Forgot your password?
typodupeerror
Android Security

Popular Android Anti-Virus Software Fooled By Trivial Techniques 94

Posted by Unknown Lamer
from the never-trust-malware dept.
wiredmikey writes "A group of researchers from Northwestern University and North Carolina State University tested ten of the most popular AV products on Android, and discovered that they were easily fooled by common obfuscation techniques. In a paper (PDF), the researchers said they tested AV software from several well-know security vendors. In order to evaluate the mobile security software, the researchers developed a tool called DroidChameleon, which applies transformation techniques to Android applications. Known malware samples were transformed to generate new variants that contain the exact malicious functions as before. These new variants were then passed to the AV products, and much to the surprise of the paper's authors, they were rarely flagged — if at all. According to the research, 43% of the signatures used by the AV products are based on file names, checksums or information obtained by the PackageManager API. This means that, as mentioned, common transformations will render their protection useless for the most part. For example, the researchers transformed the Android rootkit Droid Dream for their test. DroidDream is a widely-known and highly dangerous application. Yet, when it was transformed, every AV program failed to catch at least two variants."
This discussion has been archived. No new comments can be posted.

Popular Android Anti-Virus Software Fooled By Trivial Techniques

Comments Filter:
  • This just in! (Score:5, Insightful)

    by Anonymous Coward on Monday May 06, 2013 @11:09PM (#43650353)

    AV products suck!

    The whole premise of trying to match a virus 'signature' is simply stupid and useless.

    • Re:This just in! (Score:5, Informative)

      by hamjudo (64140) on Monday May 06, 2013 @11:16PM (#43650393) Homepage Journal
      Virus 'signatures" are an ideal technology for dealing with common threats from the late 1990s.
      • by Anonymous Coward

        The ideal technology for dealing with common threats from the late 1990s are patches to fix the gaping security holes exploited by a virus.

        Instead computer users have been conditioned to believe that anti virus products are the solution.

        But there's no money in making a monopoly OS secure.

        • by neokushan (932374)

          Yeah, gaping security holes like email attachments with names similar to "bigtits.exe" and "funny.exe".

          Not all viruses exploit security weaknesses, some are just malicious programs that idiot users run.

          • by Anonymous Coward

            I think gaping holes such as goatse.cx can do more permanent damage ...

          • Not all viruses exploit security weaknesses, some are just malicious programs that idiot users run.

            No, those would be trojan horses. Actual viruses can only work on modern OSs by exploiting security holes.

            • by neokushan (932374)

              To be honest, I don't actually disagree with you on this one. But then what are these "android viruses" if not trojans themselves?

          • by Hizonner (38491)

            The fact that I can't easily run an arbitrary program without giving it the ability to screw up random data on my computer, let alone install a rootkit, is a gaping security hole. In fact, it's a gaping hole that programs are not restricted by default.

            All of the popular general purpose operating systems have hideously weak security architectures that amount to gaping holes, and the phone operating systems are only a little better.

      • Re:This just in! (Score:5, Interesting)

        by cbhacking (979169) <been_out_cruisin ... nOSPam.yahoo.com> on Tuesday May 07, 2013 @12:00AM (#43650575) Homepage Journal

        Oh, hardly even then. I wrote my first polymorphic program when I was 16, and I was late to the game for that. Making a completely trivial change to the binary - have a meaningless 32-bit constant that you add (modulo 0xFFFFFFFF) with the current time in miliseconds on each run, for example - will completely bypass typical types of checksum/hash checks unless you want to store 4 billion signatures. Slightly more complex signature schemes are nonetheless equally easy to defeat. Filename checks are even easier to defeat; there's lots of ways to indicate the next file to run which can use dynamic file names. It's a game of cat and mouse, but the cats are too dumb to do anything but watch known mouseholes, while the mice can make new holes whenever they please and it only takes a mouse getting out once for the cats to lose the game.

        • by Sockatume (732728)

          What about heuristic analysis?

