BOSTON – Accountability, not superior technology, has kept Apple’s iOS ecosystem free of malware, even as the competing Android platform strains under the weight of repeated malicious code outbreaks, say researchers Dan Guido of the firm Trail of Bits and Michael Arpaia of iSEC Partners.

The two researchers said an empirical analysis of existing malicious programs for the Android and iOS platforms shows that Google is losing the mobile security contest badly – every piece of malicious code the two identified was for the company’s Android OS, which made up 50% of the U.S. smart phone market, while Apple’s iOS remained free of malware despite accounting for roughly 30% of the same market.* Apple’s special sauce? Policies that demand accountability from iOS developers, and stricter controls on what applications can do once they are installed on Apple devices.

Guido, whose company Trail of Bits helps enterprises defend against targeted attacks, told Threatpost that mobile operating systems are far more secure than their desktop counterparts, forcing scammers to follow a well-worn path to compromise mobile devices – what Guido refers to as the mobile “kill chain.” Mobile malware is delivered bundled with mobile applications, which are typically uploaded to and promoted from mobile marketplaces like Google’s Android Market. Once attackers have a foothold on a device, they use vulnerabilities in the operating system or in the application permissions model to escalate their privileges, connect to an Internet-based command and control network and then begin to siphon saleable data from the device, Guido said.

Guido and Arpaia’s survey of mobile malware identified 100 unique instances of mobile malware that were used in around 500 separate campaigns. Together the malware was downloaded hundreds of thousands of times by mobile device users. But even as Apple, Google and Microsoft battle it out for mobile market share, in the eyes of mobile malware authors, there’s no contest: all of the malware the two researchers identified was for Google’s Android operating system, they said.

“We looked for iOS malware, but there is none to collect,” he said. “It’s amazing that there’s just none out there.”

The reasons for that are complex, and don’t suggest that iOS has any technological superiority over Android. “This isn’t a technology issue or an application security thing,” Guido said. “It’s not like there are fewer vulnerabilities in iOS.”

The researchers’ findings are supported by other surveys of mobile malware. Juniper Networks’ 2011 Mobile Threats Report (PDF), for example, found 13,302 samples of malware targeting the Android platform between June and December 2011 – a more than 3,000 percent increase over the period from Android’s release in 2007 through May 2011. During the same period, there were no examples of iOS-specific malware.

The key differences between Apple’s iOS and Google’s Android come down to what Guido termed “design decisions”: choices both platform makers made that have created incentives and disincentives for mobile malware writers and cybercriminals in the years since.

Foremost among them is Apple’s insistence that mobile application developers verify their identity before they can introduce new applications. That includes submitting actual identifying documents like a Social Security Number or official articles of incorporation.

“There’s something that gets back to you,” Guido said. “That way, when Apple finds a malicious application, there’s the possibility that you could suffer real world punishment.”

In contrast, Google’s Android Market (now Google Play) has much more generous terms for developers, who need only pay a one-time $25 registration fee and agree to abide by the company’s Developer Distribution Agreement to begin publishing. That’s a low bar that makes it easy for malicious authors to get their wares out to hundreds of millions of Android users, according to Guido.

“You can upload dozens of applications at once. If any get banned, you can just resign, sign up under a new identity and resubmit them,” Guido said.

Beyond that, Guido said, Apple’s iOS ecosystem has put controls in place that squeeze malware authors in other ways. Its combined automated and manual vetting of submissions includes static analysis of compiled binaries, which makes it very difficult to take a legitimate application, bundle malicious code into it and resubmit the result for sale on the App Store. That blocks trojanized applications of the kind used by the DroidDream malware, which repeatedly appeared on Google’s Android Market.

Further, Apple rejects applications that use self-modifying code, which could behave legitimately or maliciously depending on the context in which it is run. Apple’s decision to ban star researcher Charlie Miller from its developer program for submitting an application that could dynamically update its runtime code was proof that the company takes that prohibition seriously, Guido said.

“Of course, they knew who Charlie was when he submitted that,” he said.

In contrast, Google’s early decision to allow self-modifying applications in the Android Market means that attempts to spot malicious applications using its Bouncer dynamic analysis technology will likely miss a healthy percentage of them, he said. Dynamic analysis can only judge the code paths an application executes while under test; an application that fetches or generates its payload after it has been admitted to the market never shows that behaviour to the scanner.
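To make the two preceding points concrete (a repackaged application that is near-identical to a legitimate one, and an application whose code can change after review), here is an added example of the kind of static triage an app-store reviewer or an enterprise could run. It is illustrative code written for this article, not Apple’s or Google’s vetting pipeline and not code from the Trail of Bits research. It operates on per-app feature sets of the sort a tool such as androguard extracts from an APK (declared permissions, class descriptors from classes.dex, referenced framework methods, signing-certificate fingerprint). The three sample apps, their package names and fingerprints, the library-prefix list and the similarity threshold are all constructed or assumed for the example.

```python
"""Static triage of Android app feature sets (added example).

Input is a constructed per-app feature set of the kind a tool such as
androguard extracts from an APK. No real APK is parsed here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppFeatures:
    package: str
    signer_sha1: str          # fingerprint of the signing certificate
    permissions: frozenset    # <uses-permission> entries from the manifest
    classes: frozenset        # class descriptors found in classes.dex
    api_refs: frozenset       # framework methods the dex code references


# Bundled library code inflates similarity between unrelated apps, so it is
# ignored when comparing code. The prefix list is an assumption for the example.
COMMON_LIBRARY_PREFIXES = ("Lcom/google/ads/", "Landroid/support/")

# APIs through which an app can run code that was not present at review time.
# Seeing them is not proof of malice, only a reason not to trust a verdict
# that rests on dynamic analysis alone.
DYNAMIC_CODE_APIS = frozenset({
    "Ldalvik/system/DexClassLoader;-><init>",
    "Ldalvik/system/PathClassLoader;-><init>",
    "Ljava/lang/System;->load",
    "Ljava/lang/System;->loadLibrary",
    "Ljava/lang/Runtime;->exec",
})

SIMILARITY_THRESHOLD = 0.75   # assumed tuning value


def own_classes(app):
    """Classes the developer shipped, excluding bundled third-party libraries."""
    return frozenset(c for c in app.classes if not c.startswith(COMMON_LIBRARY_PREFIXES))


def jaccard(a, b):
    union = a | b
    return 1.0 if not union else len(a & b) / len(union)


def triage(candidate, known_originals):
    """Compare a submitted app against known originals and return findings."""
    cand_own = own_classes(candidate)
    best, best_sim = None, 0.0
    for orig in known_originals:
        sim = jaccard(cand_own, own_classes(orig))
        if sim > best_sim:
            best, best_sim = orig, sim
    findings = {
        "package": candidate.package,
        "matched": best.package if best else None,
        "similarity": round(best_sim, 2),
        "added_permissions": sorted(candidate.permissions - best.permissions) if best else [],
        "dynamic_code_apis": sorted(candidate.api_refs & DYNAMIC_CODE_APIS),
        "flags": [],
    }
    # Same code, different signing key: someone other than the original developer
    # rebuilt and re-signed the app. A near-identical match under the same key is
    # just an update and is not flagged.
    if best and best_sim >= SIMILARITY_THRESHOLD and best.signer_sha1 != candidate.signer_sha1:
        findings["flags"].append("repackaged: near-identical code signed with a different key")
    if findings["dynamic_code_apis"]:
        findings["flags"].append("dynamic code loading: behaviour under analysis need not match behaviour in the field")
    return findings


# --- constructed sample apps ---------------------------------------------
_NOTES_CLASSES = frozenset(f"Lcom/example/notes/{n};" for n in (
    "MainActivity", "NoteListFragment", "NoteEditorActivity", "NoteStore",
    "NoteProvider", "SyncService", "SettingsActivity", "BuildConfig"))
_ADS = frozenset({"Lcom/google/ads/AdView;"})

ORIGINAL_NOTES = AppFeatures(
    package="com.example.notes",
    signer_sha1="aa11" * 10,
    permissions=frozenset({"android.permission.INTERNET",
                           "android.permission.WRITE_EXTERNAL_STORAGE"}),
    classes=_NOTES_CLASSES | _ADS,
    api_refs=frozenset({"Ljava/net/HttpURLConnection;->connect",
                        "Landroid/database/sqlite/SQLiteDatabase;->insert"}),
)

# The same app rebuilt by someone else: two extra classes, new permissions,
# a different signing key, and code-loading APIs the original never used.
REPACKAGED_NOTES = AppFeatures(
    package="com.example.notes.free",
    signer_sha1="bb22" * 10,
    permissions=ORIGINAL_NOTES.permissions | {
        "android.permission.READ_SMS", "android.permission.RECEIVE_BOOT_COMPLETED"},
    classes=ORIGINAL_NOTES.classes | {"Lcom/example/notes/free/Dropper;",
                                      "Lcom/example/notes/free/BootReceiver;"},
    api_refs=ORIGINAL_NOTES.api_refs | {"Ldalvik/system/DexClassLoader;-><init>",
                                        "Ljava/lang/Runtime;->exec"},
)

UNRELATED_FLASHLIGHT = AppFeatures(
    package="com.lumen.flashlight",
    signer_sha1="cc33" * 10,
    permissions=frozenset({"android.permission.CAMERA"}),
    classes=frozenset({"Lcom/lumen/flashlight/MainActivity;",
                       "Lcom/lumen/flashlight/TorchController;"}) | _ADS,
    api_refs=frozenset({"Landroid/hardware/Camera;->open"}),
)


if __name__ == "__main__":
    for app in (REPACKAGED_NOTES, UNRELATED_FLASHLIGHT):
        print(triage(app, [ORIGINAL_NOTES]))
```

Run stand-alone, the script reports the repackaged app as an 0.8 code match to the original under a different key, with two added permissions and two dynamic-code APIs, and reports nothing for the unrelated app. The signing-key comparison is what ties the finding back to an identity: a reviewer can only act on a repackaging hit if the key, and therefore the account behind it, is something the store can hold accountable.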

Despite the researchers’ dour views on the security of Android, both Guido and Arpaia said that – based on their survey – much of the coverage of mobile security issues and mobile malware is overblown, and misses the point.

“People blab about ‘there are so many vuln(erabilitie)s.’ It’s like the sky is falling,” Guido said. “The truth is that every piece of software we use is vulnerable. These things are a fact of life and we have to learn to live with them.”

But Guido said that his study of the contemporary mobile malware scene revealed a shocking lack of sophistication. Every piece of Android malware in the survey that escalates its privileges relies on one of just three OS exploits – all of them developed by people looking to root (“jailbreak”) the platform, not by malware authors.

Rather than focusing on vulnerabilities in the underlying platform, enterprises and the security community should look for easy ways to break the mobile “kill chain”: for instance by limiting access to mobile stores, enforcing accountability for application developers, and limiting what applications can do after they are installed. Beyond that, the security community should start to rank mobile threats by how difficult they would be to carry out and by the access they would give an attacker to useful data – in particular, data that could be resold. And when it comes to thwarting attacks, both platform makers and the security community should focus on making the repercussions for writing mobile malware real, by making it easy to get caught and punished, Guido said.

(*) comScore data

Editor’s note: This story originally included incorrect information on Apple’s smart phone market share in the U.S. The story has been updated with the correct market share data. (4/20/2012) 

Comments (33)

  1. Anonymous

    iOS is safer?

    That’s begging the question.

    How many accounted cases of malware lying in the official android store do we have? cause if the user just used an alternate store to get software this is not about google’s management vs. apple’s anymore.

    It is not very appropriate to use malware rates to conclude something is safer than something else. Is outsourcing all control of software and content to a single company really going to make us safer? Dictatorships have reduced crime rates, but I don’t think I would ever feel safe in a dictatorship.

  2. Anonymous

    Is iOS setting itself up for another Flashback disaster? Are people ignorantly assuming every iOS app is safe because Apple reviewed it? That would be bad.

  3. Dan Guido

    I’m one of the authors of the research reported in this article.

    We looked at rates of attack campaigns in the iOS App Store and Google Play as well as US-based 3rd party markets and China-based 3rd party markets. We found that all Android markets, regardless of origin, suffered from repeated malicious attack campaigns (100 unique malware samples, 500+ attack campaigns, resulting in hundreds of thousands of malicious apps). We could not identify a single case of iOS malware in the iOS App Store or in any 3rd party iOS markets.

    I think it’s absolutely appropriate to look at evidence to determine which platform is safer or more secure. If you’re not looking at actual attack data, then what *are* you using?

  4. Dan Guido

    iOS is not setting itself up for a “FlashBack Disaster.” In the research, we found that real-world verification trumps all technical attacks and that the ability to enforce repercussions on someone who uploads malware to the app store increases the cost of a potential attack beyond the point that it would be feasible.

    There exists a large volume of jailbreak code that could be repurposed to attack iOS *right now*. The fact that this is not done speaks to other factors for why iOS is not attacked.

  5. Paul Roberts

    Note: fixed iOS market share data (30% in US vs. 50% for Droid). Also fixed grievous “wait” vs. “weight” error. Ouch! Many apologies. – Paul

  6. anon

    Guido is right. If you’re not looking at attack data, what are you looking at?

    Oh wait, Guido isn’t looking at attack data. He is looking at malware distribution data the AV vendors reported on Android malware in sideloader and Google markets. It’s like reporting on broken guns that are loaded in the US, and not murder rates – broken guns lying around in pawn shops don’t matter. Bodies matter.

    Who is going to report some real incident data? Whoops, there isn’t any accurate mobile “attack” data for either iOS or Android.

  7. Dan Guido

    Hey anon, I’m looking at attack data. We built a comprehensive database of all mobile attack campaigns against iOS and Android that took place between 2011 and 2012. Much of the data was collected from the excellent references that AndroGuard and ContagioMiniDump provided, as well as our own research. From each attack campaign we identified roughly how many apps were infected, with what malware, whether it exploited the phone and how, along with many other details. This data is empirical, high-quality, reviewed and useful to draw trends and analysis from, as we showed with our research.

  8. Dan Guido

    I will offer that the one piece of data that I don’t have but would like to have is relative rates of infection for each attack campaign / malware. Based on the infection stats that have been reported in the media, the attack campaigns that root the phone, like DroidDream, have compromised orders of magnitude more devices than attack campaigns that did not root the phone. It’s sort of a moot point though, since as an appdev or an enterprise, I’m primarily concerned with attacks that can access my data and attacks without some form of privilege escalation largely cannot.

  9. Alex W

    This sounds a lot like the “Apple don’t have viruses” banner that’s been carried around by fanboys before it gained enough market share to get attacked. Dan Guido, are you by any chance an Apple fanboy? Just because a platform is closed, it doesn’t make it more secure – the only reason there is less malware for iOS *for now* is because Apple evangelizes security through obscurity. When Charlie Miller circumvented iOS code signing, did Apple thank him for pointing out how they could improve their device security? No they kicked him out of the dev program… Just like we have seen with the recent explosion of Mac trojans, the moment someone takes the time to poke through the obscurity of the iOS/App Store security, it will get raped three ways to Sunday… simply because Apple as a company is, to put it politely, very inexperienced when it comes to security… look up how many times iPhone had a lock screen bypass mechanism discovered since it came out. Yeah.

  10. Dan Guido

    Hey Alex, we approached our analysis from an unbiased point of view entirely based on attacker economics and with empirical evidence of attacks in the wild. In terms of bias, I’ve made extensive use of both platforms in the past. I got a G1 within days after it came out and used a Nexus for almost two years. On the other hand, Principals at Trail of Bits have coauthored The Mac Hacker’s Handbook as well as the iOS Hacker’s Handbook and we’re fully aware of weaknesses in Apple products, but that’s not what this research is about.

    In our research, we approached the abuse of each platform from an attacker’s point of view and evaluated why we see certain attacks and why we don’t and won’t see others. Apple has, intentionally or unintentionally, created a platform where the incentives are stacked against attackers who would want to abuse it by implementing methods to reduce the potential revenue of such attacks as well as implementing methods that drastically increase their cost.

    I would encourage you to approach the topic with a more open mind and view the full slide deck on our website at trailofbits.com/research/#mobile-eip

  11. Dan Guido

    Hey Derek, yes, it’s a nice piece of data to have but we have tons of information to point to that say all of these attacks are succeeding. In particular, many firms have published hard numbers related to the mobile attack campaigns like DroidDream, DroidKungfu, Zeahache and others that jailbreak victim phones. This information is typically collected through techniques like DNS sinkholing and some firms release their own statistics regarding phones cleaned of infections from them. At this point, we can say that roughly a million Android phones have been compromised as a result of such malware attacks.
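Comment 11 names DNS sinkholing as the way infection counts for campaigns like these are estimated. The following is an added example, not part of the comment above and not the Trail of Bits data or any vendor’s tooling, of how that counting works once a campaign’s command-and-control names have been pointed at a sinkhole: parse the sinkhole’s query log, map each queried name to a campaign, and count distinct client addresses per campaign, per day and overall. The log lines, the domain-to-campaign table and the BIND-style log format are constructed for the example; the domains are placeholders and are not the infrastructure of any malware named on this page.

```python
"""Estimating campaign infection counts from a DNS sinkhole log (added example)."""
import re
from collections import defaultdict

# Constructed mapping of sinkholed C2 names to campaign labels. The domains are
# placeholders for this example, not the infrastructure of any real malware.
SINKHOLED_DOMAINS = {
    "update.campaign-a.test": "campaign-A",
    "cdn.campaign-a.test": "campaign-A",
    "api.campaign-b.test": "campaign-B",
}

# Constructed BIND-style query log; the format is an assumption for the example.
SAMPLE_LOG = """\
19-Apr-2012 10:01:02.113 client 10.0.0.5#40123: query: update.campaign-a.test IN A +
19-Apr-2012 10:01:09.551 client 10.0.0.5#40124: query: cdn.campaign-a.test IN A +
19-Apr-2012 10:02:44.002 client 10.0.0.9#51000: query: update.campaign-a.test IN A +
19-Apr-2012 10:03:10.777 client 10.0.0.5#40125: query: www.example.com IN A +
19-Apr-2012 10:05:01.300 client 10.0.0.22#6000: query: api.campaign-b.test IN A +
19-Apr-2012 10:05:02.300 client 10.0.0.22#6001: query: api.campaign-b.test IN AAAA +
20-Apr-2012 09:00:00.000 client 10.0.0.9#51001: query: update.campaign-a.test IN A +
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{2}-[A-Za-z]{3}-\d{4}) \S+ client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(text):
    """Yield (day, client_ip, campaign) for each query that hit a sinkholed name."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the report
        campaign = SINKHOLED_DOMAINS.get(m["qname"].lower().rstrip("."))
        if campaign is not None:
            yield m["day"], m["ip"], campaign


def infections_per_campaign(text):
    """Distinct client addresses per campaign, broken down by day and overall.

    A distinct-IP count is only an estimate of infected devices: many phones
    share one address behind carrier NAT (undercount), and one phone whose
    address changes between queries is counted twice (overcount).
    """
    per_day = defaultdict(lambda: defaultdict(set))
    overall = defaultdict(set)
    for day, ip, campaign in parse_queries(text):
        per_day[day][campaign].add(ip)
        overall[campaign].add(ip)
    return (
        {day: {c: len(ips) for c, ips in cs.items()} for day, cs in per_day.items()},
        {c: len(ips) for c, ips in overall.items()},
    )


if __name__ == "__main__":
    by_day, total = infections_per_campaign(SAMPLE_LOG)
    for day in sorted(by_day):
        print(day, by_day[day])
    print("overall", total)
```

On the constructed log this yields two distinct addresses for campaign-A and one for campaign-B; the repeated queries from one client (and the A and AAAA lookups from the same address) are deduplicated, and the query for a name that is not sinkholed is ignored. Because of the NAT effects noted in the docstring, figures derived this way are best reported as a range rather than a point estimate.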

  12. Victoria

    With all due respect guys/fanboys of OS alike/ladies..

    You are arguing over the internet..

    *that’s like running in the special Olympics :D

  13. secreader

    “We looked for iOS malware, but there is none to collect,” he said. “It’s amazing that there’s just none out there.”

    Ooops! They forgot about FinFisher, the publicly available targeted rootkit for iOS:

    krebsonsecurity.com/2011/11/apple-took-3-years-to-fix-finfisher-trojan-hole/

  14. Dan Guido

    Hey secreader, The FinFisher trojan described in that article is for OS X, not iOS.

  15. Anonymous

    Thank you Dan Guido for shooting down many ignorant comments with your knowledgeable research.

  16. Nakarti

    As an Android fan, I really wish the app store(s?) was more strictly policed. These are officially-accepted apps, they *should* be regulated to some degree, but the quantity of garbage has actually gotten so high that I can hardly find what I am looking for.

    They put enough effort, certainly, into preventing user rootkits, they should redirect that effort into preventing app-store rootkit exploits, then only people who rootkit their own phones and are dumb enough to not police their own apps.

  17. Tom Overlund

    Dan, maybe you can comment on what I see as a gaping hole in the argument: How are you supposed to detect iOS malware? Android allows anti-malware applications that actively scan the device. Apple iOS does not.

    “Juniper’s database didn’t include malware samples for iOS, not necessarily because none exist, but because Apple doesn’t release such data or open its platform for such analysis.” (no link because I don’t have an account)

    “Lookout Mobile Security for iPhone was released today to match the company’s Android offerings except for one important difference – it does not detect and remove malware. The way Lookout sees it, for iOS, it does not need to.” (no link because I don’t have an account)

    More like they aren’t even allowed to by Apple.

    Also, maybe I’m blind, but I can’t find a link to the actual report.

  18. Dan Guido

    Hey Tom Overlund, there is an entire industry of security product vendors that are salivating at the mouth for the first iOS malware to be discovered in the wild so they can use it as justification that a problem exists on that platform. In reality, Apple has mitigated the problem at a different and more effective layer in the mobile kill chain, rather than get into an untenable arms race by detecting individual malicious applications. The widespread impact that mass malware has is likely to make it readily apparent when such attacks do occur, since they need to compromise hundreds of thousands of devices in order to accumulate enough revenue to be profitable. In fact, the mass malware that we see developed on both desktops and mobiles is not meant to avoid detection but is rather engineered to frustrate analysis and delay its own removal.

    This research report is called the Mobile Exploit Intelligence Project and was presented at SOURCE Boston. The full briefing can be found on the Trail of Bits research page. As of today, it’s right at the top.

  19. secreader

    “Hey secreader, The FinFisher trojan described in that article is for OS X, not iOS.”

    Dan, thanks for your input. FinFisher ships for iPhone, which means Apple iOS is a premier host for malware. You may wish to update your presentation with this new information. I guess the takeaway is we don’t know how much malware is out there, but iPhone malware is vastly more sophisticated since we know it is being deployed in sufficient quantity to fund multiple European VC-funded startups yet all of it has managed to elude detection by AV vendors.

    govinthelab.com/finfisher-for-all-your-intrusive-surveillance-needs :

    “A version of FinSpy also exists for mobiles, to help authorities “who do not have a telephone interception system” to spy on communications (voice, SMS, MMS, emails) coming from mobile phones (BlackBerry, iPhone, Android or Windows), even if those communications are encrypted. FinSpy also allows the client to access data (contacts, calendars, photos, files) stored on the mobile devices, and to geolocate them in real time.”

    projects.wsj.com/surveillance-catalog/documents/267761-documents-265202-vupen-exploits/

    hackingteam.it/index.php/remote-control-system

    blogs.wsj.com/digits/2011/11/21/surveillance-company-says-it-sent-fake-itunes-flash-updates-documents-show/

    spiegel.de/international/germany/0,1518,799259,00.html

    cultofmac.com/132782/if-you-thought-carrier-iq-scandal-was-bad-wait-till-you-see-latest-wikileaks/

    “Your iPhone could be spying on you, according to the latest trove of documents from Wikileaks, which looks like it could be the biggest scandal yet.

    Called the Spyfiles, it’s a trove of documents about the “mass interception industry” — the massive post-9/11 surveillance community that electronically snoops on entire populations.”

    theinternetpatrol.com/itunes-update-said-to-plant-back-door-for-government-to-access-all-your-data-on-your-computer-or-smartphone/

    “If you were one of an untold number of people who received a particular iTunes update, it will likely have planted a Trojan backdoor on your computer or smartphone (primarily iPhone or Blackberry) which allows government and law enforcement agencies access to your personal data. Let us be quick to add that this is a fake iTunes update. The malware (or “commercial software” depending on which side of this you are on) is sold primarily by three companies: Gamma FinFisher, Vupen Security, and HackingTeam. Gamma’s FinFisher product is from the UK, Vupen Security is out of France, and HackingTeam is in Italy, however all of the companies sell their software around the world.”

  20. secreader

    Here is a video of mobile malware “finspy” in action. iOS is a supported platform for finspy.

    ibtimes.co.uk/articles/264732/20111209/wikileaks-finspy-software-raid-blackberry.htm

    Here is a direct link to the manufacturer data sheet listing iOS as a supported malware platform:

    wikileaks.org/spyfiles/…/291_GAMMA-201110-FinSpy_Mobile.pdf

    With no way to detect FinSpy, we cannot say anything about malware infection rates on iOS other than “we don’t know”. Apple’s strict policies have had an impact, it’s just not the impact you think. By locking AV vendors out of deploying detection sensors to iOS, they’ve made the problem impossible to measure. This is the presentation you SHOULD be giving. You should be talking about how the long arm of the DMCA has made securing iOS impossible and created a monoculture of internet connected microphones, easily compromised by the highest bidder, which the public believes to be secure.

    I admire your research and I often cite it, but here you are helping to build myths. All talks evolve, I hope this one does.

  21. Derek Morr

    Assuming for the sake of argument that there are roughly a million malware-infected Android devices out there, do we have any more detailed information about them? I’d be curious to know:

    * Geographic distribution of infected devices and how that distribution has changed over time

    * which exploits are most commonly used, and how that might have changed over time

    * source of infection (Play Store or third-party markets)

    * which version(s) of Android are most affected.

    Is there any public data on this?

  22. Dan Guido

    Hey secreader, do you own a home burglary alarm? I’d like to report a vulnerability that I identified in it: it’s vulnerable to drone strikes. I verified this by launching a missile at the house next to yours and verified that it did, in fact, blow up despite the fact it had a security system.

    Far too often in information security, we preoccupy ourselves with possible vulnerabilities without considering the likelihood for them to be exploited. Just like your house is unlikely to be targeted for a drone strike, your phone is unlikely to ever come into contact with FinFisher. In our research, we did not identify a single attack that used FinFisher for Android or iOS. If such targeted attacks were to occur, they would behave according to the attacker economics we discussed.

    From another angle, malware is only one piece of an attack that takes place over many steps. The existence of FinFisher and then saying it’s a threat is a functionally equivalent argument to many of those made by other security researchers today: that the vulnerabilities they identified are serious without any holistic understanding of how attacks are performed in the wild. Many people would love to jump to conclusions about how such targeted malware might be used but until we see empirical evidence of it in the wild we’re going to consider it mostly noise.

  23. Dan Guido

    Also, secreader, you’re still confusing OS X with iOS. All of the links you posted discuss MITM iTunes updates to install malware on OS X. None of them discuss whether these attacks are being performed and against who: they are preoccupied with the possible rather than the actual. The point of our research is that we describe how attackers take the realm of possibilities and distill repeatable kill chains out of them.

  24. Anonymous

    As a serious researcher who uses scrubbed and carefully compiled data for statistical analysis in a setting that dictates accuracy, I challenge the challengers to Dan Guido’s report and efforts. Come up with your own accurate data and statistical analysis whose results are contrary to what Dan has done here with his –> trailofbits.com/resources/mobile_eip-04-19-2012.pdf and make your case based on your research and report as Dan has here. Until then, all is just opinion and you know how that goes…

  25. Derek Morr

    Dan, I’ve looked at the slides and have a few questions:

    I agree that the difficulty in patching the OS is a problem. But I still think that you’re overstating the problem. Most of the malware is in third-party markets, which are disallowed by default on most devices.

    On slides 31-34, you compare the iOS App Store to the Android Play Store. You seem to suggest that the Play Store’s security is poor because Bouncer performs dynamic analysis and developers can submit faked user data. But Google’s blog post on Bouncer (it’s the only official docs I know of) claims that Bouncer “analyze[s] new developer accounts to help prevent malicious and repeat-offending developers from coming back.” Doesn’t that mitigate your claims about blocking identities? Also, wouldn’t Bouncer’s dynamic analysis address your concerns on slide 33?

    On slide 42, you list common vulnerabilities. Based on the distribution data, it appears that we should be most concerned about GingerBreak, which is ineffective in 2.3.5 and higher. Do we have good data on which phones run which versions of Gingerbread? Unfortunately, Google’s Android version chart is grouped by API level not version, so I think we’d have to manually check Android versions for current phones (and then weight this by phone popularity).

    On slide 51, you say that SE Android doesn’t protect against kernel exploits. Could you clarify what you mean by this? While an SE Linux machine is still susceptible to some kernel exploits, it’s much harder to reach those exploits since the attack surface is reduced (i.e., fewer processes can query /proc, /dev, etc).

    Also on slide 51, you mention the incomplete ASLR implementation on Android. On Jon Oberheide’s blog post about that, a Google engineer (Nick Kralevich) commented that the code to randomize the remaining components (the linker mapping and executable mapping) has been developed and will ship in a future version of Android (unfortunately it didn’t make it into 4.0.4).

  26. Derek Morr

    “the one piece of data that I don’t have but would like to is relative rates of infection for each attack campaign / malware”

    Isn’t that the single most important piece of data? I don’t so much care if people are trying to attack devices. I care if those attacks are succeeding.

  27. Anonymous

    Google don’t police their marketplace – at all. So the question is “would you feel safer without a police force?”

    Your “dictatorship” jibe is somewhat off the money, Apple don’t dictate what you do with your device, they limit application availability to:

    1) Working

    2) Legal

    3) Ethical

    4) Non-Malware

    Now for the vast majority of users these limits are helpful. Now if you are a sociopath, who wants software that doesn’t work, or violates your privacy – well then it’s a bad thing.

  28. Anonymous

    except flashback isn’t a virus. For the most part there still are no viruses for osx. If you’d actually looked into what you’re talking about you would discover that flashback is a trojan exploit in java. Java no longer ships with osx as of lion. So you have to go install it yourself separately.

  30. Anonymous

    Flashback isn’t a virus, but it’s not a “trojan exploit in java”. The trojans were in the “Mach-O” binary format. Most of these trojans were delivered by tricking the user into thinking they were installing a Flash update. The remaining trojans were installed via one of a set of Java exploits.

    Native code ain’t Java. Check your own facts before you slam others.
