A team of researchers from the US and China has released a study which finds that Google's Android Play Store is awash in low-quality malicious apps. The authors have developed a new technique for detecting this malicious code. They claim their MassVet software scanner is simpler, more efficient and more accurate than those offered by well-known antivirus companies.
"We developed a novel mass vetting approach that detects new threats using nothing but the code of the apps already on a market," says the study, entitled "Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale." The group's MassVet software compares apps to known malware, looking for "the unique features" exhibited by common techniques used to package malicious code.
The group includes researchers from Indiana University, Penn State University and the Chinese Academy of Sciences. It notes that existing anti-malware scanning software tracks "information flows" within apps, and looks for apparent malicious behavior on a device. This approach is not always successful. Malicious behaviors are often "less clear," and avoiding false positives requires "heavyweight" techniques.
The report cites a study showing that 86% of Android malware consists of "repackaged apps": legitimate well-known apps like Angry Birds, for example, that have been wrapped with extra code for the purposes of gaining ad revenue, or distributing Trojan malware. Software tools exist to automate this process, allowing dodgy apps to easily ride the coattails of legitimately popular ones.
The researchers have created an alternative tool, called MassVet. It looks mainly for repackaging techniques, and ignores malicious payloads that may be "an inseparable part" of the apps, which are difficult to create and therefore relatively rare. MassVet can handle typical "obfuscation" techniques, used in many legitimate apps to make them more difficult to reverse engineer. However, MassVet does not worry about code that's obfuscated to the ultimate degree, noting that most existing scanning approaches will fail at this point.
In other words, MassVet is looking for known malicious or repackaging code that's shared among numerous apps in the marketplace. The study notes that this amounts to only about 100GB of suspect code to search for among all Android apps.
There's some sophisticated math involved in identifying similarities and differences in the code, especially at high speed. But the basic strategy is simple. MassVet first looks for matches in code, especially the app's user interface, in order to identify apps that are likely to be repackaged versions of each other. Matches between apps originating from a single publisher are obviously not a concern. And MassVet also ignores matches based on stock software components, used by many legitimate publishers.
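To illustrate the basic comparison strategy described above, here is an added Python example (not the MassVet authors' code): each app is reduced to a set of UI-structure hashes and method hashes, pairs from different publishers whose UI sets match closely are flagged, and the surplus code in the suspect is reported once stock library components are excluded. All app names, fingerprints and the library whitelist are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    """An app reduced to fingerprints: hashed UI structures and method-level code hashes."""
    name: str
    publisher: str
    ui: frozenset
    methods: frozenset

# Stock components many legitimate publishers ship (ad SDKs, support libraries).
# Constructed whitelist: shared library code must not be reported as injected code.
STOCK_LIBRARIES = frozenset({"lib/ads/show", "lib/support/Fragment", "lib/analytics/track"})

def ui_similarity(a, b):
    """Jaccard similarity of two apps' UI-structure sets (0.0 when both are empty)."""
    union = a.ui | b.ui
    return len(a.ui & b.ui) / len(union) if union else 0.0

def find_repackaging_candidates(apps, threshold=0.8):
    """Return (suspect, original, extra_code) for app pairs whose UI matches closely
    but which come from different publishers. The app carrying more code is treated
    as the suspect; its surplus code minus stock libraries is the injected part."""
    findings = []
    for i, a in enumerate(apps):
        for b in apps[i + 1:]:
            if a.publisher == b.publisher:
                continue  # same publisher: a legitimate variant, not a concern
            if ui_similarity(a, b) < threshold:
                continue  # different UI: not a repackaging of each other
            suspect, original = (a, b) if len(a.methods) >= len(b.methods) else (b, a)
            extra = (suspect.methods - original.methods) - STOCK_LIBRARIES
            if extra:
                findings.append((suspect.name, original.name, extra))
    return findings

# Constructed sample market: an original game, its own HD variant, a knock-off
# from another publisher with injected code, and an unrelated app sharing only libraries.
GAME_UI = frozenset({"ui/menu", "ui/level", "ui/score", "ui/pause", "ui/shop"})
GAME_CODE = frozenset({"game/loop", "game/render", "lib/ads/show"})
SAMPLE_APPS = [
    App("BirdGame", "StudioA", GAME_UI, GAME_CODE),
    App("BirdGame HD", "StudioA", GAME_UI | {"ui/hdSettings"}, GAME_CODE | {"game/hd"}),
    App("BirdGame Free", "Unknown", GAME_UI,
        GAME_CODE | {"lib/analytics/track", "injected/AdClickService", "injected/RemoteLoader"}),
    App("Weather", "StudioB", frozenset({"ui/forecast", "ui/radar"}),
        frozenset({"weather/fetch", "lib/ads/show", "lib/analytics/track"})),
]
```

Running `find_repackaging_candidates(SAMPLE_APPS)` reports only the knock-off, matched against both StudioA variants, while the HD variant (same publisher) and the weather app (shared libraries but different UI) are left alone.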
The study's authors tested MassVet on about 1.2 million apps. About 400,000 apps were collected from Google Play, the rest coming from third-party stores in Europe, China and the US. Suspicious apps were then submitted to the VirusTotal cloud service, which combines 54 top anti-malware products. The group did some slick statistical analysis, ending up with a solid base of code samples that were virtually certain to be malware.
Based on all this work, MassVet found 127,429 suspicious apps, or about 11% of those tested. The good news is that only 30,552 were from Google Play, the rest from the third-party markets. The bad news is that even among apps downloaded from Google Play, about 7.6% were found to be malicious. (The team's samples were chosen to include both popular apps and lesser-known ones, spanning various app categories.)
The researchers found that a few of the most popular malware apps had been installed over a million times, and that about 5,000 malware apps had been installed over 10,000 times each. Most of the suspicious apps had solid Google Play ratings of 3.6 to 4.6. The total impact, say the researchers, reaches to "hundreds of millions of mobile devices."
The study found that Google is constantly removing significant numbers of malicious apps, but not really keeping up with the incoming tide. Many apps that were removed were found to be resubmitted and approved, some with nothing but their name changed. Many of the same publishers submitted new apps using the same malicious code as in previous ones.
Of course, as with any single study, this one needs to be taken with at least a small grain of salt. The work looks solid, but other researchers may refine the results, or find flaws that are not apparent at this point.
Furthermore, the takeaway from this particular study doesn't seem to be that Google is failing to do a good job, or that Android is particularly malware-prone. Rather, what it's telling us is that the tide of quick-and-dirty malware has grown so large that Google needs to adopt faster bulk methods of vetting new apps, perhaps along the lines of MassVet. Most of the malicious apps don't seem to be particularly sophisticated, and shouldn't be too difficult to eliminate.
For users, the warning is two-fold. First, stick with Google Play and beware of third-party markets. Second, do a quick search to confirm that the app you're downloading is the original, from the original publisher, and not some sort of knock-off.