While the Google solution is aimed at apps in the Android Market and uses traditional scanning and behavior analysis to locate malware, the Trend Micro solution is aimed at all apps (including third-party app stores, and ultimately all platforms) and uses Trend’s own cloud-based reputation system.
Mobile App Reputation system taps into Trend’s existing Smart Protection Network, a global network of sensors that continuously updates cloud-based reputation databases. The basic principle is that if any of these sensors detects malware, details are noted to the reputation databases and all other users immediately protected. This broad principle is now applied to the mobile app malware problem.
The problem is huge. Trend Micro recognized more than 1000 malicious Android apps in 2011; but with a growth rate of more than 60% per month, it expects the number to reach 120,000 by the end of 2012. “We currently track and monitor over 250,000 applications,” said Raimund Genes, Trend’s CTO, “and have the capacity to add another 5,000+ per day as new apps and app updates are released. Our intent is to be able to provide the largest and fastest source of critical information to secure and enhance the mobile ecosystem. Obviously other application platforms are important to this goal.”
The Trend system analyses the app’s behavior, and uses its reputation database to understand the nature of any servers with which it communicates. Since criminals have started to manipulate ‘reputations’ by allowing time for a good reputation to be established (a ploy frequently used in malvertising cons), Trend has built further safeguards into its system. “If the behavior of the application is benign, downloading non-malicious content from a server with no bad reputation and doing exactly as the app itself advertises in terms of functionality, then it will be very hard to pick up on a behavioral level,” Trend’s director of security research Rik Ferguson told Infosecurity.
However, he adds, the technology in the backend of App Reputation is able to distinguish between an app capable of downloading data updates and an app capable of downloading executable content. “Reputation,” he says “is not based solely on the origin of the file but also its functionality and resource use.” Android’s own sandbox mechanism reinforces this. “If an app tries any kind of exploit to bypass permissions, it would immediately be classified as bad,” added Ferguson.