Slashdot Mirror


Popular Android Anti-Virus Software Fooled By Trivial Techniques

wiredmikey writes "A group of researchers from Northwestern University and North Carolina State University tested ten of the most popular AV products on Android, and discovered that they were easily fooled by common obfuscation techniques. In a paper (PDF), the researchers said they tested AV software from several well-known security vendors. In order to evaluate the mobile security software, the researchers developed a tool called DroidChameleon, which applies transformation techniques to Android applications. Known malware samples were transformed to generate new variants that contain the exact malicious functions as before. These new variants were then passed to the AV products, and much to the surprise of the paper's authors, they were rarely flagged — if at all. According to the research, 43% of the signatures used by the AV products are based on file names, checksums or information obtained by the PackageManager API. This means that, as mentioned, common transformations will render their protection useless for the most part. For example, the researchers transformed the Android rootkit Droid Dream for their test. DroidDream is a widely-known and highly dangerous application. Yet, when it was transformed, every AV program failed to catch at least two variants."
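
The following is an added example, not code from the paper or from DroidChameleon, that illustrates the detection-engineering point in the summary: a signature keyed on the package name and a checksum of the code (the kind the paper says 43% of signatures are) breaks under a simple rename-and-repackage transformation, while a signature built from the framework API calls the code actually makes survives it. The toy "app" dict, the smali-style instruction strings, the package names and the `rename_transform` function are all constructed for the example.

```python
import hashlib
import re

# Constructed stand-in for an APK: PackageManager-visible metadata plus a
# few smali-style instructions from its classes.dex. Not a real sample.
SAMPLE_APP = {
    "package": "com.example.droidsample",
    "code": [
        "invoke-virtual Landroid/telephony/SmsManager;->sendTextMessage",
        "invoke-virtual Landroid/telephony/TelephonyManager;->getDeviceId",
        "invoke-static Lcom/example/droidsample/Util;->encode",
        "invoke-virtual Ljava/net/HttpURLConnection;->getOutputStream",
    ],
}


def brittle_signature(app):
    """Package name + SHA-256 of the code: file-name/checksum style signature."""
    digest = hashlib.sha256("\n".join(app["code"]).encode()).hexdigest()
    return (app["package"], digest)


# Framework (android.* / java.*) method references; app-local classes are ignored.
API_RE = re.compile(r"L(?:android|java)/[^;]+;->\w+")


def api_profile(app):
    """Set of framework API calls used; independent of names, order and junk."""
    return frozenset(m.group(0) for line in app["code"] for m in API_RE.finditer(line))


def rename_transform(app, new_pkg):
    """Models a repackaging transformation (constructed): rename the package,
    rewrite app-local class paths and insert a junk instruction."""
    old_path = app["package"].replace(".", "/")
    new_path = new_pkg.replace(".", "/")
    code = [line.replace(old_path, new_path) for line in app["code"]]
    code.insert(1, "nop")  # junk insertion shifts every byte after it
    return {"package": new_pkg, "code": code}


def matches(sig_fn, known, candidate):
    """True if the candidate hits the signature derived from the known sample."""
    return sig_fn(known) == sig_fn(candidate)


if __name__ == "__main__":
    variant = rename_transform(SAMPLE_APP, "org.repack.sample")
    print("checksum signature still matches:", matches(brittle_signature, SAMPLE_APP, variant))
    print("API-profile signature still matches:", matches(api_profile, SAMPLE_APP, variant))
```

The API-profile feature is only one step up: it still sees nothing the code hides behind reflection or runtime decryption, so it is a second layer alongside behavioural checks, not a replacement for them.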

21 of 94 comments

  1. This just in! by Anonymous Coward · · Score: 5, Insightful

    AV products suck!

    The whole premise of trying to match a virus 'signature' is simply stupid and useless.

    1. Re:This just in! by hamjudo · · Score: 4, Informative

      Virus 'signatures' are an ideal technology for dealing with common threats from the late 1990s.

    2. Re:This just in! by cbhacking · · Score: 5, Interesting

      Oh, hardly even then. I wrote my first polymorphic program when I was 16, and I was late to the game for that. Making a completely trivial change to the binary - have a meaningless 32-bit constant that you add (modulo 0xFFFFFFFF) with the current time in milliseconds on each run, for example - will completely bypass typical types of checksum/hash checks unless you want to store 4 billion signatures. Slightly more complex signature schemes are nonetheless equally easy to defeat. Filename checks are even easier to defeat; there's lots of ways to indicate the next file to run which can use dynamic file names. It's a game of cat and mouse, but the cats are too dumb to do anything but watch known mouseholes, while the mice can make new holes whenever they please and it only takes a mouse getting out once for the cats to lose the game.

      --
      There's no place I could be, since I've found Serenity...
    3. Re:This just in! by ozmanjusri · · Score: 5, Interesting

      FUD sucks too.

      DroidDream is NOT "a widely-known and highly dangerous application". It was a malware variant identified early in 2011 and removed from both the Android Market (now Play Store) and from the infected devices. The vulnerability it exploited has been fixed in all Android versions newer than 2.2 (Froyo).

      AV vendors are terrified of Windows' plunging market share, and are desperate to find another host to leech off. This is the despairing screech of a buggy-whip maker watching their buggy-OS host vanish over a cliff.

      --
      "I've got more toys than Teruhisa Kitahara."
    4. Re:This just in! by oldlurker · · Score: 5, Insightful

      In fairness, there is malware on Android; however, I expect the risk for most people of catching it is pretty minimal. The Play market is proactively scanned and acts reactively to threats up to and including a remote kill capability. And in many cases those that do get infected have their own lack of sense to thank - installing pirated APKs, or dubious apps from untrusted sources and reaping the rewards.

      Apps are not the only way in though. Web and email coupled with vulnerability exploits are obvious vectors, Bluetooth and NFC exploits have been demonstrated. I'm using an Android phone myself, but I think we are doing ourselves the same disservice Mac users did (and ended up with the biggest malware epidemic in modern times in terms of percentage of user base affected with Flashback) if we discount the malware threat to be just AV vendor marketing and not a potential real threat. Especially since such a large portion of the Android user base is on old vulnerable versions long after Google has patched vulnerabilities and improved security.

    5. Re:This just in! by cbhacking · · Score: 2

      A lot of the world does not heavily use the Play market and prefers to use alternatives. Studies have estimated that around 40% of Android devices in Russia are infected, for example, mostly due to installing apps from third-party sources.

      --
      There's no place I could be, since I've found Serenity...
    6. Re:This just in! by Hizonner · · Score: 2

      The fact that I can't easily run an arbitrary program without giving it the ability to screw up random data on my computer, let alone install a rootkit, is a gaping security hole. In fact, it's a gaping hole that programs are not restricted by default.

      All of the popular general purpose operating systems have hideously weak security architectures that amount to gaping holes, and the phone operating systems are only a little better.

    7. Re:This just in! by tlhIngan · · Score: 2

      I very much doubt 40% of Android devices in Russia are infected, although I can well believe the rates of infection are much higher in countries which have a culture of piracy over those that don't.

      Chinese Android phones as well, because the only way to get apps is third party stores, which often host said infected apps (most new discoveries of Android malware come from China). Of course, whether or not it's pirated is very hard to tell - the legit stores don't do a very good job themselves.

      And Play isn't available in China, either.

      Though, it wouldn't surprise me if a lot of stuff on Play gets pirated because it isn't available elsewhere - if there's a game you want and it's only available via Play, then one really doesn't have much choice other than to pirate it if Play isn't available.

  2. Compare to recognizing people by rebelwarlock · · Score: 5, Funny

    "Ma'am, is this your son?"

    "Well, my son was wearing a hat, so no."

    1. Re:Compare to recognizing people by Trepidity · · Score: 2

      That's closer to how it works when trying to recognize people you don't know well, though. Police sketch-artists sometimes make a few different versions of a sketch, e.g. one with and one without a hat, one with short and one with long hair, etc., because it's not necessarily easy for people to recognize one as the other if it's a stranger.

  3. Re:Lucky Android Users by mlw4428 · · Score: 2

    Chances are it does. Just because you're too stupid to believe there's no possible way a virus can get onto your phone, doesn't mean that there's someone out there with the know-how and the skill to do just that. There is not (and has never been) anything that is 100% secure.

  4. So would it be safe to conclude... by pongo000 · · Score: 2

    ...that AV apps not tested (such as avast!) are immune from this problem, and the authors only chose to report on those AV programs that failed their tests?

  5. Re:Lucky Android Users by DaHat · · Score: 2

    It was possible on WP7, at least in the earlier patch versions. I'm not aware of any malware anybody actually created, but there were a few known vulns in most devices that could be exploited for elevation of privilege.

    Citation please.

    As I recall... the initial 'exploit' used by the ChevronWP7 folks involved running a local web server on your PC... then tricking your phone into developer unlocking against it... rather than the official Microsoft servers.

    I wouldn't exactly call this a vector for virus infiltration.

    Ditto when it comes to homebrew apps (which could only run on developer unlocked device (legit or not unlocked))... and required manual side-loading of the app.

    Claiming malware was possible on WP7 is like claiming it's possible to infect the Pentagon with your super-l33t virus... provided you can trick someone into going into one of the secure server rooms, logging in as a local administrator, accessing your hax0red website... then clicking "Yes, I want to run configure; make; make install".

  6. Re:Lucky Android Users by AJWM · · Score: 2

    How'd that work out? Oh right... Android (Linux based) is the most easily hackable mobile phone OS out there!

    You say that like it's a bad thing.

    --
    -- Alastair
  7. Bye-bye smartphone virus cleaning software writers by knorthern+knight · · Score: 4, Insightful

    Tell the guys writing the smartphone virus cleaning software that our world is in danger of obliteration by a large asteroid, and we're building a series of Ark ships to get everybody off the planet to safety. The smartphone virus cleaning software writers will depart on the "B" Ark, along with hairdressers and middle-managers.

    Then the rest of us will laugh our asses off.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
  8. Re:Lucky Android Users by cbhacking · · Score: 2

    Not talking about ChevronWP7 or anything like it. The actual homebrew stuff for WP7 wasn't well publicized, partially because a lot of it was flying under the MS radar so far as possible, but it existed. The best-known "root" program is called WP7 Root Tools (http://www.wp7roottools.com) and exploits various firmware bugs in HTC, LG, and Samsung firmware (and possibly others) for WP7 to gain near-complete control over the OS, disable many of the "security" restrictions (such as the prohibitions on third-party non-"app" executables), give full access to the filesystem, registry, and certificate store, and allow running any other app as TCB (WP7's equivalent of "root" or "Admin"). Other apps before it, including things like TouchXplorer and Advanced Config, took less complete control but nonetheless had permission to do any number of nasty things had that been the intention of the developers. Additionally, once the later versions of Root Tools (with the "elevate other apps" feature) came out, a considerable number of homebrew apps that needed such permissions immediately sprung up, providing a perfectly good avenue for somebody to slip in a Trojan app. Indeed, it was a considerable concern.

    The point about requiring manual sideloading is valid (in fact, installing WP7 Root Tools would have been a lot easier if Microsoft had signed it and put it in the store, since otherwise it could be difficult to install on some devices after Mango introduced the interop-lock). However, I fail to see the important difference between installing an app you think is safe because it's on the store, and an app you think is safe because it comes out of the developer community that has been adding such cool features to your phone. Either way, it's a manual action on your part to install the app, and most people aren't going to decompile it and examine it for malicious code even if they had the know-how to do so. As for whether Trojans in general constitute "real" malware, that's all that the Android apps in question are, or the malicious iOS apps for jailbroken phones, or similar.

    To address your little analogy, social engineering is one of the best ways to bypass security there is; the weakest link in computer security usually sits between the user's ears. Also, your analogy seriously falls flat on its face when you consider that it wasn't supposed to be *possible* to "[log] in as a local administrator" on WP7. A seriously locked-down system wouldn't allow your scenario either.

    Then there's the minor, but really easy, attacks which were possible against WP7 without requiring firmware access or bypassing interop-lock or any such thing. For example, the XAP files that would let you access other device or operator marketplaces could just as easily have crippled your phone's marketplace functionality, overwritten your personal documents, broken your installed apps, and other things. Those were just carefully crafted ZIP archives with a .XAP extension and some XML files to make the installer recognize them; the same attack was actually possible using .ZIP files as well and wouldn't have been that hard to socially engineer somebody to try, or could have been bundled into an otherwise-legit XAP on the store.

    --
    There's no place I could be, since I've found Serenity...
  9. Copy protection prevents scanning by ensignyu · · Score: 5, Informative

    This doesn't surprise me at all. The so-called virus scanners can't actually scan for viruses (i.e. examine the code of third-party apps) because that would break the copy protection. The paper mentions this at the beginning.

  10. Re:Lucky Android Users by cbhacking · · Score: 4, Interesting

    Do you have WP7 Root Tools installed on your Trophy? If so, at least three different exploits were used: the ZIP path traversal that made the interop-unlock "app" work (all the work was actually done by the installer), the Connection Setup hack that achieved interop-unlock by hijacking the network database using some debug code to inject a script that modified the registry, and the exploit that Root Tools itself used in the HTC drivers to gain arbitrary code execution in the kernel.

    Just because Heathclif74 was not, so far as anybody knows, embedding any malware in his software doesn't mean he couldn't have been, or one of the many other authors posting their work on XDA-Devs and WPCentral.

    --
    There's no place I could be, since I've found Serenity...
  11. Amazing, new variants of malware go undetected.... by Dr+Black+Adder · · Score: 2

    Modifications of the binaries create a new variant of a virus, which may go undetected. I'm shocked! If you'd like an AV solution that performs a deep inspection on every binary, each time they are executed on your device, it's going to be a sloooooow ride.

  12. Re:Lucky Android Users by crutchy · · Score: 5, Insightful

    yet quite often we hear about a bug in the Linux kernel, or Bind, or some other major component that has been undiscovered for years and years

    i seem to recall that as an excuse around these parts for a decade (continuing today) regarding linux... and yet those bugs aren't exploited, even when the potential target is driving much of the consumer embedded world, servers (including probably majority of web servers and many large corporate intranets), and now smartphones.

    Android (Linux based) is the most easily hackable mobile phone OS out there!

    calm down a bit there sunshine... android is really a userland running on a virtual machine (dalvik). if you find an android vulnerability that affects the underlying linux kernel, then you'll have a major story. yes android is probably pathetically insecure (it would be nice if it were as secure as linux), but the linux kernel underneath dalvik is as tight and tested as the numerous datacenters around the world require it to be.

    some slashdotters like to pick on how linux fans claim android = linux when it suits and not when it doesn't. android is an application layer running inside a virtual machine (so it is separated from the linux kernel), but there is still linux underneath (so every android deployment is also a linux deployment). linux and android are usually lumped together when arguing about market share, and separated when arguing about security, but there's nothing contradictory if you take the context of the argument into account.

  13. Because..there are so many Linux viruses? by gelfling · · Score: 2

    I don't practice particularly careful practices with my phone AT ALL, installing and uninstalling things all the time, etc etc and at most, at the absolute most, I've seen one chunk of malware. The real problem is not malware it's the permissions you grant the legitimate stuff you put on. WHY, does such and such game or widget need my phone book, email address book, call log browser history and location db? That's the problem right there.