Google’s mobile platform Android has been gaining popularity rapidly in the last few years. The policy of openness in its application marketplace is undoubtedly one of the keys to Android’s quick growth. The low entry barriers and the absence of a vetting process have attracted a great many developers, who have brought 450,000+ applications to the Android Market in 3 years. This success comes at a price though: Android is now the leading target of mobile malware, partly because of the less restrictive nature of both the platform and the marketplace. The official Android Market and the third-party marketplaces harbour benign applications as well as nefarious ones. On this week’s Three Paper Thursday, I’d like to introduce three papers that provide insights into Android malware in the wild.
“Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets”, Y Zhou et al., Network and Distributed System Security Symposium (NDSS) 2012.
People make a fuss whenever a new malicious application is found and pulled from the Android Market. But how contaminated are these markets really?
This paper performs a large-scale scan for infected apps in the Android ecosystem, covering 150,000 apps from the official Android Market as well as 50,000 from five third-party marketplaces. The authors employ heuristics-based static analysis to detect 10 known malware families, together with dynamic analysis of suspicious API invocations to reveal previously unknown (zero-day) malware. In total they find an infection rate of 0.02% in the official market and 0.2% – 0.47% in the alternative markets, and uncover two previously unknown malware families along the way. It is worth noting that, because the scanning is heuristic and can only miss malware rather than over-count it, the actual infection rate is likely to be higher; still, the Android ecosystem appears to be relatively healthy so far in terms of malware presence.
Since this study was done before Google announced its Bouncer service last month, it will be interesting to see a follow-up showing how these numbers change in future.
“DroidMOSS: Detecting Repackaged Smartphone Applications in Third-Party Android Marketplaces”, W Zhou et al., ACM Conference on Data and Application Security and Privacy (CODASPY) 2012.
Repackaging and redistributing applications is an emerging phenomenon in the Android ecosystem, and has become a major vector for malware infection as well as for application piracy. What do we know about repackaged applications in the wild?
In this paper the authors investigate the repackaging of legitimate applications from the official market for illegal redistribution in six third-party marketplaces. The detection idea is that a repackaged application will have a codebase very similar to the original’s but a different digital signature, since the repackager does not hold the original developer’s signing key and must sign the modified package with a key of its own. In the evaluation they find an alarming repackaging rate of 5% to 13% among the third-party marketplaces. What is worse, the real rate could be even higher, because their experiment only involves free applications from the official market, while popular paid applications are more likely to become targets of repackaging. Another interesting finding is that most repackaged applications are modified to redirect in-app advertisement revenues to the repackagers, rather than to directly piggyback a malicious payload.
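To make the detection idea concrete, here is an added example in the spirit of DroidMOSS; it is my own illustration, not code from the paper. It fuzzy-hashes an app’s opcode stream (operands dropped, so renamed classes and changed string constants do not matter) into a short fingerprint, compares fingerprints by edit distance, and flags a third-party app when it is highly similar to an official app yet signed by a different certificate. The Dalvik opcode sequences, app names and certificate fingerprints are all constructed for the example; a real pipeline would obtain the opcodes by disassembling the classes.dex of each APK and the signer from META-INF, which is not shown here.

```python
"""Repackaging detection sketch in the spirit of DroidMOSS (added example, not
the paper's code). All apps, opcode sequences and signer values are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 4    # opcodes in the rolling context window that decides piece boundaries
MODULUS = 4   # on average one piece boundary every MODULUS opcodes


@dataclass
class App:
    name: str
    signer: str          # fingerprint of the signing certificate (constructed)
    opcodes: List[str]   # Dalvik opcode mnemonics with operands stripped


def _symbol(piece: List[str]) -> str:
    """Map one piece of the opcode stream to a single fingerprint character."""
    return ALPHABET[hashlib.sha256(" ".join(piece).encode()).digest()[0] % len(ALPHABET)]


def fuzzy_fingerprint(opcodes: List[str], window: int = WINDOW, modulus: int = MODULUS) -> str:
    """Context-triggered piecewise hash (ssdeep-style). A piece ends wherever the hash
    of the last `window` opcodes hits the trigger value, so a block spliced into the
    stream only disturbs the pieces around it; all other pieces hash to the same symbol."""
    symbols, piece = [], []
    for i, op in enumerate(opcodes):
        piece.append(op)
        if i + 1 >= window:
            ctx = hashlib.sha256(" ".join(opcodes[i + 1 - window:i + 1]).encode()).digest()
            if ctx[0] % modulus == 0:
                symbols.append(_symbol(piece))
                piece = []
    if piece:
        symbols.append(_symbol(piece))
    return "".join(symbols)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two fingerprints (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(app_a: App, app_b: App) -> float:
    """Code similarity in percent, 100 meaning identical fingerprints."""
    fa, fb = fuzzy_fingerprint(app_a.opcodes), fuzzy_fingerprint(app_b.opcodes)
    return 100.0 * (1.0 - edit_distance(fa, fb) / max(len(fa), len(fb), 1))


def find_repackaged(official: List[App], third_party: List[App],
                    threshold: float = 70.0) -> List[Tuple[str, str, float]]:
    """Flag third-party apps that are near-identical in code to an official app but carry
    a different signing certificate. A same-signer match is treated as a developer's own
    re-upload or update, not as repackaging."""
    hits = []
    for tp in third_party:
        for of in official:
            sim = similarity(of, tp)
            if sim >= threshold and of.signer != tp.signer:
                hits.append((tp.name, of.name, round(sim, 1)))
    return hits


# Constructed method bodies of a small game; only opcode mnemonics, no operands.
GAME: Dict[str, List[str]] = {
    "onCreate": ["invoke-super", "const/4", "invoke-virtual", "move-result-object", "iput-object",
                 "const/16", "invoke-virtual", "return-void"],
    "loadLevel": ["iget-object", "const-string", "invoke-virtual", "move-result-object", "check-cast",
                  "new-array", "array-length", "if-eqz", "aget-object", "invoke-static", "move-result",
                  "add-int/lit8", "goto", "return-object"],
    "render": ["iget-object", "iget", "iget", "invoke-virtual", "const/4", "if-ge", "aget", "int-to-float",
               "invoke-virtual", "add-int/lit8", "goto", "return-void"],
    "saveScore": ["new-instance", "invoke-direct", "iget", "invoke-virtual", "move-result-object",
                  "const-string", "invoke-interface", "invoke-interface", "move-result", "return"],
    "onTouch": ["invoke-virtual", "move-result", "packed-switch", "invoke-virtual", "move-result",
                "float-to-int", "iput", "const/4", "return"],
}
GAME_FLOW = ["onCreate", "loadLevel", "render", "onTouch", "render", "loadLevel", "render", "onTouch",
             "render", "saveScore", "onTouch", "render", "loadLevel", "render", "saveScore"]
# Constructed ad-SDK glue a repackager splices in to point ad revenue at its own publisher id.
AD_HOOK = ["new-instance", "const-string", "invoke-direct", "iget-object", "invoke-virtual",
           "move-result-object", "check-cast", "invoke-virtual", "invoke-virtual", "return-void"]
# Constructed methods of an unrelated torch app sharing the same opcode vocabulary.
TORCH: Dict[str, List[str]] = {
    "onCreate": ["invoke-super", "const", "invoke-virtual", "const-string", "invoke-static",
                 "move-result-object", "check-cast", "iput-object", "return-void"],
    "toggle": ["iget-boolean", "if-nez", "iget-object", "const/4", "invoke-virtual", "const/4", "iput-boolean",
               "return-void", "iget-object", "invoke-virtual", "const/4", "iput-boolean", "return-void"],
    "onPause": ["invoke-super", "iget-object", "if-eqz", "invoke-virtual", "const/4", "iput-object", "return-void"],
}
TORCH_FLOW = ["onCreate", "toggle", "onPause", "toggle", "toggle", "onPause", "toggle", "onCreate",
              "toggle", "onPause", "toggle", "toggle"]


def build(flow: List[str], bodies: Dict[str, List[str]]) -> List[str]:
    """Concatenate method bodies in call order into one opcode stream."""
    return [op for m in flow for op in bodies[m]]


DEV_KEY, PIRATE_KEY = "sha1:4f2a...dev", "sha1:9c71...pirate"        # constructed fingerprints
PATCHED_SAVE = GAME["saveScore"][:5] + ["if-nez", "const/4", "return"] + GAME["saveScore"][5:]
ORIGINAL = App("com.example.game", DEV_KEY, build(GAME_FLOW, GAME))
UPDATE = App("com.example.game v2", DEV_KEY, build(GAME_FLOW, {**GAME, "saveScore": PATCHED_SAVE}))
REPACKAGED = App("com.example.game (mirror)", PIRATE_KEY,
                 build(GAME_FLOW[:1], GAME) + AD_HOOK + build(GAME_FLOW[1:], GAME))
UNRELATED = App("com.other.torch", PIRATE_KEY, build(TORCH_FLOW, TORCH))

if __name__ == "__main__":
    for tp in (UPDATE, REPACKAGED, UNRELATED):
        print(f"{tp.name:32s} similarity to original: {similarity(ORIGINAL, tp):5.1f}%")
    print("flagged as repackaged:", find_repackaged([ORIGINAL], [UPDATE, REPACKAGED, UNRELATED]))
```

Only the repackaged mirror should be flagged: the developer’s own update is just as similar but carries the same signer, and the torch app shares opcodes without sharing code. The same mechanism explains the paper’s blind spot mentioned above: a paid app whose original APK the analysts never obtained has no fingerprint to compare against, so its repackaged copies go uncounted.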
“A Survey of Mobile Malware in the Wild”, A Felt et al., ACM workshop on Security and Privacy in Smartphones and Mobile devices (SPSM) 2011.
What does mobile malware do now, and what will it do in future?
This is a general survey of the latest state of mobile malware on the Symbian, iOS and Android platforms. By classifying 46 pieces of malware, the authors find the leading incentives of current mobile malware to be exfiltration of user information and financial gain through premium-rate calls and SMS. Future incentives may include new ways of monetising through advertising fraud or exploiting mobile payment systems, as well as traditional bot behaviours such as email spamming and DDoS for hire. They also look at the rapid proliferation of smartphone root exploits, which facilitates sophisticated malware families, and promote the idea of unlocked bootloaders as a way to disincentivise the development of root exploits: if users can legitimately gain root on their own devices, there is less demand for the exploits that malware authors later repurpose.