Android Fails in Mobile Malware Research
Category: Tablets, Smartphones
Android malware appears to be more widespread than I had thought. I was alerted to that fact recently with a reference to a story in Biztech referring to research done by Dan Guido, Co-Founder and CEO of Trail of Bits. The firm is an independent information security company. (Guido's co-founders are Alex Sotirov and Dino Dai Zovi, both well-known and respected mobile security researchers.)
The stand-out number in the research has to do with the extent of malware-tainted Android devices: "Our research has determined that out of the 300 million Android devices out there, the presence of malware has been discovered on about a million of them. That's a significant number." A million? I'd call that significant.
Trail of Bits conducted the research from December, 2011 to March, 2012. The base number of devices has undoubtedly grown quite a bit since. Has the number of malware-infected systems grown proportionately? Guido says that of course it has, and there's little reason to think otherwise.
First, about the attacks themselves. On Android attacks are almost all privilege escalation attacks using malicious apps that the user has installed deliberately, lured by a web site or an app in an app store. Trail of Bits followed 100 attack campaigns, 30 of which were on the Google Play store.
Privilege Escalation, in the context of mobile technology, is better-known as a "jailbreak." The program exploits a vulnerability in the operating system to change its own privilege level, allowing it to evade restrictions on lesser-privileged programs. Exploits are generally easier to write on Android than on Apple's iOS for a variety of reasons described by Trail of Bits.
Very few specific vulnerabilities were used in the malware found by Trail of Bits, and all of them had available patches. This raises one of the major problems with vulnerability mitigation in Android as opposed to iOS or Windows: Google relies on carriers and OEMs to distribute operating system version upgrades. Google can't force these companies to distribute new versions even if those new versions carry significant security improvements.
In fact, the carriers and OEMs have a strong incentive not to upgrade phones they have already sold: It gives buyers an incentive to buy a new phone because the new phones have all the improvements in the new operating systems, even if their older devices are capable of running the newer versions.
Samsung has acknowledged a serious vulnerability in the Android kernel for their Exynos processors in many of their phones, including the Samsung Galaxy S3. Click here to read more.
Users who want to upgrade their own phones can do so by rooting (the Android term for jailbreaking) them and installing a custom ROM from many sources, such as CyanogenMOD. But not many users have the patience or skills to do this.
Google introduced several important security advances in Android version 4.0 (Ice Cream Sandwich) but, according to Google, as of December 3, 2012, only 34.2 percent of Android devices are running version 4.0 or later. Version 4 was released to the public (and handset makers) October 19, 2011, so it's been around for a while.
Another important tool for mitigating vulnerabilities is Google Chrome, the alternative browser available now on Android. The standard Android browser is not as advanced or secure as Chrome and, as of Version 4.1 (Jelly Bean), it is the default browser on Android.
These advances will make many classes of exploits much harder to execute, but not privilege escalation attacks. For now, the main way to stop them is by vetting them at the store or through reputation systems. Unfortunately, as Trail of Bits explains in depressing detail, the controls on app submissions to the Google Play store are as weak as Apple's are strong: