Android malware's dirty secret: Repackaging of legit apps

Security researchers from North Carolina State University are warning that the majority of Android malware are repackaging other legitimate (popular) apps to get past the mobile platform's rudimentary security barriers.

After analyzing more than 1,200 Android malware families, the reserachers -- Yajin Zhou and Xuxian Jiang -- found that  86.0% repackaged legitimate apps to include malicious payloads and argued that the theats can be effectively mitigated by policing existing Android Markets for repackaging detection.

The pair, working within the Android Malware Genome Project, calleed for a a joint effort involving all parties in the Android ecosystem to spot and discourage repackaged apps.  "The challenges lie in the large volume of new apps created on a daily basis as well as the accuracy needed for repackaging detection," the group said in a paper [PDF] to be delivered at the upcoming IEEE Privacy and Security Symposium, 

"Our characterization of existing Android malware and an evolution-based study of representative ones clearly reveal a serious threat we are facing today. Unfortunately, existing popular mobile security software still lag behind and it becomes imperative to explore possible solutions to make a difference," Zhou and Jiang said.

The researchers also found that more than one-third (36.7%) of Android malware enclose platform-level exploits to escalate privileges.  "Unfortunately, the open Android platform has the well-known “fragmentation” problem, which leads to a long vulnerable time window of current mobile devices before a patch can be actually deployed," according to the paper.

Worse, researchers bemoaned the fact that current Android platform still lacks many desirable security features.  Anti-exploit mitigations like Address Space Layout Randomization (ASLR) was not added until very recently in Android 4.0 and other security features such as TrustZone and eXecute-Never need to be gradually rolled out to raise the bar for exploitation.

The analysis also revealed that  the dynamic loading ability of both native code and Dalvik code are being "actively abused" by existing Android malware families.  It also found that about 45% of existing malware subscribe to premium-rate services with background SMS messages to generate spoils for cyber-criminals.

The researches recommend that the coarse-grained Android permission model be expanded to include additional context information to better facilitate users to make sound and informed decisions.

The research project also pitted Android malware against four mobile security products and found the results to be poor.

"The detection results of existing mobile security software are rather disappointing, which does raise a challenging question on the best model for mobile malware detection. Specifically, the unique runtime environments with limited resources and battery could preclude the deployment of sophisticated detection techniques. Also, the traditional content-signature-based approaches have been demonstrated not promising at all," Zhou and Jiang added.