Android malware's dirty secret: Repackaging of legit apps

Summary: Security researchers at North Carolina State University believe Google should invest in repackaging detection to get a handle on malware targeting the Android platform.


Security researchers from North Carolina State University are warning that the majority of Android malware samples are repackaged versions of legitimate (popular) apps, a technique that slips past the mobile platform's rudimentary security barriers.

After analyzing more than 1,200 Android malware families, the researchers -- Yajin Zhou and Xuxian Jiang -- found that 86.0% repackaged legitimate apps to include malicious payloads, and argued that the threats can be effectively mitigated by policing existing Android Markets with repackaging detection.

The pair, working within the Android Malware Genome Project, called for a joint effort involving all parties in the Android ecosystem to spot and discourage repackaged apps. "The challenges lie in the large volume of new apps created on a daily basis as well as the accuracy needed for repackaging detection," the group said in a paper [PDF] to be delivered at the upcoming IEEE Privacy and Security Symposium.

"Our characterization of existing Android malware and an evolution-based study of representative ones clearly reveal a serious threat we are facing today. Unfortunately, existing popular mobile security software still lag behind and it becomes imperative to explore possible solutions to make a difference," Zhou and Jiang said.


The researchers also found that more than one-third (36.7%) of Android malware samples enclose platform-level exploits to escalate privileges. "Unfortunately, the open Android platform has the well-known “fragmentation” problem, which leads to a long vulnerable time window of current mobile devices before a patch can be actually deployed," according to the paper.

Worse, the researchers noted that the current Android platform still lacks many desirable security features. An anti-exploit mitigation such as Address Space Layout Randomization (ASLR) was not added until very recently, in Android 4.0, and other security features such as TrustZone and eXecute-Never still need to be gradually rolled out to raise the bar for exploitation.

The analysis also revealed that the dynamic loading ability of both native code and Dalvik code is being "actively abused" by existing Android malware families. It also found that about 45% of existing malware subscribes to premium-rate services with background SMS messages to generate profits for cyber-criminals.

The researchers recommend that the coarse-grained Android permission model be expanded to include additional context information, so that users can make sound and informed decisions.
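To make the repackaging problem concrete, here is an added example (not code from the article or from the Android Malware Genome Project) of the kind of check a market operator could run: it compares a candidate app against the known original by fingerprinting each method's opcode sequence, then looks at what the candidate adds on top of the shared code. The indicators it looks for are the two behaviours the article names, newly requested SMS permissions plus use of the SMS API, and dynamic code loading (DexClassLoader, System.loadLibrary). The apps below are constructed toy data: instruction lists in a smali-like notation, not real disassembly, and the thresholds and verdict labels are my own assumptions, not a method from the paper.

```python
"""Toy repackaging check: code similarity plus added-capability indicators.

An "app" here is a dict with its declared permissions and a mapping
method-name -> list of instructions (constructed, smali-like strings).
Assumption: a real pipeline would produce these from the APK's dex file.
"""
import hashlib

# Permissions the article links to premium-rate SMS abuse (real Android names).
RISKY_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}
# Real Dalvik/Android API descriptors that indicate dynamic loading or SMS sending.
DYNAMIC_LOAD_MARKERS = ("Ldalvik/system/DexClassLoader;", "Ljava/lang/System;->loadLibrary")
SMS_API_MARKERS = ("Landroid/telephony/SmsManager;->sendTextMessage",)


def method_fingerprint(instructions):
    """Hash the opcode mnemonics only, so renamed classes/registers still match."""
    mnemonics = " ".join(ins.split()[0] for ins in instructions)
    return hashlib.sha256(mnemonics.encode()).hexdigest()[:16]


def fingerprint_app(app):
    return {name: method_fingerprint(ins) for name, ins in app["methods"].items()}


def code_similarity(original, candidate):
    """Jaccard similarity over the sets of method fingerprints."""
    a = set(fingerprint_app(original).values())
    b = set(fingerprint_app(candidate).values())
    return len(a & b) / len(a | b) if (a or b) else 0.0


def assess_repackaging(original, candidate, threshold=0.5):
    """Return a review record; 'threshold' is an assumed similarity cut-off."""
    sim = code_similarity(original, candidate)
    orig_fps = fingerprint_app(original)
    # Methods that are new in the candidate or whose code differs from the original.
    changed = {n for n, ins in candidate["methods"].items()
               if orig_fps.get(n) != method_fingerprint(ins)}
    changed_code = [ins for n in changed for ins in candidate["methods"][n]]
    added_perms = set(candidate["permissions"]) - set(original["permissions"])
    record = {
        "similarity": sim,
        "changed_methods": changed,
        "added_permissions": added_perms,
        "risky_permissions": added_perms & RISKY_PERMISSIONS,
        "dynamic_loading": any(m in ins for ins in changed_code for m in DYNAMIC_LOAD_MARKERS),
        "sms_api": any(m in ins for ins in changed_code for m in SMS_API_MARKERS),
    }
    if sim < threshold:
        record["verdict"] = "unrelated"
    elif record["risky_permissions"] or record["dynamic_loading"] or record["sms_api"]:
        record["verdict"] = "suspected repackaging"
    else:
        record["verdict"] = "benign variant"
    return record


# Constructed sample: a small game app as published by its developer.
ORIGINAL = {
    "permissions": {"android.permission.INTERNET"},
    "methods": {
        "Lcom/example/game/Main;->onCreate": [
            "invoke-super Landroid/app/Activity;->onCreate", "const v0, 0x7f030000",
            "invoke-virtual Lcom/example/game/Main;->setContentView", "return-void"],
        "Lcom/example/game/Engine;->tick": [
            "iget v0, p0, Lcom/example/game/Engine;->frame:I", "add-int/lit8 v0, v0, 0x1",
            "iput v0, p0, Lcom/example/game/Engine;->frame:I", "return-void"],
        "Lcom/example/game/Engine;->render": [
            "invoke-virtual Landroid/view/SurfaceHolder;->lockCanvas", "move-result-object v0",
            "invoke-virtual Landroid/graphics/Canvas;->drawColor",
            "invoke-virtual Landroid/view/SurfaceHolder;->unlockCanvasAndPost", "return-void"],
        "Lcom/example/game/Net;->fetchScores": [
            "new-instance v0, Ljava/net/URL;", "invoke-direct Ljava/net/URL;-><init>",
            "invoke-virtual Ljava/net/URL;->openConnection", "move-result-object v0",
            "return-object v0"],
    },
}

# Constructed sample: same game with an added service that loads code and sends SMS.
REPACKAGED = {
    "permissions": ORIGINAL["permissions"] | {"android.permission.SEND_SMS"},
    "methods": dict(ORIGINAL["methods"], **{
        "Lcom/update/Svc;->run": [
            "new-instance v0, Ldalvik/system/DexClassLoader;",
            "invoke-direct Ldalvik/system/DexClassLoader;-><init>",
            "invoke-static Landroid/telephony/SmsManager;->getDefault", "move-result-object v1",
            "invoke-virtual Landroid/telephony/SmsManager;->sendTextMessage", "return-void"]}),
}

# Constructed sample: a legitimate update that only changes the render loop.
UPDATE = {
    "permissions": set(ORIGINAL["permissions"]),
    "methods": dict(ORIGINAL["methods"], **{
        "Lcom/example/game/Engine;->render":
            ORIGINAL["methods"]["Lcom/example/game/Engine;->render"][:3]
            + ["invoke-virtual Landroid/graphics/Canvas;->drawBitmap"]
            + ORIGINAL["methods"]["Lcom/example/game/Engine;->render"][3:]}),
}

if __name__ == "__main__":
    for label, cand in (("repackaged", REPACKAGED), ("update", UPDATE)):
        print(label, assess_repackaging(ORIGINAL, cand))
```

The point of the two candidates is the contrast: the repackaged build shares 80% of its method fingerprints with the original and adds SEND_SMS, a DexClassLoader reference and a sendTextMessage call, so it is queued for review; the legitimate update shares only 60% (one method changed) but adds no capability, so it passes. Opcode-only fingerprints are deliberately coarse, which is why similarity alone is not the verdict and the added permissions and API markers carry the decision.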

The research project also pitted the Android malware samples against four mobile security products and found their detection results to be poor.

"The detection results of existing mobile security software are rather disappointing, which does raise a challenging question on the best model for mobile malware detection. Specifically, the unique runtime environments with limited resources and battery could preclude the deployment of sophisticated detection techniques. Also, the traditional content-signature-based approaches have been demonstrated not promising at all," Zhou and Jiang added.


About the author

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
