Google’s brand new application verification service for Android, released in JellyBean 4.2, fails to measure up to its commercial counterparts, according to researchers from North Carolina State University.
The new service determines whether applications installed on Android devices are malicious, yet in comparisons with 10 leading antivirus engines, and even Google’s newly acquired VirusTotal scanner, the new service detects at best 20 percent of Android malware.
“By introducing this new app verification service in Android 4.2, Google has shown its commitment to continuously improve security on Android,” said Xuxian Jiang, associate professor in the department of computer science at N.C. State. “However, based on our evaluation results, we feel this service is still nascent and there exists room for improvement.”
Jiang ran 1,260 Android malware samples on Nexus 10 tablets running Android 4.2; the service detected 193 infections, a rate of 15.3 percent. In a separate experiment, comparing the service against leading commercial antivirus engines using a random sample of malware, the commercial products detected between 51 percent and 100 percent of the malware, compared to the service’s detection rate of 20.41 percent.
The new service, which is not turned on by default, was released with JellyBean 4.2 on Nov. 13. It is implemented in the Google Play application, but will work with apps from the Google Play marketplace and other app stores. The service analyzes an application upon installation, sending the size, hash signature, version and URL from where it came, along with device information to the Google Cloud. A detection result is sent back; apps flagged as dangerous are blocked while those marked potentially dangerous send the user a warning and the option to proceed.
Jiang said the weakness in the service is in its reliance on the application’s SHA1 hash value and package name as an indicator of whether it is dangerous.
“This mechanism is fragile and can be easily bypassed,” Jiang said. “It is already known that attackers can change with ease the checksums of existing malware (e.g., by repackaging or mutating it). To be more effective, additional information about the app may need to be collected. However, how to determine the extra information for collection is still largely unknown — especially given user privacy concerns.”
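The fragility of hash-keyed matching can be seen in a short added example (not code from the researchers or from Google). It assumes a simplified server model that flags an exact (package name, file SHA-1) pair, uses in-memory ZIP archives with placeholder bytes as stand-ins for APKs, and compares that lookup with a hypothetical per-entry digest check; all names in it are illustrative.

```python
import hashlib
import io
import zipfile

PACKAGE = "com.example.flagged"  # constructed package name

def build_archive(entries):
    """Build an in-memory ZIP standing in for an APK from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            # Fixed timestamp keeps the archive bytes deterministic.
            zf.writestr(zipfile.ZipInfo(name, date_time=(2012, 11, 13, 0, 0, 0)), data)
    return buf.getvalue()

def file_sha1(blob):
    """SHA-1 over the whole package file, the value the article says is sent."""
    return hashlib.sha1(blob).hexdigest()

def entry_sha1s(blob):
    """SHA-1 of each archive entry's uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {n: hashlib.sha1(zf.read(n)).hexdigest() for n in zf.namelist()}

def verdict_by_file_hash(blob, package, blocklist):
    """Assumed server model: exact match on (package name, file SHA-1)."""
    return "dangerous" if (package, file_sha1(blob)) in blocklist else "unknown"

def verdict_by_code_hash(blob, bad_code_hashes):
    """Hypothetical alternative: match on the digest of the code entry only."""
    return "dangerous" if entry_sha1s(blob).get("classes.dex") in bad_code_hashes else "unknown"

# Constructed sample: placeholder bytes, not a real app or real malware.
BASE = {"AndroidManifest.xml": b"<manifest package='com.example.flagged'/>",
        "classes.dex": b"constructed placeholder code bytes"}
KNOWN = build_archive(BASE)
# Repackaged copy: same code entry, one unrelated resource added.
REPACKAGED = build_archive({**BASE, "assets/readme.txt": b"hello"})

BLOCKLIST = {(PACKAGE, file_sha1(KNOWN))}
BAD_CODE = {entry_sha1s(KNOWN)["classes.dex"]}

if __name__ == "__main__":
    for label, blob in (("known", KNOWN), ("repackaged", REPACKAGED)):
        print(label, file_sha1(blob)[:12],
              verdict_by_file_hash(blob, PACKAGE, BLOCKLIST),
              verdict_by_code_hash(blob, BAD_CODE))
```

The per-entry digest survives repackaging only while the code entry itself is byte-identical; any mutation of that entry changes its hash too, which is why the choice of what extra information to collect remains the open question Jiang describes.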
Another thing working against the service is that it also relies on Google’s cloud service to determine whether an application is malicious.
“Unfortunately, it is not realistic to assume that the server side has all existing malware samples (especially with limited information such as app checksums and package names),” Jiang said. “From another perspective, the client side, in the current implementation, does not have any detection capability, which suggests possible opportunity for enhancement. However, due to the limited processing and communication power on mobile devices, we need to strike a delicate balance on how much detection capability can and should be offloaded.”
Google, meanwhile, has apparently not yet integrated its VirusTotal acquisition into the service. Jiang did a separate evaluation using VirusTotal and learned it performed better than the new service.
This isn’t the first time Google’s security mechanisms for Android have come up short. Google Bouncer, introduced earlier this year into the Google Play marketplace, scans submitted applications for malware. By June, researchers Charlie Miller and Jon Oberheide had found a way to relatively easily bypass Bouncer.