This is the fourth chapter of our five-part series on Android security, a huge topic now that Android is the new mass operating system. Tag along to explore the wild tales, past crimes and current, steadily improving state of Android security. If you’d like to find out more about our previous topics, please click the links below.

 

Security updates

Device encryption

Data leakage

Malware

Network threats

 

Introduction

 

Malware means software written with malicious intent. Such software includes computer viruses, self-replicating programs which can use a device’s resources or corrupt data without user knowledge, spyware which spy on a device’s users, and ransomware, which encrypt a device’s contents and demand a ransom for the release of the data. A famous example of malware is The Stuxnet worm, which apparently targeted the Iranian nuclear program.

This definition of malware is sometimes stuck in a grey area, since e.g. network scanners can be used for diagnostic purposes, remote control is commonly used in user support, and monitoring software can be used to maintain computer systems. That said, they can also be abused. There has also been accusations of western companies knowingly selling surveillance capabilities to oppressive regimes.

Some companies, notably Apple, have taken a harsh public stance on crafting any kinds of covert means of access to devices, or backdoors. Apple’s CEO has stated that it’d be the “software equivalent of cancer” to craft a custom iOS update to unlock a phone even in a high-profile criminal case.

Crafting malware has grown to a business with financial incentives. Starting with botnets for taking down internet infrastructure through denial of service attacks, infected machines are quite commonly used tools.

Malware and cybercrime are not just security and privacy threats. These activities have a direct business cost associated with them, which has been in the order of hundreds of billions of dollars for years already, and it seems to be growing.

Schematics of smartphone sensors

Simplified schematics of smartphone board with sensors. The potential for eavesdropping using smartphone malware is huge. Image by Intel

 

Malware on Mobile

 

Modern mobile platforms, with integrated app stores, can do a lot of good by vetting the entire software library available to users. This is a good thing, since in theory it removes the need for users to evaluate the software they install. The process is still not perfect, though.

On Android, the most used malware types are ad-clicking scams. Ad clicks on the internet create revenue, and impersonating a legitimate user can generate large sums of money, as is the case with the relatively recent Judy and Copycat adware strains.

Android phones offer the flexibility to install APK application packages from sources other than Google Play or any other store that a typically non-Western Android configuration might use. When third party APK packages are allowed in, all bets are largely off, with users being able to download apps from anywhere on the internet.

 

How’s Google doing?

 

Google’s Play Store is relatively lax in its policies as to what kinds of apps it allows. Android apps are free to open network ports and act as servers accepting remote connections, without the user knowing. Some apps are just simple scams.

Both Google and Apple have had malicious apps slip through to their stores. Recently, Google removed a bunch of apps involved in denial of service attacks, and last year, popular Asian iOS apps were contaminated by modified copies of Apple’s Xcode development tools.

To improve the quality of apps in the Play store, Google’s latest method of app evaluation is machine learning. On modern versions of Android, apps run with limited user privileges, using sandboxing techniques to limit the access apps have to the rest of the system like phonebooks, the camera or location data. This allows for higher security.

Sites on the open web, bittorrent trackers or other places where one could download Android software packages (APK) outside an app store are high risk sources. Malicious apps often come from alternative app stores, forums, and file hosting sites, and may be spiked with added surprises.

Android Security 2016 In Review presents promising developments in reducing the total number of malicious software installs.

Android Security 2016 In Review presents promising developments in reducing the total number of malicious software installs.

 

Mitigation

 

Even if Google’s app store policies might not yet detect all bad apps, the first step towards app hygiene on Android is to block users from using non-Play Store apps. This keeps the shadiest stuff out. Better yet, Android Enterprise allows limiting your users to a restricted set of apps even from the Play store.

In some scenarios, taking a whitelisting approach to apps on corporate phones would be counterproductive. Our EMM suite, Miradore Online, offers options in this regard, starting with the Android Enterprise solution. Beginning with our free MDM plan, inventory of apps installed on phones is included. This becomes useful if harmful behavior in apps comes to light, and the damage needs to be assessed.

Android also supports several anti-malware tools. Much like their desktop counterparts, this class of software can offer a secondary defense for users who have to download lots of documents and apps. Tom’s Guide offers a checkup on good anti-virus tools for Android, most of which are free or affordable.

In any case, anti-malware is like a bulletproof vest: it’s clunky and it shouldn’t be your only defense. There’s no way around the fact that the most important factors impacting malware infection rates are related to user behavior. As with PCs, it really matters what the users installs and from which sources, and whether their devices are security patched or not.

 

 

Screenshot of search for anti-malware tools on Android, October 2017

Anti-virus on Android diminishes battery life but offers a second line of defense.

 

Conclusions

 

At the time of writing, there are fresh news reports on the things we warn about in this article; non-Play store apps (for now), spiked with code to commit mobile payment fraud and adding permanent back doors. The malware in question relies on the so called “Dirty COW” (CVE-2016-5195) bug, in the Linux kernel, thereby Android, and was disclosed to the public in October 2016.

What we see here ties together nicely with the first article in our Android series; keeping operating systems unpatched and vulnerable is a massive handout to malware developers. It speaks volumes about the manufacturer specific Android update ecosystems, that there’s an ample supply of handsets in China and India that aren’t patched to fix a critical vulnerability from 2016.

“Dirty COW” is a fine example of a case where poor operating system maintenance can’t be sufficiently supplemented with just anti-malware tools that rely on specific rulesets to recognize malware. Google is far along in improving isolation and sandboxing in Android. However, anyone can implement exploit bugs like “Dirty COW” in a new piece of software. In this case, not even hardening tools like SELinux, GRSecurity or Android Enterprise protect unpatched devices.

For phone manufacurers, there are no shortcuts to secure default configurations and software updates. Due to fragmented software development practices, this time is different from Microsoft’s journey towards responsible OS security after the onslaught of internet worms in the early 00s. The rest of the world, bad guys included, are certainly up to speed already.

As limiting as it may be for end user choice, device owners must look over what kinds of risks they’re willing to accept. Blocking non-Play store apps is a given, but it depends how much end user productivity and satisfaction are affected by allowing only whitelisted apps.

Luckily, the tools for taking control over phones and tablets are better and more readily available than ever before. The starting price for Miradore Online, our Mobile Device Management solution, is free — so it feels like the natural fit to encourage you to go see for yourself.

Title image by Nick Allen

Valtteri Kekki

Valtteri Kekki

CTO at Miradore Ltd
Valtteri Kekki is the CTO of Miradore. He has been with the company since 2011 and is also an experienced software developer. Valtteri holds an M.Sc. in computer science from Lappeenranta University of Technology.
Valtteri Kekki