Popular Android Anti-Virus Software Fooled By Trivial Techniques
wiredmikey writes "A group of researchers from Northwestern University and North Carolina State University tested ten of the most popular AV products on Android, and discovered that they were easily fooled by common obfuscation techniques. In a paper (PDF), the researchers said they tested AV software from several well-known security vendors. In order to evaluate the mobile security software, the researchers developed a tool called DroidChameleon, which applies transformation techniques to Android applications. Known malware samples were transformed to generate new variants that contain the exact malicious functions as before. These new variants were then passed to the AV products, and much to the surprise of the paper's authors, they were rarely flagged — if at all. According to the research, 43% of the signatures used by the AV products are based on file names, checksums or information obtained by the PackageManager API. This means that, as mentioned, common transformations will render their protection useless for the most part. For example, the researchers transformed the Android rootkit DroidDream for their test. DroidDream is a widely-known and highly dangerous application. Yet, when it was transformed, every AV program failed to catch at least two variants."
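An added illustration of the summary's 43% figure (my own example, not code from the paper or the DroidChameleon tool): a constructed APK-shaped zip is repackaged with its code entry left byte-for-byte identical, and the file name, whole-file checksum and PackageManager-style package name all change, while a hash over classes.dex alone does not. The manifest is plain text for readability; real APKs carry a binary XML manifest and signing metadata, which are not modelled here.

```python
import hashlib
import io
import re
import zipfile

# Constructed sample data: an APK is a zip archive; the app code lives in classes.dex.
FAKE_DEX = b"dex\n035\x00" + b"constructed-bytecode-placeholder-" * 4
MANIFEST_TMPL = b"<manifest package='%s'><application/></manifest>"


def build_apk(entries, order):
    """Write the given entries into a zip in the given order; return the bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in order:
            zf.writestr(name, entries[name])
    return buf.getvalue()


def package_name(apk_bytes):
    """Stand-in for what PackageManager reports (plain-text manifest here;
    a real APK's manifest is binary XML)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = zf.read("AndroidManifest.xml").decode()
    return re.search(r"package='([^']+)'", manifest).group(1)


def signatures(filename, apk_bytes):
    """The three brittle features named in the summary, plus one content-based
    feature: SHA-256 of the classes.dex entry alone."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        dex = zf.read("classes.dex")
    return {
        "filename": filename,
        "checksum": hashlib.sha256(apk_bytes).hexdigest(),
        "package": package_name(apk_bytes),
        "dex_sha256": hashlib.sha256(dex).hexdigest(),
    }


def compare_variant():
    """Original vs. a repackaged variant with identical dex bytes; returns,
    per feature, whether a signature built on it would still match."""
    original = build_apk(
        {"classes.dex": FAKE_DEX,
         "AndroidManifest.xml": MANIFEST_TMPL % b"com.example.original"},
        ["classes.dex", "AndroidManifest.xml"])
    # Constructed variant: renamed package, one extra resource, different entry order.
    variant = build_apk(
        {"classes.dex": FAKE_DEX,
         "AndroidManifest.xml": MANIFEST_TMPL % b"com.example.renamed",
         "res/values/strings.xml": b"<resources/>"},
        ["AndroidManifest.xml", "res/values/strings.xml", "classes.dex"])
    a = signatures("original.apk", original)
    b = signatures("variant.apk", variant)
    return {key: a[key] == b[key] for key in a}
```

A hash over the dex only survives container-level rewrites; the paper's bytecode-level transformations change classes.dex as well, so detection that is robust to those has to look past any fixed hash.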
This just in! (Score:5, Insightful)
AV products suck!
The whole premise of trying to match a virus 'signature' is simply stupid and useless.
Re:This just in! (Score:5, Informative)
Re: (Score:1)
The ideal technology for dealing with common threats from the late 1990s are patches to fix the gaping security holes exploited by a virus.
Instead computer users have been conditioned to believe that anti virus products are the solution.
But there's no money in making a monopoly OS secure.
Re: (Score:2)
Yeah, gaping security holes like email attachments with names similar to "bigtits.exe" and "funny.exe".
Not all viruses exploit security weaknesses, some are just malicious programs that idiot users run.
Re: (Score:1)
I think gaping holes such as goatse.cx can do more permanent damage ...
Re: (Score:2)
Not all viruses exploit security weaknesses, some are just malicious programs that idiot users run.
No, those would be trojan horses. Actual viruses can only work on modern OSs by exploiting security holes.
Re: (Score:2)
To be honest, I don't actually disagree with you on this one. But then what are these "android viruses" if not trojans themselves?
Re: (Score:3)
The fact that I can't easily run an arbitrary program without giving it the ability to screw up random data on my computer, let alone install a rootkit, is a gaping security hole. In fact, it's a gaping hole that programs are not restricted by default.
All of the popular general purpose operating systems have hideously weak security architectures that amount to gaping holes, and the phone operating systems are only a little better.
Re:This just in! (Score:5, Interesting)
Oh, hardly even then. I wrote my first polymorphic program when I was 16, and I was late to the game for that. Making a completely trivial change to the binary - have a meaningless 32-bit constant that you add (modulo 0xFFFFFFFF) with the current time in milliseconds on each run, for example - will completely bypass typical types of checksum/hash checks unless you want to store 4 billion signatures. Slightly more complex signature schemes are nonetheless equally easy to defeat. Filename checks are even easier to defeat; there's lots of ways to indicate the next file to run which can use dynamic file names. It's a game of cat and mouse, but the cats are too dumb to do anything but watch known mouseholes, while the mice can make new holes whenever they please and it only takes a mouse getting out once for the cats to lose the game.
Re: (Score:2)
What about heuristic analysis?
Re: (Score:2)
I wasn't even trying to defeat AVs, mind you - just messing with polymorphic code because the concept sounds cool. That said, defeating heuristics is a *lot* harder - which is why any self-respecting AV scanner uses them. There's lots of techniques, of course - things like self-decrypting code, for example, where any given instance of the actual malicious code (on disk) bears no resemblance to any other one because they use random keys and/or IVs - but there still has to be a decryptor that bootstraps the p
Re: (Score:2)
Thanks, I've not really kept up with antivirus software since the '90s.
Re: (Score:2)
Ahahahaha, that's a good one. I lived on a sailboat cruising tropical islands. The US - even Hawaii, which I came through on the way back from Tahiti once - is downright prudish compared to that lifestyle. Sure, holding a steady relationship wasn't really an option, but almost anything else was - not much chasing needed. As for professional success, I keep that off my profile but it's not hard to figure out who I am if you really want to. "Lack of professional success" indeed!
But sure, call me arrogant for
Re:This just in! (Score:5, Interesting)
FUD sucks too.
DroidDream is NOT "a widely-known and highly dangerous application". It was a malware variant identified early in 2011 and removed from both the Android Market (now Play Store) and from the infected devices. The vulnerability it exploited has been fixed in all Android versions newer than 2.2 (Froyo).
AV vendors are terrified of Windows' plunging market share, and are desperate to find another host to leech off. This is the despairing screech of a buggy-whip maker watching their buggy-OS host vanish over a cliff.
Re: (Score:2)
Re:This just in! (Score:5, Insightful)
In fairness, there is malware on Android; however, I expect the risk for most people of catching it is pretty minimal. The Play market is proactively scanned and acts reactively to threats up to and including a remote kill capability. And in many cases those that do get infected have their own lack of sense to thank - installing pirated APKs, or dubious apps from untrusted sources, and reaping the rewards.
Apps are not the only way in though. Web and email coupled with vulnerability exploits are obvious vectors; Bluetooth and NFC exploits have been demonstrated. I'm using an Android phone myself, but I think we are doing ourselves the same disservice Mac users did (and ended up with the biggest malware epidemic in modern times in terms of percentage of user base affected with Flashback) if we discount the malware threat to be just AV vendor marketing and not a potential real threat. Especially since such a large portion of the Android user base is on old vulnerable versions long after Google has patched vulnerabilities and improved security.
Re: (Score:2)
But at least they only have access to what you allow them.
Re: (Score:3)
A lot of the world does not heavily use the Play market and prefers to use alternatives. Studies have estimated that around 40% of Android devices in Russia are infected, for example, mostly due to installing apps from third-party sources.
Re: (Score:2)
Re: (Score:3)
Chinese Android phones as well, because the only way to get apps is third party stores, which often host said infected apps (most new discoveries of Android malware come from China). Of course, whether or not it's pirated or not is very hard to tell - the legit stores don't do a very good job themselves.
And Play
Re: (Score:2)
I didn't find the article positing that number in my first 10 seconds of searching, but I did find this: http://www.esecurityplanet.com/mobile-security/lookout-predicts-18-million-android-malware-infections-by-end-of-2013.html
Almost 35% will "encounter" malware in a given year. What pr
Re: (Score:2)
You just took the words right out of my mouth.
Publish signatures of clean files (Score:1)
Why can't the major software vendors publish sha256sum signatures (hashes) of all their files?
Why can't the major software vendors cooperate on a dns-like service where you look up the signature of a file you have on your disk in order to know if it is unaltered?
Why can't we crowd-source a new service where people and everybody can submit the signatures of files they have and believe to be OK...
- because the bad guy or his first victim would register the signature of the infected file?
- Well, let's take som
Re: (Score:2)
Re: (Score:2)
Really? I've got an HTC 8X on a wireless charger right in front of me (hence the Verizon version)... care to point to a virus or three (or just malware) that targets Windows Phones?
Don't worry... I'll wait.
While I will admit that nothing is
Re: (Score:2)
It was possible on WP7, at least in the earlier patch versions. I'm not aware of any malware anybody actually created, but there were a few known vulns in most devices that could be exploited for elevation of privilege. They were routinely used for beneficial homebrew software, though.
On WP8... well, there's no malware known to exist for it yet, but there's nothing much in the way of homebrew either. Microsoft locked the OS up so tightly that it's somewhat limited in terms of actual usability and very limit
Re: (Score:3)
Citation please.
As I recall... the initial 'exploit' used by the ChevronWP7 folks involved running a local web server on your PC... then tricking your phone into developer unlocking against it... rather than the official Microsoft servers.
I wouldn't exactly call this a vector for virus infilt
Re: (Score:3)
Not talking about ChevronWP7 or anything like it. The actual homebrew stuff for WP7 wasn't well publicized, partially because a lot of it was flying under the MS radar so far as possible, but it existed. The best-known "root" program is called WP7 Root Tools (http://www.wp7roottools.com) and exploits various firmware bugs in HTC, LG, and Samsung firmware (and possibly others) for WP7 to gain near-complete control over the OS, disable many of the "security" restrictions (such as the prohibitions on third-part
Re: (Score:1)
Nobody targets Windows phone because nobody cares about windows phone. Nobody uses it. Microsoft is constantly striving to be even relevant, let alone get a remarkably sized userbase.
Re: (Score:2)
I seem to recall that as an excuse around these parts for a decade or so regarding Linux... as well as the claim that "many eyes make bugs shallow"... and yet quite often we hear about a bug in the Linux kernel, or Bind, or some other major component that has been undiscovered for years and years.
How'd that work out? Oh right..
Re: (Score:3)
How'd that work out? Oh right... Android (Linux based) is the most easily hackable mobile phone OS out there!
You say that like it's a bad thing.
Re:Lucky Android Users (Score:5, Insightful)
yet quite often we hear about a bug in the Linux kernel, or Bind, or some other major component that has been undiscovered for years and years
i seem to recall that as an excuse around these parts for a decade (continuing today) regarding linux... and yet those bugs aren't exploited, even when the potential target is driving much of the consumer embedded world, servers (including probably majority of web servers and many large corporate intranets), and now smartphones.
Android (Linux based) is the most easily hackable mobile phone OS out there!
calm down a bit there sunshine... android is really a userland running on a virtual machine (dalvik). if you find an android vulnerability that affects the underlying linux kernel, then you'll have a major story. yes android is probably pathetically insecure (it would be nice if it were as secure as linux), but the linux kernel underneath dalvik is as tight and tested as the numerous datacenters around the world require it to be.
some slashdotters like to pick on how linux fans claim android = linux when it suits and not when it doesn't. android is an application layer running inside a virtual machine (so it is separated from the linux kernel), but there is still linux underneath (so every android deployment is also a linux deployment). linux and android are usually lumped together when arguing about market share, and separated when arguing about security, but there's nothing contradictory if you take the context of the argument into account.
Re: (Score:1)
Android does not run on a virtual machine, it uses the Dalvik VM to execute apps written in Java
err... you do realize what the "VM" bit stands for right?
i know "android" is the collective term for the kernel, vm and wm, libs, etc, but the insecure bit that TFA is probably talking about (who actually reads TFA anyway) is the app layer, not the kernel... if a virus were able to breach the kernel it would make front page news around the world because there are huge interests at stake (including corporate and government).
from http://en.wikipedia.org/wiki/Dalvik_(software) ... "Dalvik is the process virtua
Re: (Score:1)
err..yeah, I do. It's what "Android doesn't run on".
i realize we're just talking across each other, but part of android does run inside dalvik (which is a virtual machine). in the context of this thread and TFA, the part of android in question is the part running inside the VM, which the post that i was originally replying to was conflating with the linux part (outside the VM).
A recent Samsung kernel exploit was found in any phones that used the Exynos 4412 and 4210 CPUs. It did make the news, but not exactly around the world
i guess if its not an inherent vulnerability that would make sense, and the vulnerability would have to be exploited for it to make front page news. vulnerabilities that can't really b
Re: (Score:1)
yes android is probably pathetically insecure ...but the linux kernel underneath dalvik is as tight and tested as the numerous datacenters around the world require it to be.
Even if true, how exactly does this distinction matter to the millions of Android users out there?
"My phone was so infected that it was unusable, all my accounts were hacked, and my porn stash was stolen, but at least it was just the vm and my linux kernel held up! (at least I think.. i can't really tell...)"
Re: (Score:1)
how exactly does this distinction matter to the millions of Android users out there
1) i wasn't addressing the millions of Android users out there
2) it was part of my argument with the parent comment (which was trying to conflate the insecure bit of android with linux)
"My phone was so infected that it was unusable, all my accounts were hacked, and my porn stash was stolen, but at least it was just the vm and my linux kernel held up! (at least I think.. i can't really tell...)"
that same kernel (well, mostly same) is shared by more than just android...if dalvik is corrupted to the point of destruction but the kernel holds up, that will probably matter more to the world that all the embedded and datacenter applications are still secure
Re: (Score:1)
Point me to a few viruses for BeOS, OS/2 / eComStation, SolarOS, or Menuet.
Android is the most hackable mobile phone OS out there? Sure, but if you're going to argue that that discredits the security of the kernel like you seem to be saying, go ahead and point out how much of that is due to kernel bugs. (As far as I can tell, the main kernel bug was Samsung's ugo+rwx access to system memory--which would only be an issue for those who haven't updated).
The real issue is twofold:
First, many eyes won't do a th
Re: (Score:2)
I remember that being said about Linux devices round the parts for so long... which are obviously still (like Oracle DBs) unhackable/unbreakable.
How much longer should I wait? My old HTC Trophy (running Windows Phone 7.x) also (as far as I am aware) never had any major exploits against it.
While it's easy to say "no one cares about targeti
Re:Lucky Android Users (Score:5, Interesting)
Do you have WP7 Root Tools installed on your Trophy? If so, at least three different exploits were used: the ZIP path traversal that made the interop-unlock "app" work (all the work was actually done by the installer), the Connection Setup hack that achieved interop-unlock by hijacking the network database using some debug code to inject a script that modified the registry, and the exploit that Root Tools itself used in the HTC drivers to gain arbitrary code execution in the kernel.
Just because Heathclif74 was not, so far as anybody knows, embedding any malware in his software doesn't mean he couldn't have been, or one of the many other authors posting their work on XDA-Devs and WPCentral.
Re: (Score:1)
How much longer should I wait? My old HTC Trophy (running Windows Phone 7.x) also (as far as I am aware) never had any major exploits against it.
Maybe another 5 million users or so? Oh wait...
Re: (Score:2)
Malware that targets your phone? You realize that the software comes from Microsoft, right?
Re: (Score:2)
Compare to recognizing people (Score:5, Funny)
"Well, my son was wearing a hat, so no."
Re: (Score:1)
Slashdot readers cannot relate to this. Do you have a computer, caffeine and basement analogy?
Re: (Score:2)
Your computer has been stolen.
The police call you into the station and show you your computer and ask: "Is this your computer?"
You respond with: "No, it can't be, this isn't in my basement"
You all laugh and have coffee and doughnuts.
Re: (Score:3)
That's closer to how it works when trying to recognize people you don't know well, though. Police sketch-artists sometimes make a few different versions of a sketch, e.g. one with and one without a hat, one with short and one with long hair, etc., because it's not necessarily easy for people to recognize one as the other if it's a stranger.
Re: (Score:2, Funny)
Fuck me, Steve. Get over it already. RIP.
Re: (Score:1)
what about the worst virus of all: ANDROID?!?!? that entire OS is a virus masquerading as a useful product. it needs to be obliterated
regards,
steve ballmer
Re: (Score:1)
in all fairness to apple (i'm a linux fanboi, not an isheep)... users don't go looking for viruses to infect their system (windows and mac), but because mac has heritage in the multi-user unix platform it has some inherent security advantages over windows, which seems to get infected even without user intervention.
windows has a virus problem not only because it is so easily infected by its design, but because being so easily infected makes it even more of a target
ballmer really hates the gpl because it prev
So would it be safe to conclude... (Score:3)
...that AV apps not tested (such as avast!) are immune from this problem, and the authors only chose to report on those AV programs that failed their tests?
Not specific to android (Score:2)
Anti Virus software is a scam (Score:1)
Anti-virus software is a scam anyway; the OS should be secure enough not to let a program damage your device or corrupt stuff anyway. As anti-trojan detection it's completely useless too. Any trojan that can make off with your data and sell it to anyone and everyone is a bad thing, and yet not a single Facebook app is ever flagged as malware!
Re: (Score:2)
I don't know about mobile platforms, but certainly in the PC arena, judging by the features and tricks in recent AV-suite releases, vendors have been running out of oxygen in their world. Lately I have been repairing more consumer machines due to AV suites going rogue than I have for actual viruses (AFP ransomware had a burst of popularity recently).
These days I just go with Microsoft Security Essentials and leave it at that. The clients still feel protected, they're not out of pocket, and at least
Bye-bye smartphone virus cleaning software writers (Score:5, Insightful)
Tell the guys writing the smartphone virus cleaning software that our world is in danger of obliteration by a large asteroid, and we're building a series of Ark ships to get everybody off the planet to safety. The smartphone virus cleaning software writers will depart on the "B" Ark, along with hairdressers and middle-managers.
Then the rest of us will laugh our asses off.
Copy protection prevents scanning (Score:5, Informative)
This doesn't surprise me at all. The so-called virus scanners can't actually scan for viruses (i.e. examine the code of third-party apps) because that would break the copy protection. The paper mentions this at the beginning.
Amazing, new variants of malware go undetected.... (Score:2)
Re: (Score:2)
Re: (Score:2)
"Deep inspection" would only be needed the first time an executable is run. It's easy and quick to check a file hasn't changed since last time.
Trivial Obfuscation (Score:2)
Because..there are so many Linux viruses? (Score:3)
I don't practice particularly careful practices with my phone AT ALL, installing and uninstalling things all the time, etc etc and at most, at the absolute most, I've seen one chunk of malware. The real problem is not malware it's the permissions you grant the legitimate stuff you put on. WHY, does such and such game or widget need my phone book, email address book, call log browser history and location db? That's the problem right there.
Googles Bouncer (Score:2)