Bitdefender Blog

Android "Bouncer" is a welcome step, but it may not keep users safe on its own

by Catalin Cosoi, on 03 February 2012

Securing the Android Market is a good idea. But it doesn’t eliminate the need for a security solution installed directly on the device. According to our stats, only 0.5% of known malicious apps were found on Google’s Android Market. Because people will always search for the best choice, they are likely to install applications from other third-party markets as well - which means they are still at risk from malware.

According to the latest post on Google’s Mobile Blog by Hiroshi Lockheimer, VP of Engineering on Android, Google will provide automated scanning of Android Market for potentially malicious software.

The new service, codenamed Bouncer, will perform a set of analyses on new applications, applications already in Android Market, and developer accounts. Once an application is uploaded, the service immediately starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect red flags. Bouncer will actually run every application on Google’s cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior. It will also analyze new developer accounts to help prevent malicious and repeat-offending developers from coming back.

As a security company, we welcome this step toward better security in the Android Market. Admitting that mobile malware is a problem will definitely raise awareness among users, but we strongly believe the phenomenon will not stop here. According to statistics provided by Bitdefender Mobile Security, we saw a serious increase in malware families in 2011. While in 2010 we had just 3-4 malware strains, in 2011 we discovered more than 100 malware families - a 4500% increase which generated close to 10 000 malicious applications.

Significantly, there are several other websites from which Android users can install applications. In fact, most of the malicious applications we discovered were hosted on third-party markets and not directly on Google’s Market.

Malware writers usually use the following three steps:

1. Download legit applications from Google’s Android Market

2. Embed the malicious code

3. Upload the freshly created malicious app to a different App Store
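A defensive check for the repackaging pattern in the three steps above, as an added example that is not from the original post: it diffs a third-party APK against the official build of the same version, entry by entry. The archive contents, file names and the 0.5 overlap threshold are constructed assumptions, and comparing hashes of the `META-INF/` files stands in for parsing the signing certificate.

```python
import hashlib
import io
import zipfile

def build_apk(files):
    """Build an in-memory ZIP standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def entry_digests(apk_bytes):
    """Map every archive entry to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {n: hashlib.sha256(z.read(n)).hexdigest() for n in z.namelist()}

def compare_to_official(official, candidate, min_overlap=0.5):
    """Diff a third-party APK against the official build of the same version."""
    ref, cand = entry_digests(official), entry_digests(candidate)
    is_sig = lambda n: n.startswith("META-INF/")  # v1 (JAR) signature files
    payload = [n for n in ref if not is_sig(n)]
    unchanged = [n for n in payload if cand.get(n) == ref[n]]
    report = {
        "resigned": {n: ref[n] for n in ref if is_sig(n)}
                    != {n: cand[n] for n in cand if is_sig(n)},
        "modified": sorted(n for n in payload if n in cand and cand[n] != ref[n]),
        "added": sorted(n for n in cand if n not in ref and not is_sig(n)),
        "overlap": len(unchanged) / len(payload) if payload else 0.0,
    }
    # Repackaging signature: mostly identical content, changed code, new signature.
    report["likely_repackaged"] = (
        report["resigned"]
        and bool(report["modified"] or report["added"])
        and report["overlap"] >= min_overlap
    )
    return report

# Constructed sample archives (not real applications).
SHARED = {"res/layout/main.xml": b"<layout/>", "res/drawable/icon.png": b"icon",
          "assets/level1.dat": b"level-data"}
OFFICIAL = build_apk({**SHARED, "AndroidManifest.xml": b"<manifest/>",
                      "classes.dex": b"dex-original",
                      "META-INF/CERT.SF": b"sf-a", "META-INF/CERT.RSA": b"cert-a"})
THIRD_PARTY = build_apk({**SHARED, "AndroidManifest.xml": b"<manifest extra-perm/>",
                         "classes.dex": b"dex-modified",
                         "lib/armeabi/libextra.so": b"native-code",
                         "META-INF/CERT.SF": b"sf-b", "META-INF/CERT.RSA": b"cert-b"})
```

The check only works when the reference is the same version of the app; a legitimate update also changes code and signature files while keeping the developer's certificate.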

Securing the Android Market is definitely a good idea, but it doesn’t eliminate the need for a security solution installed directly on the device, as people want choices and will definitely install applications from other third-party markets as well. According to our stats, only 0.5% of these malicious apps were found on Google’s Android Market.

Also, based on our experience with malware analysis, malware writers will seek a way around security. For instance, in the PC malware world, we use virtual machines to analyze the behavior of the different samples we discover. Over time, malware writers added routines to detect whether the virus runs on a real computer or in a virtual environment, and they modified their software to act legit when running in a controlled environment. We might see the same phenomenon here, as Bouncer is a service that will emulate all apps uploaded to the Android Market. On top of that, the Android API offers the possibility to detect whether an app runs in an emulator or directly on a device. So there is a high chance that we’ll see apps behaving correctly when run on a simulator and turning malicious when run on the mobile device.

We congratulate Google for taking security one step further, but there is much more to be done in order to keep users safe.

Catalin Cosoi

Chief Security Researcher

On Feb.3.2012 10:21

Jenni said

Ohh great, now I need a police with me when I go to dubious markets to buy weed. Please stop selling snake oil. People that download applications from other markets are responsible for what they do, and Antivirus only gave them a false sense of security. No antivirus could detect a carefully crafted malware until it is widespread and the virus database is updated with the malware signature, so people are not safe. Even people on closed markets like Apple's walled garden: just write an application that starts acting as malware 6 months from now, and Apple will not detect it.