          • by cbhacking (979169)

            I wasn't even trying to defeat AVs, mind you - just messing with polymorphic code because the concept sounds cool. That said, defeating heuristics is a *lot* harder - which is why any self-respecting AV scanner uses them. There's lots of techniques, of course - things like self-decrypting code, for example, where any given instance of the actual malicious code (on disk) bears no resemblance to any other one because they use random keys and/or IVs - but there still has to be a decryptor that bootstraps the p

    • Re:This just in! (Score:5, Interesting)

      by ozmanjusri (601766) <aussie_bob@hotmail.cOPENBSDom minus bsd> on Tuesday May 07, 2013 @12:08AM (#43650597) Journal

      FUD sucks too.

      DroidDream is NOT "a widely-known and highly dangerous application". It was a malware variant identified early in 2011 and removed from both the Android Market (now Play Store) and from the infected devices. The vulnerability it exploited has been fixed in all Android versions newer than 2.2 (Froyo).

      AV vendors are terrified of Windows' plunging market share, and are desperate to find another host to leech off. This is the despairing screech of a buggy-whip maker watching their buggy-OS host vanish over a cliff.

      • by DrXym (126579)
        In fairness, there is malware on Android however I expect the risk for most people of catching it is pretty minimal. The Play market is proactively scanned and acts reactively to threats up to and including a remote kill capability. And in many cases those that do get infected have their own lack of sense to thank - installing pirated APKs, or dubious apps from untrusted sources and reaping the rewards.
        • Re:This just in! (Score:5, Insightful)

          by oldlurker (2502506) on Tuesday May 07, 2013 @03:49AM (#43651235)

          In fairness, there is malware on Android however I expect the risk for most people of catching it is pretty minimal. The Play market is proactively scanned and acts reactively to threats up to and including a remote kill capability. And in many cases those that do get infected have their own lack of sense to thank - installing pirated APKs, or dubious apps from untrusted sources and reaping the rewards.

          Apps are not the only way in though. Web and email coupled with vulnerability exploits are obvious vectors, Bluetooth and NFC exploits have been demonstrated. I'm using an Android phone myself, but I think we are doing ourselves the same disservice Mac users did (and ended up with the biggest malware epidemic in modern times in terms of percentage of user base affected with Flashback) if we discount the malware threat to be just AV vendor marketing and not a potential real threat. Especially since such a large portion of the Android user base is on old vulnerable versions long after Google has patched vulnerabilities and improved security.

        • by Hentes (2461350)

          But at least they only have access to what you allow them.

        • by cbhacking (979169)

          A lot of the world does not heavily use the Play market and prefers to use alternatives. Studies have estimated that around 40% of Android devices in Russia are infected, for example, mostly due to installing apps from third-party sources.

          • by DrXym (126579)
            I very much doubt 40% of Android devices in Russia are infected, although I can well believe the rates of infection are much higher in countries which have a culture of piracy over those that don't.
            • by tlhIngan (30335)

              I very much doubt 40% of Android devices in Russia are infected, although I can well believe the rates of infection are much higher in countries which have a culture of piracy over those that don't.

              Chinese Android phones as well, because the only way to get apps is third party stores, which often host said infected apps (most new discoveries of Android malware come from China). Of course, whether or not it's pirated or not is very hard to tell - the legit stores don't do a very good job themselves.

              And Play

            • by cbhacking (979169)

              I didn't find the article positing that number in my first 10 secodns of searching, but I did find this: http://www.esecurityplanet.com/mobile-security/lookout-predicts-18-million-android-malware-infections-by-end-of-2013.html [esecurityplanet.com] .

              The likelihood that new Lookout users will encounter malware or spyware is heavily dependent on their geography and behavior, varying from 0.20 percent in Japan to 0.40 percent in the US and as high as 34.7 percent in Russia

              Almost 35% will "encounter" malware in a given year. What pr

    • You just took the words right out of my mouth.

