Raimund Genes - CTO. Security under Android. Copyright 2013 Trend Micro Inc.
Android has been designed with security in mind!
Security in Mind? Android is a privilege-separated operating system. Each application runs under a unique Linux user ID. No application has permission to impact other applications. Applications can't access the network without prior consent.
Security in Mind? When installing an application, the user is requested by the app package installer to grant permission(s).
But! Then, before or while running the application, it is never checked again by the user. If the permission was granted, the app can then use the desired features without prompting the user – forever!
So: With clever social engineering the bad guys convince the users to install a „useful“ application, the user willingly gives permission, and bingo – the device could be misused.
Industry Trends: Malware increasing on “App Stores”
Android Malware
• 10K: Middle of 2012!
• 100K: End of 2012!
http://blog.trendmicro.com/how-big-will-the-android-malware-threat-be-in-2012/
Chris DiBona from Google, November 2011:
“virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself.”
“The barriers to spreading such a program from phone to phone are large and difficult enough to traverse when you have legitimate access to the phone, but this isn’t independence day, a virus that might work on one device won’t magically spread to the other.”
All the major vendors have app markets, and all the major vendors have apps that do bad things, are discovered, and are dropped from the markets.
Industry Trends: Google’s Bouncer
Google Bouncer: “Gone to the Gym”
Extended Network: The App Markets. Use Case: Personal data exfiltration via an Android Market. [Diagram labels: App Market; Infiltration; Exfiltration & Exploits]
Android Malware: 120,000; 300,000+
ANDROIDOS_JIGENSHA.A
Impact Scope: 760,000 users' data leaked online in Japan.
Malicious Behavior: The malware collects the user's contact list, including phone numbers and names, then sends them to a remote server.
Your phone as your wallet
Samsung’s Knox software
Types of Threats
• Spying Tools: Track user data like GPS and send to a 3rd party
• Rooter: Hacks phone to take control
• Premium Service: Secretly subscribes user to paid services
• Data Stealer: Steals personal information
• Malicious Downloader: Downloads new apps without user consent
• Click Fraud: Triggers pay-per-click activity on the device
Viruses for Android
Where’s the problem?
That’s why we don’t see this under iOS
Mobile App Reputation
• Mobile App Reputation is a cloud-based technology that automatically identifies mobile threats based on app behavior
– Crawl & collect huge number of Android apps from various Android Markets
– Identifies existing and brand new mobile malware
– Identifies apps that may abuse privacy / device resources
– World’s first automatic mobile app evaluation service
• Malware?
• Privacy Risk?
• High Resource Consumption?
[Diagram labels: Mobile App Reputation; Apps; No Issues; Issue Identified]
Mobile App Reputation
Collects Apps and scans them in the cloud
1. Static Analysis: Dissects app code and private data access.
2. Correlates web queries with Smart Protection Network
3. Dynamic Analysis: Activates app to analyze actual behaviour
4. Generates reputation scores and detailed report
Mobile Application Reputation Architecture
• Data Bus / Control Bus
• MSR (Mobile Sourcing)
• MPAFI (Mobile PAFI)
• MSA (Mobile Static Analyzer)
• MDA (Mobile Dynamic Analyzer)
• MSE (Mobile Scoring Engine)
• MDS (Mobile Data Store)
• SPN (Smart Protection Network)
• WRS/FRS Correlate Services
PAFI: Pre-Analysis File Interscan
The Service
• Appstore submits new apps: FTP, Crawler, Web Upload
• Apps are scanned
• Report is provided: HTML, XML, EMAIL
• Appstore removes bad apps and adds detailed info to app listings
Information provided by MARS: MARS Sample Report
Developers!
• Make sure you know what public libraries do before you use them!
• Corporate customers are very sensitive regarding Data Leakage!
• CPU load and Battery impact play a bigger and bigger role in App selection!
• Quick and Dirty might not be the way to go for a sustainable business!
• If you write Apps for a 3rd party, expect that the App will be tested not only for functionality but also for potential risks and negative impacts
Mid of May: mars.trendmicro.com to check the rating of your App