Android malware's dirty secret: Repackaging of legit apps


Summary: Security researchers at North Carolina State University believe Google should invest in repackaging detection to get a handle on malware targeting the Android platform.



Security researchers from North Carolina State University warn that the majority of Android malware is built by repackaging legitimate, popular apps with a malicious payload, a tactic that gets past the mobile platform's rudimentary security barriers because the result still looks and behaves like the app users wanted.

After analyzing more than 1,200 Android malware samples spanning 49 families, the researchers -- Yajin Zhou and Xuxian Jiang -- found that 86.0% were repackaged legitimate apps carrying a malicious payload, and argued that the threat can be effectively mitigated by policing existing Android markets with repackaging detection.

The pair, working within the Android Malware Genome Project, called for a joint effort involving all parties in the Android ecosystem to spot and discourage repackaged apps. "The challenges lie in the large volume of new apps created on a daily basis as well as the accuracy needed for repackaging detection," the group said in a paper [PDF] to be delivered at the upcoming IEEE Symposium on Security and Privacy.
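To make the detection problem concrete, here is an added example (not code from Zhou and Jiang's paper or any market's own tooling) of the simplest form of repackaging check: comparing a suspect APK against the developer's own build. Two signals are combined. First, content overlap: a repackaged app keeps most of the original entries byte-for-byte and adds or modifies a few (a patched classes.dex, a native library). Second, signer mismatch: an APK is a zip file whose JAR-style signature block lives under META-INF, the block embeds the signer's certificate, and a repackager who lacks the developer's private key has to re-sign with a different one. The APK contents, the 0.7 similarity threshold and the use of a digest over the whole signature block (rather than parsing the PKCS#7 structure and comparing certificate fingerprints) are all assumptions of this example. Doing this at market scale, against every other app rather than one known-good reference, is exactly the volume and accuracy problem the paper describes.

```python
"""Repackaging check: compare a suspect APK against the developer's own build.

Added example (not from the paper). Signals: content overlap between the two
packages, and whether both were signed by the same key (v1 / JAR signing,
where the signature block is stored under META-INF).
"""
import hashlib
import io
import zipfile


def build_apk(entries):
    """Construct a minimal APK-like zip in memory (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_digests(apk_bytes):
    """Map every non-signature entry to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info.filename)).hexdigest()
            for info in zf.infolist()
            if not info.filename.startswith("META-INF/")
        }


def signer_fingerprint(apk_bytes):
    """SHA-256 over the v1 signature block(s) in META-INF (CERT.RSA and friends).

    The block embeds the signer's certificate, so a different developer key
    gives a different digest. Hashing the whole block is an assumption of this
    example; production code would parse the PKCS#7 data and compare the
    certificate fingerprint.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        blocks = sorted(
            n for n in zf.namelist()
            if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
        )
        if not blocks:
            return None  # unsigned: Android refuses to install such a package
        h = hashlib.sha256()
        for name in blocks:
            h.update(zf.read(name))
        return h.hexdigest()


def compare(reference, suspect):
    """Return content overlap, changed/added/removed entries and signer match."""
    ref, sus = entry_digests(reference), entry_digests(suspect)
    identical = sum(1 for name, d in ref.items() if sus.get(name) == d)
    union = len(set(ref) | set(sus))
    ref_sig, sus_sig = signer_fingerprint(reference), signer_fingerprint(suspect)
    return {
        "similarity": identical / union if union else 0.0,
        "modified": sorted(n for n in ref if n in sus and sus[n] != ref[n]),
        "added": sorted(set(sus) - set(ref)),
        "removed": sorted(set(ref) - set(sus)),
        "same_signer": ref_sig is not None and ref_sig == sus_sig,
    }


def is_repackaged(result, threshold=0.7):
    """Mostly the same bytes, but signed by somebody else: the repackaging pattern."""
    return result["similarity"] >= threshold and not result["same_signer"]


# Constructed sample data: the developer's build and a clone with an added payload.
_ORIGINAL = {
    "AndroidManifest.xml": b"<manifest package='com.example.game'/>",
    "classes.dex": b"dex\n035\x00original game code",
    "resources.arsc": b"resource table",
    "res/layout/main.xml": b"<LinearLayout/>",
    "res/drawable/icon.png": b"\x89PNG fake icon",
    "assets/levels.json": b'{"levels": 3}',
    "META-INF/CERT.RSA": b"PKCS7 block signed with the developer key",
}
REFERENCE_APK = build_apk(_ORIGINAL)

_CLONE = dict(_ORIGINAL)
_CLONE["classes.dex"] = b"dex\n035\x00original game code + premium SMS payload"
_CLONE["lib/armeabi/libpayload.so"] = b"\x7fELF fake root exploit"
_CLONE["META-INF/CERT.RSA"] = b"PKCS7 block signed with the repackager's key"
SUSPECT_APK = build_apk(_CLONE)

if __name__ == "__main__":
    result = compare(REFERENCE_APK, SUSPECT_APK)
    print(result, "-> repackaged:", is_repackaged(result))
```

On the constructed clone five of the seven distinct entries are unchanged (similarity 5/7), classes.dex is modified, a native library is added and the signer differs, so the clone is flagged; comparing the reference with itself is not. Two caveats: a clone that only replaces the signer and leaves the code intact is still a repackage (the similarity check is there to confirm it is a clone of this app, not to prove maliciousness), and since Android 7.0 the APK Signature Scheme v2 stores signatures in a separate APK Signing Block rather than under META-INF, so a signer check for modern packages must read that block instead.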

"Our characterization of existing Android malware and an evolution-based study of representative ones clearly reveal a serious threat we are facing today. Unfortunately, existing popular mobile security software still lag behind and it becomes imperative to explore possible solutions to make a difference," Zhou and Jiang said.


The researchers also found that more than one-third (36.7%) of the Android malware samples embed platform-level exploits to escalate privileges. "Unfortunately, the open Android platform has the well-known "fragmentation" problem, which leads to a long vulnerable time window of current mobile devices before a patch can be actually deployed," according to the paper.

Worse, the researchers noted that the current Android platform still lacks many desirable security features. Anti-exploit mitigations such as Address Space Layout Randomization (ASLR) were not added until very recently, in Android 4.0, and other features such as TrustZone and eXecute-Never (XN) still need to be rolled out to raise the bar for exploitation.

The analysis also revealed that the ability to dynamically load both native code and Dalvik code is being "actively abused" by existing Android malware families. It also found that about 45% of existing malware subscribe to premium-rate services by sending SMS messages in the background, generating revenue for cyber-criminals.
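The two behaviours in that paragraph, premium-rate SMS and runtime code loading, leave traces in a package that a static triage pass can pick up. The following is an added example, not code from the paper or from any product it evaluated. It takes a decoded AndroidManifest.xml (plain text, as a tool like apktool produces it; inside an APK the manifest is binary XML) and the raw classes.dex bytes, pulls printable strings from the dex the way `strings` would (a real tool would walk the dex string table), and looks for the SmsManager.sendTextMessage reference, a hardcoded short code, a high-priority receiver for SMS_RECEIVED (used to see and swallow the carrier's confirmation messages), and DexClassLoader / System.loadLibrary. The indicator names, the 4-6 digit short-code pattern, the priority threshold and the sample package contents are assumptions of the example.

```python
"""Static triage for premium-rate SMS abuse and dynamic code loading.

Added example (not from the paper). Inputs: decoded manifest XML text and raw
classes.dex bytes. Output: the indicators found and the verdicts they support.
"""
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Strings that land in a dex string table when the API is referenced.
# Every needle of an indicator must be present for it to fire.
DEX_INDICATORS = {
    "sms_send_api": (b"Landroid/telephony/SmsManager;", b"sendTextMessage"),
    "dalvik_dynamic_load": (b"Ldalvik/system/DexClassLoader;", b"loadClass"),
    "native_dynamic_load": (b"Ljava/lang/System;", b"loadLibrary"),
}
SHORT_CODE = re.compile(rb"^\d{4,6}$")  # assumed length range for premium short codes
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
HIGH_PRIORITY = 1000  # assumption: above this the receiver beats the stock SMS app


def dex_strings(dex):
    """Printable runs of 4+ bytes, like `strings`; real tooling walks string_ids."""
    return set(re.findall(rb"[\x20-\x7e]{4,}", dex))


def scan_dex(dex):
    strings = dex_strings(dex)
    findings = {name for name, needles in DEX_INDICATORS.items()
                if all(n in strings for n in needles)}
    if any(SHORT_CODE.match(s) for s in strings):
        findings.add("hardcoded_short_code")
    return findings


def scan_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = set()
    if "android.permission.SEND_SMS" in perms:
        findings.add("perm_send_sms")
    if "android.permission.RECEIVE_SMS" in perms:
        findings.add("perm_receive_sms")
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
        if SMS_RECEIVED in actions:
            priority = int(flt.get(ANDROID + "priority", "0"))
            findings.add("sms_receiver_high_priority" if priority >= HIGH_PRIORITY
                         else "sms_receiver")
    return findings


def triage(manifest_xml, dex):
    """Combine manifest and dex indicators into human-readable verdicts."""
    f = scan_manifest(manifest_xml) | scan_dex(dex)
    verdicts = []
    if {"perm_send_sms", "sms_send_api", "hardcoded_short_code"} <= f:
        verdicts.append("sends SMS to a hardcoded short code (premium-rate pattern)")
    if {"perm_receive_sms", "sms_receiver_high_priority"} <= f:
        verdicts.append("intercepts incoming SMS at high priority (can hide confirmations)")
    if f & {"dalvik_dynamic_load", "native_dynamic_load"}:
        verdicts.append("loads code at runtime (payload may be absent from static view)")
    return sorted(f), verdicts


# Constructed samples: a suspicious package and a benign one.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.repack">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_DEX = b"\x00".join([
    b"dex\n035", b"Landroid/telephony/SmsManager;", b"sendTextMessage", b"55555",
    b"Ldalvik/system/DexClassLoader;", b"loadClass",
    b"Ljava/lang/System;", b"loadLibrary", b"payload",
])
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""
BENIGN_DEX = b"\x00".join([b"dex\n035", b"Landroid/widget/TextView;", b"setText"])

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_DEX))
    print(triage(BENIGN_MANIFEST, BENIGN_DEX))
```

The SMS-related verdicts require both the manifest permission and the code reference, which cuts down on apps that merely declare a permission they never use. The dynamic-loading verdict is deliberately only a flag: plenty of legitimate apps use DexClassLoader or ship native libraries, and the paper's point is that the loaded payload is invisible to a static pass like this one, so it is a prompt for dynamic analysis rather than a detection on its own.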

The researchers recommend that the coarse-grained Android permission model be extended with additional context information to help users make sound, informed decisions.

The project also tested four mobile security products against its malware collection and found the results to be poor.

"The detection results of existing mobile security software are rather disappointing, which does raise a challenging question on the best model for mobile malware detection. Specifically, the unique runtime environments with limited resources and battery could preclude the deployment of sophisticated detection techniques. Also, the traditional content-signature-based approaches have been demonstrated not promising at all," Zhou and Jiang added.



  • Yawn

    And still most agree that less than a fraction of a percent comes from Google Play!

    The Moral of the story is to stick to the default store and don't use unknown sources. The same issue has been known to occur with iOS as well.
  • Detecting repackaging?

    "Security researchers at North Carolina State University believe Google should invest in repackaging detection to get a handle on malware targeting the Android platform."

    Detecting repackaging?

    That's a hard problem. A really, REALLY hard problem. Something AV vendors have been struggling with for years. Malware writers already know how to fool such systems.

    Hate to say it, but the only real solution is to wall up the garden. Make it harder to get approved. As much as there's plenty of reasons to hate the "walled garden" approach, it's effective.

    Not perfect. Some stuff may get through. But IMO it is effective - there's a lot less malware for iOS than for Android.
    • Not that hard to address

      A simple release of the checksum of each file would do the trick without spending any extra money.
      • Do it like they do it in Linux-desktop distros...

        ...and the result is - no malware, no worms, no trojans, no viruses...99,9999999% security.
        • Not only Linux

          A lot of projects (open and closed source) publish the checksum for the files they provide for download. I have seen plenty of checksums for Windows and Mac downloads.

          It is a simple hash number .... a number that can be easily auto-generated in the build process and distributed to security companies with little to no real cost to them.
      • Umm, you just repackage before they take the checksum.

        Umm, you just repackage before they take the checksum. Easily circumvented.
        • Apparently you don't have a single clue of what a checksum is

          Otherwise you would not say that it can be "easily" circumvented before it is taken out.

          Explain how the hell you can "repackage" before a binary image is built? Because a checksum value can be automatically CALCULATED a microsecond (or less) after the image is compiled by the developer.
          • A checksum just tells you the end result is intact.

            "Explain how the hell you can 'repackage' before a binary image is built?"

            Why the hell can you NOT repackage before a binary image is built? Before you build the final image, you can do whatever the hell you want with it!

            A checksum just tells you that whatever you had when the checksum was built is intact. It doesn't say you didn't do anything BEFORE you took the checksum.

            "Because a checksum value can be automatically CALCULATED a microsecond (or less) after the image is compiled by the developer."

            Or it can be delayed as long as the developer likes. The developer just uses his/her own modified compiler.
  • Check The Public Key

    All Android apps have to be signed with a developer key. It would be easy enough for developers to offer up their public keys somewhere, and packages with their name can be checked that they really are signed with this key, and not some other one.
    • Google gives away keys like candy

      And stolen keys are sold in the black market on a daily basis.
      • Google Cannot Give Away My Private Key ...

        ... because Google does not have it. Nor that of any other Android developer.
  • Coming public lawsuits because of Android apps?

    The question has to be, when will the huge and growing malware, botnet, trojan problems Android is having in its apps lead to customers firing back at sellers of Androids for not warning them about these problems with lawsuits? This is like selling bad tires on Ford SUVs, customer in the dark. A security company claims an Android malware pandemic is coming by year end.
  • TRUTH:

    Only MS has good software!
    • Then explain ....

      IE 1-8
      • Please don't feed trolls

        Ram U
  • Android security

    Android security weakness is one reason that I will never buy an Android device; the fact that any app can steal information or do things without user permission is utterly creepy...