    • Why can't the major software vendors publish sha265sum signatures (hashes) of all their files?
      Why can't the major software vendors cooperate on a dns-like service where you look up the signature of a file you have on your disk in order to know if it is unaltered?
      Why can't we crowd-source a new service where people and everybody can submit the signatures of files they have and believe to be OK...
      - because the bad guy or his first victim would register the signature of the infected file?
      - Well, let's take som

  • by rebelwarlock (1319465) on Monday May 06, 2013 @11:15PM (#43650391)
    "Ma'am, is this your son?"

    "Well, my son was wearing a hat, so no."
    • by Anonymous Coward

      Slashdot readers cannot relate to this. Do you have a computer, caffeine and basement analogy?

      • by Canazza (1428553)

        Your computer has been stolen.

        The police call you into the station and show you your computer and ask: "Is this your computer?"

        You respond with: "No, it can't be, this isn't in my basement"

        You all laugh and have coffee and doughnuts.

    • by Trepidity (597)

      That's closer to how it works when trying to recognize people you don't know well, though. Police sketch-artists sometimes make a few different versions of a sketch, e.g. one with and one without a hat, one with short and one with long hair, etc., because it's not necessarily easy for people to recognize one as the other if it's a stranger.

  • by pongo000 (97357) on Tuesday May 07, 2013 @12:00AM (#43650577)

    ...that AV apps not tested (such as avast!) are immune from this problem, and the authors only chose to report on those AV programs that failed their tests?

  • The same can be said for most any AV software , especially ones on mobile platforms.
  • by Anonymous Coward

    Anti-virus software is a scam anyway, the OS should be secure enough not to let a program damage your device or corrupt stuff anyway. As anti-trojan detectton it's completely useless too. Any trojan than can make off with your data and sell it anyone and everyone is a bad thing, and yet not a single Facebook app is ever flagged as malware!

    • by inflex (123318)

      I don't know about mobile platforms, but certainly on the PC arena, judging by the features and tricks in recent AV-suite releases, vendors have to been running out of oxygen in their world. Lately I have been repairing more consumer machines due to AV suites going rogue than I have for actual viruses ( AFP/randsom-ware had a burst of popularity recently ).

      These days I just go with Microsoft Security Essentials and leave it at that. The clients still feel protected, they're not out of pocket, and at least

  • by knorthern knight (513660) on Tuesday May 07, 2013 @12:49AM (#43650739)

    Tell the guys writing the smartphone virus cleaning software that our world is in danger of obliteration by a large asteroid, and we're building a series of Ark ships to get everybody off the planet to safety. The smartphone virus cleaning software writers will depart on the "B" Ark, along with hairdressers and middle-managers.

    Then the rest of us will laugh our asses off.

  • by ensignyu (417022) on Tuesday May 07, 2013 @01:03AM (#43650777)

    This doesn't surprise me at all. The so-called virus scanners can't actually scan for viruses (i.e. examine the code of third-party apps) because that would break the copy protection. The paper mentions this at the beginning.

  • Modifications of the binaries creates a new variant of a virus, which may go undetected. I'm shocked! If you'd like an AV solution that performs a deep inspection on every binary, each time they are executed on your device, it's going to be a sloooooow ride.
    • by CastrTroy (595695)
      Besides. Android does a pretty good job of controlling what each and every app can access. There's a sandbox around each app. As long as you are careful which apps you install, and look closely at the permissions they require, you should be relatively safe from most malware. If you're at all unsure about an app, it's probably better just to not install it. Sure there are problems, but I think Android is one of the better platforms out there. Not too many others I'm aware of have such fine grained control
    • "Deep inspection" would only be needed the first time an executable is run. It's easy and quick to check a file hasn't changed since last time.

  • Landshark. Candygram.
  • I don't practice particularly careful practices with my phone AT ALL, installing and uninstalling things all the time, etc etc and at most, at the absolute most, I've seen one chunk of malware. The real problem is not malware it's the permissions you grant the legitimate stuff you put on. WHY, does such and such game or widget need my phone book, email address book, call log browser history and location db? That's the problem right there.

  • Does Bouncer detect the origional? I'd be (possibly more) curious to know if Bouncer could detect the variants too.

This file will self-destruct in five minutes.

Working...