Most Android malware samples can be found clinging to some sort of knockoff of a legitimate application. Hiding in plain sight like that, they sometimes find their way into Google Play or any one of the dozens of less-patrolled Android markets.
Researchers at Indiana University believe they’ve come up with an effective approach to ferreting out malicious Android apps from online stores. A scanner called MassVet that was unveiled during the recent USENIX Security Symposium does not rely on signatures or behavior-based detection, the researchers said. Instead, it compares methods in Android programming between known legitimate apps and potentially harmful ones to separate benign from malicious apps.
“What we can do is to simply compare the code of related apps (an app and its repackaged versions, or those repackaged from the same app) to check their different part, and unrelated apps (those of different origins, signed by different parties) to inspect their common part to identify suspicious code segments (at the method level),” wrote researchers Kai Chen, Peng Wang, Yeonjoon Lee, XiaoFeng Wang, Nan Zhang, Heqing Huang, Wei Zou and Peng Liu, in their paper: “Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale.” “These segments, once found to be inexplicable (e.g., not common libraries), are almost certain to be malicious.”
Using their scanner, the researchers found potentially harmful apps in 33 Android markets worldwide including Google Play. More than one million apps were scanned and 100,000 potentially malicious apps were uncovered, the researchers said, including almost 20 containing exploits for zero-days.
“Unlike existing detection mechanisms, which often utilize heavyweight program analysis techniques, our approach simply compares a submitted app with all those already on a market, focusing on the difference between those sharing a similar UI structure (indicating a possible repackaging relation), and the commonality among those seemingly unrelated,” the researchers wrote. “Once public libraries and other legitimate code reuse are removed, such diff/common program components become highly suspicious.”
In Google Play, the researchers said, 7.6 percent of the 400,000 apps they scanned were malicious, a number that contradicts Google’s recent Android Security Report, which put the figure at 0.1 percent. The biggest offenders were four Chinese Android marketplaces: Anzhi (39 percent of scanned apps malicious); Yidong (36 percent); yy138 (28 percent); and Anfen (23 percent). Some of the malicious behaviors the researchers observed put user privacy at risk; others were profit-motivated, such as premium SMS scams.
The discrepancy between the researchers’ numbers and Google’s calls into question the efficacy of Bouncer, or Google’s Verify Apps feature, which scans apps as they’re submitted to Google Play for known malicious code. The researchers said in their paper that they found 400 malicious apps in Google Play that had been downloaded more than one million times, and 2,000 others that had been downloaded at least 50,000 times, all of which had been uploaded in the last 14 months.
“Running MassVet over 400,000 Google Play apps, we found that on the Play Store, oftentimes, PHAs have been removed only after days (40 or even 90 days),” the researchers said. “Also, Google apparently only removed all the PHAs under the same authors when they share the same attack code but failed to do that across different authors: even after a PHA is removed, other apps with the same attack code can still be there.”
Many authors of malicious apps simply re-upload their apps to Google Play, the researchers said, sometimes changing only the name without modifying the code; some authors, the paper said, registered more than 400 accounts and wrote over 1,500 harmful apps.
The researchers said MassVet can scan an application in 10 seconds and is a useful tool that moves away from signature-based detection, one they hope will make attackers think twice about piggybacking on seemingly legitimate apps.
“This practice makes such malware stand out from other repackaged apps, which typically incorporate nothing but advertising libraries,” the researchers wrote. “Also as a result of the approach, similar code (typically in terms of Java methods) shows up in unrelated apps that are not supposed to share anything except popular libraries.”
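The diff/common comparison the researchers describe (diffing an app against its repackaged relatives, intersecting it with unrelated apps, and discarding known libraries) can be sketched in a few dozen lines. The following is an added illustration written for this article, not MassVet's own code: it stands in for the paper's UI-structure similarity with a single constructed `ui_hash` label, uses constructed method fingerprints in place of real Java methods, and uses a hand-made library allowlist (`COMMON_LIBS`). The market, app names and signer labels are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    """A market app reduced to what the diff/common comparison needs.

    ui_hash is a constructed stand-in for MassVet's UI-structure similarity:
    two apps with the same ui_hash are treated as a repackaging pair.
    methods are constructed fingerprints standing in for Java methods.
    """
    name: str
    signer: str
    ui_hash: str
    methods: frozenset


def repackaging_pair(a: App, b: App) -> bool:
    # Same UI structure, different signing party: one is likely a repackage of the other.
    return a.ui_hash == b.ui_hash and a.signer != b.signer


def unrelated(a: App, b: App) -> bool:
    # Different origin and different signer: nothing beyond popular libraries should be shared.
    return a.ui_hash != b.ui_hash and a.signer != b.signer


def diff_analysis(candidate: App, market: list, libs: frozenset) -> dict:
    """Methods the candidate adds on top of each repackaging relative, libraries removed."""
    flagged = {}
    for other in market:
        if repackaging_pair(candidate, other):
            extra = candidate.methods - other.methods - libs
            if extra:
                flagged[other.name] = extra
    return flagged


def com_analysis(candidate: App, market: list, libs: frozenset) -> dict:
    """Methods the candidate shares with each unrelated app, libraries removed."""
    flagged = {}
    for other in market:
        if unrelated(candidate, other):
            shared = (candidate.methods & other.methods) - libs
            if shared:
                flagged[other.name] = shared
    return flagged


def vet(candidate: App, market: list, libs: frozenset) -> dict:
    """Run both analyses and union the inexplicable method fingerprints."""
    diff = diff_analysis(candidate, market, libs)
    com = com_analysis(candidate, market, libs)
    suspicious = frozenset().union(*diff.values(), *com.values())
    return {"diff": diff, "com": com, "suspicious": suspicious}


# Constructed sample market. Every name below is made up for illustration.
COMMON_LIBS = frozenset({"com/example/ads/AdView.load"})

ORIGINAL = App("photo_editor", "vendorA", "ui:photo",
               frozenset({"com/vendorA/Editor.apply", "com/vendorA/Filter.blur",
                          "com/example/ads/AdView.load"}))
# Same UI as ORIGINAL, different signer, two extra methods: a repackaged copy.
REPACKAGED = App("photo_editor_free", "uploaderX", "ui:photo",
                 ORIGINAL.methods | {"com/x/Sms.sendPremium", "com/x/Loader.fetchPayload"})
# Unrelated UI and signer, but carries the same two extra methods.
UNRELATED = App("flashlight", "uploaderY", "ui:torch",
                frozenset({"com/y/Torch.on", "com/example/ads/AdView.load",
                           "com/x/Sms.sendPremium", "com/x/Loader.fetchPayload"}))
# Shares only the ad library with everyone else.
CLEAN_GAME = App("puzzle", "vendorB", "ui:puzzle",
                 frozenset({"com/vendorB/Game.start", "com/example/ads/AdView.load"}))
MARKET = [ORIGINAL, REPACKAGED, UNRELATED, CLEAN_GAME]


def vet_against_market(candidate: App) -> dict:
    """Compare one app with every other app in the constructed market."""
    others = [a for a in MARKET if a.name != candidate.name]
    return vet(candidate, others, COMMON_LIBS)


if __name__ == "__main__":
    for app in MARKET:
        report = vet_against_market(app)
        print(app.name, "->", sorted(report["suspicious"]) or "nothing inexplicable")
```

Running it flags the same two fingerprints in `photo_editor_free` twice over (once as the diff against its original, once as the commonality with the unrelated flashlight), flags the flashlight through the common analysis alone, and leaves the original and the puzzle game clean because the only method they share with anyone is on the library allowlist. That last step is the load-bearing one: without a good allowlist, every popular SDK would be reported as shared attack code.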