Android Fails in Mobile Malware Research - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile // Mobile Devices
10:33 AM
Larry Seltzer
Larry Seltzer
Connect Directly

Android Fails in Mobile Malware Research

There are many more malware-infected Android devices out there than you might think. It's all because the Android ecosystem and Google Play store are more friendly to malware and exploits than iOS and the Apple App Store or Windows 8, Windows Phone and the Windows Store. There's some, but not much reason, to think things will improve for Android in the near future.

Android malware appears to be more widespread than I had thought. I was alerted to that fact recently with a reference to a story in Biztech referring to research done by Dan Guido, Co-Founder and CEO of Trail of Bits. The firm is an independent information security company. (Guido's co-founders are Alex Sotirov and Dino Dai Zovi, both well-known and respected mobile security researchers.)

The stand-out number in the research has to do with the extent of malware-tainted Android devices: "Our research has determined that out of the 300 million Android devices out there, the presence of malware has been discovered on about a million of them. That's a significant number." A million? I'd call that significant.

Trail of Bits conducted the research from December, 2011 to March, 2012. The base number of devices has undoubtedly grown quite a bit since. Has the number of malware-infected systems grown proportionately? Guido says that of course it has, and there's little reason to think otherwise.

First, about the attacks themselves. On Android attacks are almost all privilege escalation attacks using malicious apps that the user has installed deliberately, lured by a web site or an app in an app store. Trail of Bits followed 100 attack campaigns, 30 of which were on the Google Play store.

Privilege Escalation, in the context of mobile technology, is better-known as a "jailbreak." The program exploits a vulnerability in the operating system to change its own privilege level, allowing it to evade restrictions on lesser-privileged programs. Exploits are generally easier to write on Android than on Apple's iOS for a variety of reasons described by Trail of Bits.

Very few specific vulnerabilities were used in the malware found by Trail of Bits, and all of them had available patches. This raises one of the major problems with vulnerability mitigation in Android as opposed to iOS or Windows: Google relies on carriers and OEMs to distribute operating system version upgrades. Google can't force these companies to distribute new versions even if those new versions carry significant security improvements.

In fact, the carriers and OEMs have a strong incentive not to upgrade phones they have already sold: It gives buyers an incentive to buy a new phone because the new phones have all the improvements in the new operating systems, even if their older devices are capable of running the newer versions.

Samsung has acknowledged a serious vulnerability in the Android kernel for their Exynos processors in many of their phones, including the Samsung Galaxy S3. Click here to read more.

Users who want to upgrade their own phones can do so by rooting (the Android term for jailbreaking) them and installing a custom ROM from many sources, such as CyanogenMOD. But not many users have the patience or skills to do this.

Google introduced several important security advances in Android version 4.0 (Ice Cream Sandwich) but, according to Google, as of December 3, 2012, only 34.2 percent of Android devices are running version 4.0 or later. Version 4 was released to the public (and handset makers) October 19, 2011, so it's been around for a while.

Distribution of Android versions in installed devices based on the number of Android devices that have accessed Google Play within a 14-day period ending on December 3, 2012.

Another important tool for mitigating vulnerabilities is Google Chrome, the alternative browser available now on Android. The standard Android browser is not as advanced or secure as Chrome and, as of Version 4.1 (Jelly Bean), it is the default browser on Android.

These advances will make many classes of exploits much harder to execute, but not privilege escalation attacks. For now, the main way to stop them is by vetting them at the store or through reputation systems. Unfortunately, as Trail of Bits explains in depressing detail, the controls on app submissions to the Google Play store are as weak as Apple's are strong:

Next Page: Apple rules are strict, Google's lax; what about Microsoft?

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 2
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

New Storage Trends Promise to Help Enterprises Handle a Data Avalanche
John Edwards, Technology Journalist & Author,  4/1/2021
11 Things IT Professionals Wish They Knew Earlier in Their Careers
Lisa Morgan, Freelance Writer,  4/6/2021
How to Submit a Column to InformationWeek
InformationWeek Staff 4/9/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Successful Strategies for Digital Transformation
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll