Android app verification service misses 85% of sideloaded malware
Xuxian Jiang, an associate professor from NCSU's department of computer science, revealed that Android's new built-in application verification service is failing to stand up to its task, missing a large portion of malware that is already known to be malicious.
While Google's Bouncer service sits on the Google Play store and scans for malware, not all applications can find their way on to a device via official channels. Users can opt to "sideload" applications, bypassing any protection offered by Bouncer. To address this, Google introduced its application verification service in Android 4.2, which allows users to send information about the app to Google to determine if it is safe.
However, Jiang's research, which pitted the service against 1260 samples of known, malicious apps, found that only 193 of them were identified as being dangerous — a detection rate of only 15.32 percent.
The samples come from the Android Malware Genome Project, an initiative by Jiang and his colleague Yajin Zhou to collect and characterise Android malware for the benefit of researchers and the IT security industry. The project makes its datasets available to those that request them, presumably meaning that vendors that have the information should be able to detect all samples. So far, the majority of organisations that have requested the information come from universities and some security vendors, but there are some other noteworthy listings, such as Nokia, Samsung, AT&T, T-Mobile, GSM Association and Qualcomm.
Jiang also took a random samples of malware and ran them through VirusTotal to compare Google's service against the following antivirus engines:
Avast
AVG
TrendMicro
Symantec
BitDefender
ClamAV
F-Secure
Fortinet
Kaspersky
Kingsoft
Google and each of these companies had requested the Genome Project's datasets, with the exception of ClamAV, Fortinet, Kaspersky and Kingsoft. Jiang's research doesn't name which vendors received what score, except for Google, but seven companies had detection rates of above 90 percent (with two receiving complete detection rates). Of the remaining vendors, two companies scored 77.5 percent and the final one, 51.02 percent. Google's own result was 20.41 percent.
Jiang's research in November 2011 found that when looking at four vendors, detection rates ranged from 20.2 percent to 79.6 percent, indicating that the majority of vendors have significantly picked up their game.
While Jiang said that the application verification service is a step in the right direction, he also had further criticisms for Google beyond its poor detection rates.
"Our study indicates that the app verification service mainly uses an app's SHA1 value and the package name to determine whether it is dangerous or potentially dangerous. This mechanism is fragile and can be easily bypassed. It is already known that attackers can change with ease the checksums of existing malware (e.g., by repackaging or mutating it). To be more effective, additional information about the app may need to be collected."
He also believed that Google could be leveraging its own assets in a better manner. Aside from having the datasets that Jiang has made available to it, Google is also a hardware donor for the project and owns VirusTotal. Jiang raised the question of why Google hadn't taken advantage of the fact that it could, potentially, use VirusTotal to provide better scanning of malware instead of relying solely on its own verification service.
"From our measurement results, VirusTotal performs much better than [Google's] standalone service. For improved detection results, we expect such integration in the future will be helpful."
ZDNet invited Google to comment, but had not received a response at the time of writing.