Over 80% of smartphones today run Android. With such a large amount of phones using Google’s operating system, Android has become an ever more viable target for malware developers. The question is, are currently used antiviruses effective? The answer is more complex than yes or no, but is leaning ever closer to the latter.
Android as a platform has been a lucrative target ever since it started to gain popularity amongst users. In 2010 one of Android’s first malware incidents, the SMS trojan Fakeplayer, began exploiting Android users by sending text messages to premium numbers while the attacker collected the resulting charges. Users were hit again by a major attack in 2011, when DroidDream made its debut on Google’s app store: its authors uploaded applications laced with the malware, which then attempted to mass-infect users with a root exploit.
The number of antivirus applications on the Google Play Store runs into the hundreds, but only the top dozen or so have any meaningful market penetration. The most downloaded antiviruses, such as Avast, AVG, or Norton, claim to protect wholly against malware and phishing attacks, to scan for and remove viruses, and much more.
We will be discussing the kind of malware commonly used against Android devices and how Android deals with such threats. How well do commonly used antiviruses truly do against these malicious programs?
The main source of testing information for this article is a report by Fraunhofer AISEC, a German security company that primarily deals with developing security technologies. Published in 2013, the report investigates the threat of malware on Android devices under real-world conditions instead of the typical detection tests used by other organizations such as AV-TEST. AISEC clearly states that you cannot detect malware on Android with the same method used on a platform like Windows, so in the report they used an in-house method to test the most commonly used antiviruses.
How Android antivirus applications work
Before we discuss the results of AISEC’s tests, let’s see how Android’s antivirus apps work.
Android can become infected with malicious software that can steal your data, erase critical files, or worse. An antivirus program’s duty is to detect, isolate, and eliminate malware from the system. Detection is the key to any successful antivirus program, and certain factors inherent to the Android operating system make antivirus programs a mixed bag when trying to perform their tasks.
The Android operating system sandboxes software packages: an application is not allowed to list the directory contents of other apps, which keeps the system safe. Because the antivirus cannot list other apps’ directories after installation, an application that shows no suspicious behavior when downloaded is cleared as safe. If parts of the app that turn out to be malicious are activated later on, the antivirus has no way to know, since this happens inside the app and outside the antivirus’s jurisdiction. Because of the sandboxed nature of Android’s app ecosystem, according to AISEC’s report, “Android antivirus cannot monitor dynamic behavior of other apps and working directories’ contents, antivirus software is completely oblivious to such activities.” Therefore, it is very difficult for antiviruses to get the full coverage that is typically needed to be truly effective.
There are multiple attack vectors on an Android device, and most of them are typically covered by Google’s Bouncer malware detection system. This service scans every app uploaded to the Play Store for malware, although, rarely, some malicious apps manage to make it through because of the complexity of the Android operating system.
Google’s Bouncer service attempts to eliminate the majority of obvious malware on the Play Store by testing applications in Google’s cloud infrastructure. When Google activated this service, the rates of malware in the app store decreased 40% between the first and second quarters of 2011.
Malware writers found a relatively simple way to avoid Bouncer altogether. A seemingly innocuous app using the ‘dropper’ technique downloads its malicious software only after it is installed on the target phone. This technique renders almost all antivirus applications useless, since Android’s built-in sandboxing denies the antivirus the ability to read the contents of other apps. The malware can therefore get away with harming your Android system and stealing personal data.
Another popular attack vector is repackaged apps, which are commonly found on third-party app stores that do not benefit from Google’s Bouncer system. Some of these third-party app stores feature malware-laced apps disguised to appear legitimate. Rooting your device can further expose it to malware designed to look for root access to all parts of the OS. These are just a few of the challenges faced by AV apps. With this in mind, let’s see how effective they really are.
The tests done by AISEC show that the majority of the antivirus apps tested scored abysmally at detecting altered malware, altered root exploits, dropper downloads, root exploits at runtime, and unknown malware. The only cases where most antiviruses were remotely effective were the tests involving unaltered root exploits and unaltered malware. Of the six test cases used, two yielded results showing that every antivirus had failed to detect any threat.
Some of the malware families used include ZitMo, Gingermaster, Plankton, JiFake, and others. These families were chosen for variety and popularity.
According to AISEC, these tests showed that “the tested antivirus apps do not provide protection against customized malware or targeted attacks.” That means that if somebody were to deliberately target a user and had the capacity to slightly alter the malware source code, the chances that the device would be compromised would be very high, regardless of antivirus usage. AISEC also states that even minor changes to small, nonessential parts of malware can easily evade detection by the leading antivirus brands. If the malware that is deployed is not 100% identical to the list the antivirus detects against, there is a strong chance it will not be detected at all.
On top of that, according to AISEC, “the tested antivirus apps were also not able to detect malware which is completely unknown to date but does not make any efforts to hide its malignity.” Most antiviruses do not even attempt to detect suspicious behavior in unknown malicious applications.
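To make the two findings above concrete, here is an added example (written for this article, not code from AISEC or from any antivirus product) that runs three toy detectors over four constructed app packages: an exact-hash signature, a feature-similarity check, and a capability heuristic. The package contents, package names, permission lists and the “suspicious” capability rule are all constructed for the example and stand in for nothing real; the point is only that a whole-package hash misses a sample after one cosmetic change, and that neither signature nor similarity matching sees a previously unknown sample whose capability is declared in plain sight, while a rule on declared capability does.

```python
import hashlib
import re

# Constructed stand-ins for the contents of four app packages. They are toy
# byte strings built for this example, not real APKs and not real malware.
KNOWN_SAMPLE = {
    "AndroidManifest.xml": (
        b'<manifest package="com.constructed.sample">'
        b'<uses-permission android:name="android.permission.SEND_SMS"/>'
        b'<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>'
        b"</manifest>"
    ),
    "classes.dex": b"Landroid/telephony/SmsManager; sendTextMessage onReceive",
    "res/values/strings.xml": b'<string name="app_name">Media Player</string>',
}

# Identical code; only the displayed app name differs (a cosmetic change).
ALTERED_SAMPLE = dict(KNOWN_SAMPLE)
ALTERED_SAMPLE["res/values/strings.xml"] = b'<string name="app_name">Media Player Pro</string>'

# A package never seen before: different code, same SMS-at-boot capability
# declared openly in its manifest.
UNKNOWN_SAMPLE = {
    "AndroidManifest.xml": (
        b'<manifest package="com.constructed.other">'
        b'<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>'
        b'<uses-permission android:name="android.permission.SEND_SMS"/>'
        b'<uses-permission android:name="android.permission.INTERNET"/>'
        b"</manifest>"
    ),
    "classes.dex": (
        b"Landroid/app/Service; onStartCommand Landroid/telephony/SmsManager; "
        b"sendTextMessage Landroid/net/Uri;"
    ),
}

# A harmless note-taking app used as the negative control.
BENIGN_SAMPLE = {
    "AndroidManifest.xml": (
        b'<manifest package="com.constructed.notes">'
        b'<uses-permission android:name="android.permission.INTERNET"/>'
        b"</manifest>"
    ),
    "classes.dex": b"Ljava/net/HttpURLConnection; openConnection",
}


def package_hash(files):
    """SHA-256 over the package contents in a fixed order: a whole-file signature."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode())
        h.update(files[name])
    return h.hexdigest()


def feature_set(files):
    """Structural features: declared permissions and referenced framework APIs."""
    features = set()
    manifest = files.get("AndroidManifest.xml", b"").decode()
    for perm in re.findall(r"android\.permission\.([A-Z_]+)", manifest):
        features.add("perm:" + perm)
    dex = files.get("classes.dex", b"").decode()
    for api in re.findall(r"Landroid/[\w/]+;|\bsendTextMessage\b|\bonReceive\b", dex):
        features.add("api:" + api)
    return features


def hash_signature_detector(files, known_hashes):
    """Exact-match detector: a hit only if the whole package is byte-identical."""
    return package_hash(files) in known_hashes


def similarity_detector(files, known_feature_sets, threshold=0.8):
    """Jaccard similarity of the feature set against each known family."""
    feats = feature_set(files)
    for known in known_feature_sets:
        union = feats | known
        if union and len(feats & known) / len(union) >= threshold:
            return True
    return False


# Capability combination this example treats as suspicious on its own: sending
# SMS from code that starts at boot. A constructed rule, not any product's.
SUSPICIOUS_COMBO = {"perm:SEND_SMS", "perm:RECEIVE_BOOT_COMPLETED", "api:sendTextMessage"}


def heuristic_detector(files):
    """Flags a package by declared capability alone; needs no prior sample."""
    return SUSPICIOUS_COMBO <= feature_set(files)


def evaluate(sample):
    """Run all three detectors with KNOWN_SAMPLE as the only prior knowledge."""
    known_hashes = {package_hash(KNOWN_SAMPLE)}
    known_feats = [feature_set(KNOWN_SAMPLE)]
    return {"hash": hash_signature_detector(sample, known_hashes),
            "similarity": similarity_detector(sample, known_feats),
            "heuristic": heuristic_detector(sample)}


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("altered", ALTERED_SAMPLE),
                          ("unknown", UNKNOWN_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(label, evaluate(sample))
```

Running it shows the pattern the report describes: the known sample trips all three detectors, the altered copy defeats the hash but not the other two, the unknown sample defeats both hash and similarity and is caught only by the capability rule, and the benign app is left alone by all three. The point of the example is the comparison between detector designs, not the toy features themselves, which a real engine would replace with far richer ones.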
What can Google do to help?
There are some things Google could do to help alleviate the risk of accidentally installing malware applications. Countermeasures could include offloading malware scanning to the cloud (a more advanced version of Google’s Bouncer solution) and stricter controls on native code execution.
The authors of the report conclude that “users and administrators should not solely rely on antivirus software for malware protection.” In the end, common sense and critical thinking can probably provide more help at avoiding malicious software. Also important is to try and avoid third party app stores, which lack the protection offered by Google’s app scanning service and are usually rife with malware and spyware. The antivirus with the highest detection rate happened to be Lookout, which based on these test results, would be the top recommended antivirus for Android users.
Although AISEC says that its tests should not be taken as the be-all and end-all on the question of antivirus effectiveness, it is not hard to see why there needs to be a more proactive solution to an ever-increasing problem. Are antiviruses such as AVG, Norton, and Avast effective against malware? For the majority of infections, the answer is sadly no. If your phone is infected by any malware that is not already known to these companies, or if previously known malware is altered in any way, it will be very difficult not only to rid yourself of the virus but, in some cases, even to detect it.