing is 100% secure... the protection model on Windows Phone does sure seem to keep malicious code away better than Android.

How smug of you to wait. Unfortunately, no one really writes apps for windows phone and with it's pathetic install base why would anyone even bother targeting it.

Re:Lucky Android Users

I really don't think you understand what Android is or how it works. You should try googling the Android framework to get a better perspective on what Android encompasses. Additionally, Android does not run on a virtual machine, it uses the Dalvik VM to execute apps written in Java. It's also perfectly capable of exerting native apps that bypass the VM. As for Android security, JB has full ASLR, PIE and a host of other security enhancements

Re:Lucky Android Users

[dano.obrien6682]

yes android is probably pathetically insecure ...but the linux kernel underneath dalvik is as tight and tested as the numerous datacenters around the world require it to be.

Even if true, how exactly does this distinction matter to the millions of Android users out there?

"My phone was so infected that it was unusable, all my accounts were hacked, and my porn stash was stolen, but at least it was just the vm and my linux kernel held up! (at least I think.. i can't really tell...)"

Re:Lucky Android Users

[idunham]

Point me to a few viruses for BeOS, OS/2 / eComStation, SolarOS, or Menuet.

Android is the most hackable mobile phone OS out there? Sure, but if you're going to argue that that discredits the security of the kernel like you seem to be saying, go ahead and point out how much of that is due to kernel bugs. (As far as I can tell, the main kernel bug was Samsung's ugo+rwx access to system memory--which would only be an issue for those who haven't updated).

The real issue is twofold:
First, many eyes won't do a thing to help if half the phones never get a single update after source code goes public. If you can find and fix every single bug within a month of the source drop, it will not change security for a device that's stuck with a rom from just after the code drop.

Second, notice that term "code drop". To quote Rob Landley, "Android isn't open source, it's regularly updated abandonware." "Many eyes" cannot work when there's no source before release; when you look at Honeycomb, applying it to Android becomes even more absurd.

Re:Lucky Android Users

[crutchy]

Android does not run on a virtual machine, it uses the Dalvik VM to execute apps written in Java

err... you do realize what the "VM" bit stands for right?

i know "android" is the collective term for the kernel, vm and wm, libs, etc, but the insecure bit that TFA is probably talking about (who actually reads TFA anyway) is the app layer, not the kernel... if a virus were able to breach the kernel it would make front page news around the world because there are huge interests at stake (including corporate and government).

from http://en.wikipedia.org/wiki/Dalvik_(software) ... "Dalvik is the process virtual machine (VM) in Google's Android operating system".

It's also perfectly capable of exerting native apps that bypass the VM

i would be interested to know what native apps can bypass the vm without first gaining root access at least (with root of course you can do anything and so could a virus).

Re:Lucky Android Users

[crutchy]

how exactly does this distinction matter to the millions of Android users out there

1) i wasn't addressing the millions of Android users out there
2) it was part of my argument with the parent comment (which was trying to conflate the insecure bit of android with linux)

"My phone was so infected that it was unusable, all my accounts were hacked, and my porn stash was stolen, but at least it was just the vm and my linux kernel held up! (at least I think.. i can't really tell...)"

that same kernel (well, mostly same) is shared by more than just android...if dalvik is corrupted to the point of destruction but the kernel holds up, that will probably matter more to the world that all the embedded and datacenter applications are still secure

Re:Lucky Android Users

err... you do realize what the "VM" bit stands for right?

err..yeah, I do. It's what "Android doesn't run on". The Virtual Machine is a component of the Android Framework. Once again, please consult the many Android framework diagrams to gain a better understanding of what Android is and what it emcompasses.

i know "android" is the collective term for the kernel, vm and wm, libs, etc, but the insecure bit that TFA is probably talking about (who actually reads TFA anyway) is the app layer, not the kernel... if a virus were able to breach the kernel it would make front page news around the world because there are huge interests at stake (including corporate and government).

from http://en.wikipedia.org/wiki/Dalvik_(software)

Not really. Since OEM's like to fuck around with the Android/Linux kernel some exploits do arise. A recent Samsung kernel exploit was found in any phones that used the Exynos 4412 and 4210 CPU's. It did make the news, but not exactly around the world.

i would be interested to know what native apps can bypass the vm without first gaining root access at least (with root of course you can do anything and so could a virus).

Well, they're not exactly bypassing the VM, but apps written using the NDK are coded in C/C++ with light Java wrappers that do nothing but call the code.

Re:Lucky Android Users

[crutchy]

err..yeah, I do. It's what "Android doesn't run on".

i realize we're just talking across each other, but part of android does run inside dalvik (which is a virtual machine). in the context of this thread and TFA, the part of android in question is the part running inside the VM, which the post that i was originally replying to was conflating with the linux part (outside the VM).

A recent Samsung kernel exploit was found in any phones that used the Exynos 4412 and 4210 CPU's. It did make the news, but not exactly around the world

i guess if its not an inherent vulnerability that would make sense, and the vulnerability would have to be exploited for it to make front page news. vulnerabilities that can't really be exploited aren't as sensational. i'm not familiar with the samsung thing, but i'm guessing it wasn't a serious threat.

apps written using the NDK are coded in C/C++ with light Java wrappers that do nothing but call the code

native windows programs still run the same way when run on windows inside a virtualbox vm too, but they are still constrained by the limits of the virtual machine. dalvik is a process virtual machine, but i'm assuming even the c/c++ programs you mention are constrained by the limitations of the dalvik process. is it even possible to run a process outside dalvik from within dalvik? i wouldn't have thought so but i could be wrong. maybe if you had root access you could run malicious code on the next boot, or maybe create a cron job, but it would still require root filesystem permission. i'm still (even after reading a little bit about it) not really familiar with how you can gain root filesystem permissions from within dalvik given that i would assume dalvik would itself be running as a separate user with restricted filesystem permissions (kind of like apache). a wikipedia page on the topic talks about "exploiting security bug(s) in the firmware" but that would then be device-specific (like a bug in any device driver). if anyone has any experience in rooting an android device i would be interested to hear how it is done (practically speaking). there is a "su" app, but i imagine there is more to it than just installing the app. i'm not interested in rooting my android phone, but it might help my understanding of how android in general works (because abstract android framework diagrams don't really tell me a whole lot).

Re:Lucky Android Users

i guess if its not an inherent vulnerability that would make sense, and the vulnerability would have to be exploited for it to make front page news. vulnerabilities that can't really be exploited aren't as sensational. i'm not familiar with the samsung thing, but i'm guessing it wasn't a serious threat.

The exploit was used, but in a good way - to gain instant root on a wide range of Samsung Galaxy phones and tablets (as well as all of the other phones that used their CPU's. The exploit details how incompetent Samsung is as a kernel/OS developer.

http://www.phonearena.com/news/Major-exploit-found-in-Samsung-models-using-Exynos-4210-and-Exynos-4412-processors_id37738

native windows programs still run the same way when run on windows inside a virtualbox vm too, but they are still constrained by the limits of the virtual machine. dalvik is a process virtual machine, but i'm assuming even the c/c++ programs you mention are constrained by the limitations of the dalvik process. is it even possible to run a process outside dalvik from within dalvik? i wouldn't have thought so but i could be wrong. maybe if you had root access you could run malicious code on the next boot, or maybe create a cron job, but it would still require root filesystem permission. i'm still (even after reading a little bit about it) not really familiar with how you can gain root filesystem permissions from within dalvik given that i would assume dalvik would itself be running as a separate user with restricted filesystem permissions (kind of like apache). a wikipedia page on the topic talks about "exploiting security bug(s) in the firmware" but that would then be device-specific (like a bug in any device driver). if anyone has any experience in rooting an android device i would be interested to hear how it is done (practically speaking). there is a "su" app, but i imagine there is more to it than just installing the app. i'm not interested in rooting my android phone, but it might help my understanding of how android in general works (because abstract android framework diagrams don't really tell me a whole lot).

Native apps aren't really constrained by the VM. Native apps are executed in the same process that contains the VM. Once the VM hands over control they can pretty much do whatever they want given their user based permissions - each app is basically treated as a user, incidentally.

Compare to recognizing people

[rebelwarlock]

"Ma'am, is this your son?"

"Well, my son was wearing a hat, so no."

Re:Compare to recognizing people

Slashdot readers cannot relate to this. Do you have a computer, caffeine and basement analogy?

Re:Compare to recognizing people

[Trepidity]

That's closer to how it works when trying to recognize people you don't know well, though. Police sketch-artists sometimes make a few different versions of a sketch, e.g. one with and one without a hat, one with short and one with long hair, etc., because it's not necessarily easy for people to recognize one as the other if it's a stranger.

Re:Compare to recognizing people

[Canazza]

Your computer has been stolen.

