Android is ‘low-hanging fruit’ for cyber-criminals
The rapid expansion of the Android operating system is being mirrored by an alarming increase in the amount of malware targeting it, according to a cyber-security expert.
In September Google announced that it had activated more than one billion Android devices throughout the world, and with more than one million installed apps and a market share of 35 per cent, Google Play has generated revenues exceeding $9bn (£5.6bn).
And while Apple’s iOS operating system is also beginning to be targeted, according to Dr Lorenzo Cavallaro from the Information Security Group at Royal Holloway University, Android’s ubiquity has made it a more tempting target for cyber-criminals.
“They both have issues, but the things people are now targeting are Android because it’s just easier. It’s the low-hanging fruit,” he said at an event organised by cyber-security vendor Sourcefire in London today.
“Google are really trying to detect malicious apps on their marketplace but of course the process, like everything else, is not perfect and stuff still slips through.”
Researchers have documented privacy breaches in which sensitive information such as contacts or GPS coordinates has been extracted; malware that makes premium-rate calls and sends premium-rate SMS messages; and colluding malware that bypasses the two-factor authentication schemes used by online banking.
According to Cavallaro, a particular problem is the open nature of Google Play and other third-party Android marketplaces, which has allowed them to be abused to host malware or seemingly legitimate applications with malicious components embedded within.
Recent research by academics at North Carolina State University found Google’s app verification software had a detection rate of just 15 per cent on a set of 1,260 samples that had been widely shared within the research community.
And while Google has tried to establish a principle of ‘least authority’, by which apps request the fewest permissions necessary for the software to operate, developers do not always follow this rule, and users are faced with either allowing all of the permissions requested or not having access to the app.
“Some developers don’t really understand the permissions very well and so end up requesting more permissions than the program needs to work,” said Cavallaro.
This combination of a poorly implemented permissions system, an under-regulated app market and a market-leading position means Android stands to become “the Windows of mobile” – the target of choice for hackers and cybercriminals.
But as the threat is still emerging, researchers know little about mobile malware and how it behaves, which is why Cavallaro believes the first task facing the cyber-security community is one of analysis.
“It’s not clear yet whether we are just dealing with the same threat on a different device with a few more challenging elements or if it’s a completely new threat,” he said.
To this end, Cavallaro’s team has created CopperDroid, an Android device emulator that performs dynamic behavioural analysis of Android malware by stimulating the programs in a manner similar to a smartphone user.
The emulator has so far been tested on 2,900 Android malware samples and has managed to stimulate suspicious behaviours in nearly 65 per cent of the sample set – a vast improvement on Google’s app verification software.
“We could see that 65 per cent of apps tried to create files, 40 per cent accessed personal information, 33 per cent performed network access tasks, 12 per cent executed external applications, 3 per cent of the apps sent SMS and 4 per cent tried to make or alter calls,” he said.
But despite the promising results, Cavallaro admits his research is a long way off being able to provide concrete protection for Android users.
And with Perkele – the first example of a developer kit designed to help wannabe hackers create malware for Android – discovered earlier this year, the race is on to get the defences up before a tide of less proficient cyber-criminals begins to take advantage of the Android environment’s vulnerabilities.
“What we want to do is slow down the second wave: the great unwashed who are using kits rather than working stuff out themselves. Those are the people we want to stop,” said Dominic Storey, EMEA technical director for Sourcefire.