Editor’s Note: Welcome to our weekly Reality Check column. We’ve gathered a group of visionaries and veterans in the mobile industry to give their insights into the marketplace.
Android devices are clearly the target of mobile malware with a 400% increase in Android infections in the latter part of 2011. So why is the Android platform so vulnerable?
– It’s easy for a malicious app to get permission to do serious damage, such as stealing contacts and sending out SMS spam.
– App verification and distribution controls are lax, providing easy distribution channels for malware.
– It is incredibly easy to inject malware into existing Android apps and redistribute them.
Permissions security model is flawed
The Android platform uses permissions to control what an application can do. When an application is being installed, the user is shown a list of the permissions that the application has requested. They are then asked to choose whether or not to install the application. It is an all or nothing proposition. In almost all cases the user will simply press the install button, regardless of the list of permissions presented. For example, the “Internet” permission allows an application to access the Internet. Any application that is funded by advertising needs this permission to download ads, but this permission can also allow malware to be part of a botnet. Should the user allow the “Internet” permission? The answer in most cases is yes, but be careful as this permission is also requested by 99% of malware.
“READ_SMS” and “SEND_SMS” allow applications to read and send SMS messages. There are legitimate reasons that some applications may have for requesting these privileges, but they also allow malware to monitor all incoming SMS messages you receive and send SMS messages to any phone number. So should you allow an application that asks for these permissions? Probably not, unless you know why it wants to read all your SMS messages or send some from your device. As it turns out, 71% of the malware we looked at requested the “SEND_SMS” permission compared to less than 3% of legitimate apps.
The table above by Kindsight Security Labs compares the permissions requested by malware with permissions requested by regular applications. It clearly shows that malware asks for many more permissions that will likely be granted. Many of these, such as SMS permissions, are highly specific to malware.
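The figures above can be turned into a simple triage rule. The following is an added example, not code from Kindsight: it reads the permissions out of a manifest that has already been decoded to text XML and applies the 71% and 3% SEND_SMS rates quoted above as a Bayes update. The 1% prior and both sample manifests are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# (share of malware, share of legitimate apps) requesting the permission.
# Only SEND_SMS has both figures in the article; "less than 3%" makes 0.03
# an upper bound, so the resulting posterior is a lower bound.
RATES = {"android.permission.SEND_SMS": (0.71, 0.03)}
SMS_PERMISSIONS = {"android.permission.SEND_SMS", "android.permission.READ_SMS"}

def requested_permissions(manifest_xml):
    """Return the sorted permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)  # use a hardened parser for untrusted input
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return sorted({n for n in names if n})

def posterior_malware(perms, prior):
    """Update P(malware) using only permissions whose rates are known."""
    odds = prior / (1 - prior)
    for perm in perms:
        if perm in RATES:
            malware_rate, legit_rate = RATES[perm]
            odds *= malware_rate / legit_rate
    return odds / (1 + odds)

def triage(manifest_xml, prior=0.01):  # prior is an assumed base rate
    perms = requested_permissions(manifest_xml)
    return {
        "permissions": perms,
        "sms": sorted(SMS_PERMISSIONS & set(perms)),
        "posterior": posterior_malware(perms, prior),
    }

# Constructed sample manifests (not taken from real apps).
SMS_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""
AD_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("sms app", SMS_APP), ("ad-funded app", AD_APP)):
        print(name, triage(manifest))
```

INTERNET does not move the estimate because the article gives no rate for legitimate apps; a permission that nearly every app requests carries almost no signal on its own.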
On other mobile platforms, such as the iPhone and BlackBerry, applications are not allowed any special permissions, but must operate within a very restrictive environment. Although not as flexible as the Android environment, they are certainly more secure because of this restriction.
Lax control of application markets
Unlike the iPhone App Store and BlackBerry App World, the Android Market makes little effort to control the quality or ownership of applications that are submitted for distribution. Android apps can also bypass the Android Market completely and be distributed from any Web server on the Internet, which has led to the creation of a large number of “alternative” markets, often hosting pirated applications and malware. These lax controls provide excellent distribution channels for malware.
By comparison, to publish an iPhone app, a developer must sign it with the digital certificate assigned by Apple when they registered as a developer. They must then submit the app to Apple for certification before it is posted on the App Store. Finally, iPhone apps can only be installed from Apple’s App Store.
Android apps must also be signed by the developer, but the signing certificate is not provided by Google and it is not checked by the system in any way. The developer gets to make up their own certificate and they can include any information they want, including a bogus company name and location information.
Apps submitted to the Android Market are not checked for quality or ownership but are simply posted to the site. Anyone who pays the $25 registration fee can do this. In February 2012, Google announced Bouncer, which automatically scans the Android Market for malicious software. This apparently reduced the number of malicious downloads from their site by 40%, which is an improvement, but it’s certainly not a complete solution, particularly when you consider that much of the malware is distributed through third party sites.
Trivial to inject malware into apps
Even with these weaknesses, Android malware must still compete with legitimate apps for attention. It greatly assists malware distribution if the malware comes bundled inside a popular app that people want to download. Android development tools make this almost trivial to accomplish.
The first step is to get a copy of the “APK” file containing the app that you want to exploit. The “APK” file is a single file that contains all the components of the app. If you use the Android Market, these files are not directly accessible, but many of the “alternative” markets allow you to download these directly to a development computer. If you can’t find the APK file, you can install the app to a jail-broken phone and extract the file from the phone in a matter of minutes. Once you have the file, you just need to unpack it using a development tool called “apktool” which breaks the app into its components. We added the malware code as a new component and then rebuilt the file using the same tool. The final step is to sign the new app. We did this using a certificate that we made up to look like it was from a legitimate app company. The total elapsed time to do all of this was about 15 minutes. We now had a “new” version of the app with our malware embedded in it, ready for distribution on one of the “alternative” markets.
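From the defender’s side, a repackaged app leaves two traces when compared with a reference copy of the same version from the original publisher: new or changed components, and different signature files under META-INF. The following is an added example, not code from Kindsight; the in-memory archives are constructed stand-ins for real APK files and all file contents are placeholders.

```python
import hashlib
import io
import zipfile

SIG_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")

def entry_hashes(apk_bytes):
    """Map each file inside the APK (a ZIP archive) to its SHA-256 digest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}

def is_signature_file(name):
    return name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES)

def compare_apks(reference, suspect):
    """Diff a suspect APK against a reference copy of the same version."""
    ref, sus = entry_hashes(reference), entry_hashes(suspect)
    added = sorted(sus.keys() - ref.keys())
    removed = sorted(ref.keys() - sus.keys())
    changed = sorted(n for n in ref.keys() & sus.keys() if ref[n] != sus[n])
    touched = added + removed + changed
    return {
        "added": added,
        "removed": removed,
        "changed": changed,
        "signature_changed": any(is_signature_file(n) for n in touched),
    }

def build_apk(files):
    """Build a constructed stand-in APK in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed samples: placeholder contents, not real app data.
ORIGINAL = build_apk({
    "AndroidManifest.xml": b"manifest", "classes.dex": b"dex-original",
    "res/layout/main.xml": b"layout", "META-INF/MANIFEST.MF": b"mf-original",
    "META-INF/CERT.SF": b"sf-original", "META-INF/CERT.RSA": b"sig-publisher",
})
REPACKAGED = build_apk({
    "AndroidManifest.xml": b"manifest+extra", "classes.dex": b"dex-rebuilt",
    "res/layout/main.xml": b"layout", "assets/extra.bin": b"added-component",
    "META-INF/MANIFEST.MF": b"mf-rebuilt", "META-INF/CERT.SF": b"sf-rebuilt",
    "META-INF/CERT.RSA": b"sig-made-up",
})

if __name__ == "__main__":
    print(compare_apks(ORIGINAL, REPACKAGED))
```

A legitimate update also changes the signature files, so this comparison only means something between copies of the same version; across versions, compare the signing certificate itself, for example with `apksigner verify --print-certs`.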
Conclusion
The popularity of smartphones has made them the next major target for cyber-criminals. As they have done with personal computers, cyber-criminals will find ways to make money through variations on identity theft, banking and credit fraud, extortion, spam and aggressive spyware. And as with personal computers, they will focus on the most popular and most vulnerable platform. With personal computers, that was the Windows platform. With smartphones it will be Android.
Kevin McNamee is security architect and director of Kindsight Security Labs. With over 30 years of security and networking experience, Kevin was director of security research at Bell Labs and also held security development and design roles at TimeStep, Milkyway Networks, Newbridge Networks and Alcatel-Lucent.