Google's built-in Android app scanner fails 85% of the time

With the latest Android 4.2 (Jelly Bean) release, launched in November, Google built an "application verification service" into the platform to protect against harmful Android applications. Unfortunately, a security researcher has found that the function is “still nascent and there exists room for improvement.”

Using Jelly Bean-based Nexus 10 tablets, Xuxian Jiang, a professor of computer science at North Carolina University, subjected the new function to a battery of malware, 1,260 samples in all. He found that the app scanner has a low 15% rate of detection for the 49 most popular malware families, meaning that it fails to see threats in a staggering 85% of cases. It also demonstrated a paltry detection ability when compared to third-party antivirus apps from companies like Avast, Symantec, Google-owned VirusTotal and Kaspersky Lab: after being exposed to a random code sample from each of the malware families, the AV software notched a 51% to 100% rate of detection, compared with just 20% for Google’s homegrown fix.

The new service is implemented inside the official Google Play app, but is designed to work with apps from all app stores, including ones. A user can turn the service on or off via the Settings tab, but “we note that this app verification service is…turned on by default,” Jiang wrote. “The first time an app is side-loaded, a popup window will ask whether to ‘Allow Google to check all apps installed to this device for harmful behavior?’”

The service collects and sends information about the app being installed (e.g., the app name, size, SHA1 value, version and the URL associated with it) as well as the device ID and IP address back to the Google cloud for evaluation. If the app is not safe, the user is then shown a warning popup flagging the app as either dangerous or potentially dangerous. Dangerous apps are blocked from being installed, while potentially dangerous ones instead alert users and provide an option to either continue or abort the installation.

Jiang found that the weakness of the security measure stems from the fact that the app verification service mainly uses an app's SHA1 value and the package name to determine whether it is dangerous or potentially dangerous.

“This mechanism is fragile and can be easily bypassed,” he said. “It is already known that attackers can change with ease the checksums of existing malware (e.g., by repackaging or mutating it). To be more effective, additional information about the app may need to be collected. However, how to determine the extra information for collection is still largely unknown, especially given user privacy concerns.”
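As an added illustration, not code from the article or from Jiang's study, the Python below models the verdict flow described above: a server-side blocklist keyed on whole-file SHA1 plus package name that returns "dangerous" (install blocked) or "potentially dangerous" (user warned). It then shows why that key is fragile, by repackaging a constructed APK-like zip with identical code but a different timestamp, and one possible "additional information" signal, a hash of the inner classes.dex entry, which is my assumption rather than anything the real service does.

```python
import hashlib
import io
import zipfile
# Verdicts per the article: dangerous is blocked; potentially dangerous warns (continue/abort).
DANGEROUS, POTENTIAL, OK = "dangerous", "potentially dangerous", "ok"

def build_apk(dex: bytes, package: str, mtime: tuple) -> bytes:
    """Constructed APK-like zip (manifest stub + classes.dex); not a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in (("AndroidManifest.xml", package.encode()), ("classes.dex", dex)):
            info = zipfile.ZipInfo(name, date_time=mtime)  # timestamp is stored in the zip headers
            info.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(info, data)
    return buf.getvalue()

def file_sha1(apk: bytes) -> str:
    """Whole-file SHA1, the value the article says the service sends and keys on."""
    return hashlib.sha1(apk).hexdigest()

def dex_sha1(apk: bytes) -> str:
    """Assumed extra signal (my construction): hash the code entry, not the container."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return hashlib.sha1(z.read("classes.dex")).hexdigest()

def verify_by_file_hash(apk: bytes, package: str, blocklist: dict) -> str:
    """Server-side lookup keyed on (SHA1, package name), as the article describes."""
    return blocklist.get((file_sha1(apk), package), OK)

def verify_with_dex_hash(apk: bytes, package: str, blocklist: dict, dex_blocklist: set) -> str:
    """Same lookup, then fall back to the code hash; known code in a new container only warns."""
    verdict = verify_by_file_hash(apk, package, blocklist)
    if verdict == OK and dex_sha1(apk) in dex_blocklist:
        verdict = POTENTIAL
    return verdict

def demo() -> dict:
    """Constructed sample: the same code repackaged with a new timestamp evades the file-hash key."""
    pkg = "com.example.constructed"
    dex = b"dex\n035\x00constructed-stub-not-real-bytecode"
    original = build_apk(dex, pkg, (2012, 11, 1, 0, 0, 0))
    repackaged = build_apk(dex, pkg, (2012, 12, 1, 0, 0, 0))  # identical entries, new mtime
    blocklist = {(file_sha1(original), pkg): DANGEROUS}   # what the server "knows"
    dex_blocklist = {dex_sha1(original)}
    return {
        "original": verify_by_file_hash(original, pkg, blocklist),
        "repackaged_by_file_hash": verify_by_file_hash(repackaged, pkg, blocklist),
        "repackaged_by_dex_hash": verify_with_dex_hash(repackaged, pkg, blocklist, dex_blocklist),
    }
```

Running `demo()` returns "dangerous" for the original, "ok" for the repackaged copy under the file-hash key, and "potentially dangerous" once the inner code hash is consulted.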

In addition, the new app verification service largely relies on the server component in the Google cloud to determine whether an app is malicious or not. “Unfortunately, it is not realistic to assume that the server side has all existing malware samples,” Jiang said. “From another perspective, the client side in the current implementation does not have any detection capability, which suggests possible opportunity for enhancement. However, due to the limited processing and communication power on mobile devices, we need to strike a delicate balance on how much detection capability can and should be offloaded.”

He added that VirusTotal, which Google acquired in September, has not been integrated into the app verification service. “From our measurement results, VirusTotal performs much better than this standalone service,” he noted. “For improved detection results, we expect such integration in the future will be helpful.”
