Popular Android Anti-Virus Software Fooled By Trivial Techniques

wiredmikey writes "A group of researchers from Northwestern University and North Carolina State University tested ten of the most popular AV products on Android, and discovered that they were easily fooled by common obfuscation techniques. In a paper (PDF), the researchers said they tested AV software from several well-know security vendors. In order to evaluate the mobile security software, the researchers developed a tool called DroidChameleon, which applies transformation techniques to Android applications. Known malware samples were transformed to generate new variants that contain the exact malicious functions as before. These new variants were then passed to the AV products, and much to the surprise of the paper's authors, they were rarely flagged — if at all. According to the research, 43% of the signatures used by the AV products are based on file names, checksums or information obtained by the PackageManager API. This means that, as mentioned, common transformations will render their protection useless for the most part. For example, the researchers transformed the Android rootkit Droid Dream for their test. DroidDream is a widely-known and highly dangerous application. Yet, when it was transformed, every AV program failed to catch at least two variants."

This just in!

AV products suck!

The whole premise of trying to match a virus 'signature' is simply stupid and useless.

Re:This just in!

[oldlurker]

In fairness, there is malware on Android however I expect the risk for most people of catching it is pretty minimal. The Play market is proactively scanned and acts reactively to threats up to and including a remote kill capability. And in many cases those that do get infected have their own lack of sense to thank - installing pirated APKs, or dubious apps from untrusted sources and reaping the rewards.

Apps are not the only way in though. Web and email coupled with vulnerability exploits are obvious vectors, Bluetooth and NFC exploits have been demonstrated. I'm using an Android phone myself, but I think we are doing ourselves the same disservice Mac users did (and ended up with the biggest malware epidemic in modern times in terms of percentage of user base affected with Flashback) if we discount the malware threat to be just AV vendor marketing and not a potential real threat. Especially since such a large portion of the Android user base is on old vulnerable versions long after Google has patched vulnerabilities and improved security.

Bye-bye smartphone virus cleaning software writers

[knorthern+knight]

Tell the guys writing the smartphone virus cleaning software that our world is in danger of obliteration by a large asteroid, and we're building a series of Ark ships to get everybody off the planet to safety. The smartphone virus cleaning software writers will depart on the "B" Ark, along with hairdressers and middle-managers.

Then the rest of us will laugh our asses off.

Re:Lucky Android Users

[crutchy]

yet quite often we hear about a bug in the Linux kernel, or Bind, or some other major component that has been undiscovered for years and years

i seem to recall that as an excuse around these parts for a decade (continuing today) regarding linux... and yet those bugs aren't exploited, even when the potential target is driving much of the consumer embedded world, servers (including probably majority of web servers and many large corporate intranets), and now smartphones.

Android (Linux based) is the most easily hackable mobile phone OS out there!

calm down a bit there sunshine... android is really a userland running on a virtual machine (dalvik). if you find an android vulnerability that affects the underlying linux kernel, then you'll have a major story. yes android is probably pathetically insecure (it would be nice if it were as secure as linux), but the linux kernel underneath dalvik is as tight and tested as the numerous datacenters around the world require it to be.

some slashdotters like to pick on how linux fans claim android = linux when it suits and not when it doesn't. android is an application layer running inside a virtual machine (so it is separated from the linux kernel), but there is still linux underneath (so every android deployment is also a linux deployment). linux and android are usually lumped together when arguing about market share, and separated when arguing about security, but there's nothing contradictory if you take the context of the argument into account.