Droppers Is How Android Malware Keeps Sneaking Into the Play Store (bleepingcomputer.com)
Catalin Cimpanu, writing for BleepingComputer: For the past year, Android malware authors have been increasingly relying on a solid trick for bypassing Google's security scans and sneaking malicious apps into the official Play Store. The trick relies on the use of a technique that's quite common in desktop-based malware, but which in the last year is also becoming popular on the Android market. The technique involves the usage of "droppers," a term denoting a dual or multiple-stage infection process in which the first stage malware is often a simplistic threat with limited capabilities, and its main role is to gain a foothold on a device in order to download more potent threats. But while on desktop environments droppers aren't particularly efficient, as the widespread use of antivirus software detects them and their second-stage payloads, the technique is quite effective on the mobile scene.
Shouldn't the executables be digitally signed by the author, and signed in some manner specific to the device, and the platform be designed so an app running in a sandbox can't launch an executable if it is unsigned or the signature doesn't match, or if the executable wasn't installed during an app installation?
AC isn't entirely off base, though perhaps a bit crude... Chrome OS doesn't quite yet have the sizeable user base, and the history of not being able to install anything has rendered the primary exploits largely invalid on Chrome OS.
As far as Solaris, BSD, and Linux, most AV scanners for those operating systems are for Windows-accessible machines like file servers or mail servers. AVG ventured into the real-time antivirus monitoring arena for a little while back in the '00s. There wasn't any money in it like on the Windows side, and the AVG implementation was not a simple APT-GET or YUM install. Any nerds who would have simplified the process didn't see a need for it on the Linux desktop. An anti-virus isn't a preventative measure; it's reactionary, it's remediation, which means the virus already got through.
Android, and especially Apple iOS, lack most of the preventative and verification measures of a desktop OS. There are simply no good ways to keep malware from infecting the device and still participate in the market at large and get the full benefits of the device.
Windows is simply the weapon of choice of the unwashed masses, the illiterates, and nobody can afford to babysit them. That, combined with Windows' dominant user base, unfortunately means that if there is a vulnerability there is a statistically high potential for success, which means that if there is a zero-day vulnerability, there is a statistically high probability that an attack will breach your network and infect your machine. Which makes an anti-virus almost a necessity on Windows, as it is a constant and ongoing threat condition.
Whereas on Linux any vulnerability which breaches the primary vulnerabilities, such as email, will have already evaded detection. An antivirus won't perform any better than an expert, and you'd first have to identify the malware and submit it to your antivirus vendor. At which point you're just going to clean the malware immediately, before the AV vendor can provide definitions. If you have multiple servers you will either deploy a script to detect and remediate the virus, or simply redeploy your servers from backups, safeguarding them against the malware before putting them into production. Any serious vulnerability is going to be patched out upstream, so an antivirus won't need to detect older threats. So there is no advantage to running an antivirus on 90% of the Linux boxes. It chews up CPU cycles and IOPS, and gives a false sense of security.