Android malware hype

There is no better publicity for a security company than a good scare. Apparently, some guys at Smobile are taking publicity seriously. They have published a report entitled Threat Analysis of the Android Market, which got them some news coverage. The report includes some pretty scary statements, like:

3% of all of the Market submissions that have been analyzed could allow an application to send unknown premium SMS messages without the user’s interaction or authorization.

Premium messages, without the user’s authorization. That’s actually true, but it says nothing alarming about the applications themselves. This figure corresponds to the number of applications that request the SEND_SMS permission (1356 out of 48694). That’s the way Android works: once you have allowed an application to send SMS’s, the application can send any SMS, including premium ones, without any further user interaction. Abuse attempts are likely, but Google is likely to turn on the kill switch before the bad guy can make any real money.

Similarly, the guys at Smobile have identified real spyware, which actually forwards to another phone all the SMS’s sent and received from a given phone. This application actually describes itself as spyware (search for “spy” on Market, and you’ll find several). All the permissions it needs to do that are SEND_SMS, RECEIVE_SMS, and INTERNET. I am sure that you can do a few legitimate things using these permissions. When roaming, I could use a messaging application that uses Internet when available and reverts back to SMS when nothing else is available.

Enough of that. I think that Smobile is pointing at a real issue: once you authorize an Android application to do something (like sending SMS’s or recording audio), it can do it freely until uninstalled. Eventually, a smarter than average hacker will design a good Trojan horse and make some money.

The problem with these reports is that they mislead many people into believing that Android is full of malware. Of course, the reality is that the Android Market is full of apps that could be malware. They just aren’t.

I am a strong supporter of static code analysis, and I think that Android applications definitely are a good target for static analysis. However, the analysis must be much deeper than looking at the permissions requested by the application. For instance, identifying the numbers to which an SMS is sent is much more discriminating. If an application sends messages to a premium number without warning users, it is much closer to qualifying as malware. Let’s get that working, and I am sure that we will learn interesting things.
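As an added illustration of that deeper analysis (example code written for this post, not from the original article or from Smobile’s report): a small Python scan over disassembled smali that tracks const-string registers inside each method and reports the destination passed to SmsManager.sendTextMessage. The smali input is constructed, and the “4 to 6 digit short code means premium-rate” rule is an assumption for illustration, since premium numbering varies by country and a real analyzer would use a per-country list.

```python
import re

# Constructed smali excerpt (not from any real app): one method sending an SMS
# to a hard-coded short code, one sending to a number supplied by the caller.
SAMPLE_SMALI = """
.method private sendPremium()V
    const-string v1, "81213"
    const/4 v2, 0x0
    const-string v3, "GO"
    invoke-virtual {v0, v1, v2, v3, v2, v2}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method

.method private reply(Ljava/lang/String;)V
    const-string v3, "ok"
    const/4 v2, 0x0
    invoke-virtual {v0, p1, v2, v3, v2, v2}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
"""

SEND = "Landroid/telephony/SmsManager;->sendTextMessage("
# Assumed heuristic: a bare 4 to 6 digit short code is treated as premium-rate.
PREMIUM = re.compile(r"^\d{4,6}$")

def find_sms_destinations(smali: str) -> list:
    """Return (method, destination, verdict) for every sendTextMessage call;
    destination is None when the first argument is not a constant in that method."""
    results = []
    method, consts = None, {}
    for line in smali.splitlines():
        line = line.strip()
        if line.startswith(".method"):
            # New method: reset the register -> string-constant map.
            method, consts = line.split()[-1].split("(")[0], {}
        elif line.startswith(".end method"):
            method = None
        elif m := re.match(r'const-string (\w+), "(.*)"', line):
            consts[m.group(1)] = m.group(2)
        elif line.startswith("invoke-virtual") and SEND in line:
            regs = re.search(r"\{([^}]*)\}", line).group(1).split(", ")
            dest = consts.get(regs[1])  # regs[0] is the SmsManager instance
            if dest is None:
                verdict = "dynamic"      # number comes from elsewhere: needs data-flow
            elif PREMIUM.match(dest):
                verdict = "premium"      # hard-coded short code: flag for review
            else:
                verdict = "fixed"        # hard-coded ordinary number
            results.append((method, dest, verdict))
    return results

if __name__ == "__main__":
    for method, dest, verdict in find_sms_destinations(SAMPLE_SMALI):
        print(f"{method}: sends to {dest!r} ({verdict})")
```

A permission check alone would flag both methods identically; the register tracking is what separates the hard-coded short code from a reply to a caller-supplied number.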

3 Comments

  • Hi Eric,

    You might have heard of the ‘hole’ that would be apps allowed to execute native code which they would get somewhere on the net, sometime later than install.

    I use free apps and many have asked for auth. I do not see why they need it.
    However, it auth. them to use the apps.

    Somehow, it reminds me of the MS EULAs no one reads.

    Is there a rule to recognize premium numbers?

    I don’t know how to put nets around those apps without doing a constant survey.

    Jerome

  • Axelle wrote:

    Hi Eric,

    I must add a comment on spyware. There are two different classes of spyware: a) Trojan spyware, which are real malware and will for instance forward SMS without your being aware of it (I’m sure you wouldn’t like that) and b) border-line spyware, which do something potentially bad to your privacy but may be ok in some situations.
    Sending SMS without user interaction *is* a dangerous feature. It ought to be limited.

    Also, I do agree that Androids are not ‘full of malware’ and that such reports may scare users.
    But from what you quote of Smobile’s report, I wouldn’t disagree with them. And end-users are hardly ever aware that their phones are insecure, so educating them can’t be a bad thing.

    Finally, I disagree on this point:

    “Google is likely to turn on the kill switch before the bad guy can make any real money.”

    You have absolutely no proof about that. And my experience (not with Google though) is that they are unlikely to be aware and that the bad guy WILL make money before the tap is closed…

  • Erwan wrote:

    This reminds me of the warning you get when installing some ports under FreeBSD:
    the port foo installed /usr/local/libexec/barhelper and /usr/local/bin/bar which can act as server and thus be a security breach…
