In keeping with the Open Handset Alliance goals of Android being the first open, complete, and free platform created specifically for mobile devices, Google offers the Android Market. The Android Market offers the ability for developers to create any application they choose with the community regulating whether the application is appropriate and safe, as opposed to relying on a formal screening process. The pros and cons of this open approach to an application store have been discussed in great detail.
Notwithstanding, spyware and other malicious applications have made their way onto even controlled application stores, and these controls have not negated the need for mobile device security software, such as anti-malware applications. The desire for open source applications by mobile device owners on even strictly controlled operating systems is evidenced by the vast number of iPhone devices that are jailbroken to allow the running of out-of-market applications which have not been approved by Apple.
The Android Market offers flexibility that markets such as the Apple App Store do not, by allowing anyone to develop and publish an application to the Market’s consumers. This presents the opportunity to easily defraud innocent consumers for financial gain. Financial gain drives the paradigm of information security, and attackers now see consumer and enterprise smartphones as targets. Since today’s smartphone devices are the equivalent of mobile computers, it is logical that attackers have expanded their focus from PC-based malware to smartphone malware, and an open application repository lends itself to these types of attackers.
ANDROID MARKET SECURITY MODEL

The Android Market relies on the community to identify and flag applications that either malfunction or are malicious in nature. This would imply that there will always be a window where a number of consumers would need to use, test and determine if an application is malicious before it could be removed from the Market. This has already occurred in the instance of a bank phishing application that was published by an author by the name of Droid09.
The application created by Droid09 stated it would allow the user to conduct banking activities from the handset. All the user had to do was give the application the user’s account information and it would facilitate the communication tunnel to the bank in order to process transactions. In reality, the application only facilitated a web browser connection to the bank’s online banking website, just as if the user opened Android’s browser and typed the bank’s URL into the address bar. What it actually did with the account credentials that the user provided is still unknown.
This bank phishing application is an excellent example of both how the Market lends itself to attackers and how those types of malicious applications are supposed to be dealt with by the community. In this case, it is unclear exactly how long this application was in the Market or how many consumers actually installed it before it was removed from the Market.

PERMISSION-BASED DETECTION

To date, nearly every attempt at detecting malicious applications on a mobile device has relied upon the same signature-based methods that PC anti-virus vendors have been using for years.
In the PC world, anti-virus engines alone cannot handle the tens of thousands of malware signatures that they must now detect. The same should be said about mobile anti-virus engines. Signature-based detection cannot be relied upon as the only means of identifying malicious applications on mobile devices. Smartphone anti-virus must also look for other means of identifying malicious applications on platforms whose application repositories are ripe for attackers.
Android requires application developers to declare the permissions their application will need in order to interact with the system and its data. As a result, SMobile has incorporated patent-pending technology that uses application permissions and other identifying attributes to determine what an application can do and, subsequently, to identify spyware and other malicious applications. This provides a prime opportunity to identify an application that is trying to access sensitive data or communications and then assist the user in determining whether this access is truly necessary for the application.
MARKET ANALYSIS AND METHODOLOGY

SMobile has published two previous whitepapers on the Android Market that have documented specific types of malicious applications and threats. Those whitepapers can be found here and here. In this whitepaper, SMobile has taken a more inclusive look into the Android Market for applications that, based upon the aforementioned criteria, could be considered malicious or suspicious. To perform this task, SMobile needed to conduct an automated analysis to analyze thousands of applications.
Since it is possible to identify whether an application may be malicious by the permissions it requests, a large scale analysis of the Android Market was conducted to gain further insight into its applications. In order to perform large scale analysis of the Market, one would need to be able to interface with the Market to get application permission data. As of now, there is no downloadable repository of the Android Market that can be interfaced from a PC to directly download applications for analysis. A few websites, such as Androlib.com and Appbrain.com, have done a good job of keeping up to date with descriptions of apps that are being added to the Market. Androlib even provides a statistical analysis of how and when the Android Market is growing. Prior to this whitepaper, no other research has taken the step to analyze the Market for malicious content on a large scale.

MARKET STATISTICS

With application metadata being collected from the Android Market, SMobile began to query the application metadata and determined that there are some concerning statistics in play.
To date, metadata collection has netted information from 48,694 applications in the Android Market, roughly 68% of all applications that are available for download. It is noted that one in every five applications requests permissions to access private or sensitive information that an attacker could use for malicious purposes. One out of every twenty applications has the ability to place a call to any number without interaction or authority from the user.
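A minimal sketch of the permission-based triage described under PERMISSION-BASED DETECTION and of the per-corpus counts under MARKET STATISTICS, added here as an illustration; it is not SMobile's code or criteria. It assumes each manifest has already been decoded to text XML, and the `SENSITIVE` grouping and the `com.example.*` sample apps are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

SENSITIVE = {  # assumed grouping for this example, not SMobile's criteria
    P + "READ_CONTACTS": "private data",
    P + "READ_SMS": "private data",
    P + "ACCESS_FINE_LOCATION": "private data",
    P + "SEND_SMS": "sends messages",
    P + "CALL_PHONE": "places calls without the dialer UI",
}

def requested_permissions(manifest_xml):
    """Permissions declared with <uses-permission> in a text manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def review(manifest_xml):
    """Sensitive permissions an app requests, mapped to the reason."""
    perms = requested_permissions(manifest_xml)
    return {p: SENSITIVE[p] for p in sorted(perms) if p in SENSITIVE}

def corpus_stats(manifests):
    """Count apps requesting any sensitive permission, and CALL_PHONE."""
    flagged = [review(m) for m in manifests]
    return {
        "total": len(manifests),
        "sensitive": sum(1 for f in flagged if f),
        "can_call": sum(1 for f in flagged if P + "CALL_PHONE" in f),
    }

def make_manifest(package, perms):
    """Build a constructed sample manifest for a hypothetical app."""
    uses = "".join('<uses-permission android:name="%s"/>' % (P + p) for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s<application/></manifest>' % (package, uses))

SAMPLES = [  # constructed sample corpus
    make_manifest("com.example.flashlight", ["INTERNET"]),
    make_manifest("com.example.notes", []),
    make_manifest("com.example.bankhelper", ["INTERNET", "READ_CONTACTS", "READ_SMS"]),
    make_manifest("com.example.dialer", ["CALL_PHONE"]),
    make_manifest("com.example.game", ["INTERNET", "VIBRATE"]),
]

if __name__ == "__main__":
    print(corpus_stats(SAMPLES))
```

A flagged permission is a prompt for review against the app's stated purpose, not a verdict: a dialer legitimately needs `CALL_PHONE`, while a flashlight requesting it would warrant a closer look.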