The police call you into the station and show you your computer and ask: "Is this your computer?"

You respond with: "No, it can't be, this isn't in my basement"

You all laugh and have coffee and doughnuts.

Call that security, guys?

This is f**** 2013, not f**** 1995 when *maybe* there would have been an excuse to rely on such lame techniques like a database of known signatures as the main (rather than backup) defense.

The coding and mathematical geniuses at these security firms at our service, yeah right!

So would it be safe to conclude...

[pongo000]

...that AV apps not tested (such as avast!) are immune from this problem, and the authors only chose to report on those AV programs that failed their tests?

Not specific to android

[detain]

The same can be said for most any AV software , especially ones on mobile platforms.

Anti Virus software is a scam

Anti-virus software is a scam anyway, the OS should be secure enough not to let a program damage your device or corrupt stuff anyway. As anti-trojan detectton it's completely useless too. Any trojan than can make off with your data and sell it anyone and everyone is a bad thing, and yet not a single Facebook app is ever flagged as malware!

Re:Anti Virus software is a scam

[inflex]

I don't know about mobile platforms, but certainly on the PC arena, judging by the features and tricks in recent AV-suite releases, vendors have to been running out of oxygen in their world. Lately I have been repairing more consumer machines due to AV suites going rogue than I have for actual viruses ( AFP/randsom-ware had a burst of popularity recently ).

These days I just go with Microsoft Security Essentials and leave it at that. The clients still feel protected, they're not out of pocket, and at least it's not as likely to go utterly insane and take out the system and then refuse to be uninstalled cleanly.

Re: Anti Virus software is a scam

Agreed. This is why I have an iPhone.

It's a tiny, battery powered computer

AV scanning is bad enough on a desktop, it requires a huge database of signatures, may require processing multiply nested archive files, and often you have to use heuristics to guess at the signature. And, as the article suggests, it's standard for desktop software to scan the entire file.

This kind of intensive processing just can't be done on mobile devices without serious slowdowns and a lot of battery.

Bye-bye smartphone virus cleaning software writers

[knorthern+knight]

Tell the guys writing the smartphone virus cleaning software that our world is in danger of obliteration by a large asteroid, and we're building a series of Ark ships to get everybody off the planet to safety. The smartphone virus cleaning software writers will depart on the "B" Ark, along with hairdressers and middle-managers.

Then the rest of us will laugh our asses off.

Re:what about the worst virus of all: ANDROID?!?!?

[Zaelath]

Fuck me, Steve. Get over it already. RIP.

Trojans

Agreed, I have AVG (the free version) for trojan detection, but its never detected squat since 4 years now and just annoys me by telling me how much faster my computer boots these days. Since I know that AVG isn't why it boots faster, it's Windows 7 fast boot optimizer, I find it sort of scamming that it phrases it like AVG did the speedup, and less trustworthy as a result.

It my be deleted in the near future.

Copy protection prevents scanning

[ensignyu]

This doesn't surprise me at all. The so-called virus scanners can't actually scan for viruses (i.e. examine the code of third-party apps) because that would break the copy protection. The paper mentions this at the beginning.

Re:Copy protection prevents scanning

It's fun to play with the DMCA
It's fun to play with the DMCA
They have everything for young men to enjoy
You can hang out with all the boys

Amazing, new variants of malware go undetected....

[Dr+Black+Adder]

Modifications of the binaries creates a new variant of a virus, which may go undetected. I'm shocked! If you'd like an AV solution that performs a deep inspection on every binary, each time they are executed on your device, it's going to be a sloooooow ride.

Re:Could it be... God?

[crutchy]

38:14 And God created the first ever Hosts file...

205.186.175.153 goatse.cx

Re:what about the worst virus of all: ANDROID?!?!?

[crutchy]

what about the worst virus of all: ANDROID?!?!? that entire OS is a virus masquerading as a useful product. it needs to obliterated

regards,

steve ballmer

2 of how many please ?

Yet, when it was transformed, every AV program failed to catch at least two variants.

Without more information -- like 2 outof how many -- thats simply FUD.

2 outof 2 ? 100% failure.
2 outof 100 ? 2% failure.

I would love to see an AV product coming down to that latter score ....

Unreal

Literally every major piece of software used by hundreds of millions or even billions of people around the world, suffers from being vulnerable to or having been to thousands of flaws. Software actually can damage your life beyond repair. And they get away with it, millions of times a day as people lose their identities, their money, their privacy. And these companies are never prosecuted. Don't we have a consumer protection agency, anywhere in the world, willing to defend us?
Just once?

This just in!

Android products sucks!

The whole premise of an open desktop like OS with lax security and slow updates on a mobile device is simply stupid and useless.

Re:Bye-bye smartphone virus cleaning software writ

But then later on our civilization will be wiped out by an infected phone and they will go on to become the dominate race on the planet.

Trivial Obfuscation

[puddingebola]

Landshark. Candygram.

Point is Moot

AV companies run honeypot networks to catch cantagious viruses spreading across the Interwebs. Essentially, they setup machines which browse the Internet and are open to malicious attacks. Once one of these honeypot machines gets infected, they record the site & signature of the exe generated for inclusion in the latest AV definition update.

AVs are useful because they stop common/known viruses from spreading across and infecting machines across the Internet. Targeted attacks cannot easily be stopped by AVs because theres far too many complicated variables at play. If I write a malicious program and send it to you, your AV is unlikely to mark it as a virus because my program hasn't been previously identified as a virus.

Even if a virus is Polymorphic (as in the article) there is always a primary point of entry... Basically, if you secruity is comprimised and an exe is generated and allowed to run on your machine without authorization from you, you're fucked regardless whether the virus was polymorphic or not!

Re:Amazing, new variants of malware go undetected.

[CastrTroy]

Besides. Android does a pretty good job of controlling what each and every app can access. There's a sandbox around each app. As long as you are careful which apps you install, and look closely at the permissions they require, you should be relatively safe from most malware. If you're at all unsure about an app, it's probably better just to not install it. Sure there are problems, but I think Android is one of the better platforms out there. Not too many others I'm aware of have such fine grained control of what exactly each application may do on your system.

Re:Amazing, new variants of malware go undetected.

[BasilBrush]

"Deep inspection" would only be needed the first time an executable is run. It's easy and quick to check a file hasn't changed since last time.

Whew

I really hope someone writes iPhone av software soon, all these iOS viruses at overwhelming!

Because..there are so many Linux viruses?

[gelfling]

I don't practice particularly careful practices with my phone AT ALL, installing and uninstalling things all the time, etc etc and at most, at the absolute most, I've seen one chunk of malware. The real problem is not malware it's the permissions you grant the legitimate stuff you put on. WHY, does such and such game or widget need my phone book, email address book, call log browser history and location db? That's the problem right there.

Publish signatures of clean files

[Cacadril]

Why can't the major software vendors publish sha265sum signatures (hashes) of all their files?
Why can't the major software vendors cooperate on a dns-like service where you look up the signature of a file you have on your disk in order to know if it is unaltered?
Why can't we crowd-source a new service where people and everybody can submit the signatures of files they have and believe to be OK...
- because the bad guy or his first victim would register the signature of the infected file?
- Well, let's take some measures... The submitters need to have had a pgp/gpg key registered with a keyserver for at least two years,
and the service response includes a field telling how many distinct submitters have submitted this same signature.
All right, I come to think about more problems with this idea faster than I can write about them... But many of them have fairly obvious solutions, and some may not completely invalidate the benefits... Who would like to contribute to a discussion about such a concept?

Re: what about the worst virus of all: APPLE?!?!?

I read the fine print: Research funded by Apple.

In all fairness, Where is the similar report / Study on the iPhone?

Oh .. snap .. I forgot; Apple is not susceptible to viruses. if you believe that, then you yourself are infected.

Re: what about the worst virus of all: ANDROID?!?!

I just noticed the fine print: Research funded by Apple.

In all fairness, Where is the similar report / Study on the iPhone?

Oh .. snap .. I forgot; Apple is not susceptible to viruses. if you believe that, then you yourself are infected.

Re: what about the worst virus of all: ANDROID?!?!

[crutchy]

in all fairness to apple (i'm a linux fanboi, not an isheep)... users don't go looking for viruses to infect their system (windows and mac), but because mac has heritage in the multi-user unix platform it has some inherent security advantages over windows, which seems to get infected even without user intervention.

windows has a virus problem not only because it is so easily infected by its design, but because it is so easily infected makes it even more of a target

ballmer really hates the gpl because it prevents him from building the secure bits of linux into windows and solving all his virus woes... well maybe

Googles Bouncer

[PuZZleDucK]

Does Bouncer detect the origional? I'd be (possibly more) curious to know if Bouncer could detect the variants too.