Google Android App Verification Service “Fragile,” Researcher Says

A security researcher at North Carolina University has found that the app verification service used by Google to determine whether a particular Android application is malicious is “fragile and can be easily bypassed.”

The study comes roughly a month after Google announced the inclusion of an application verification feature as part of Android 4.2, known as “Jelly Bean.” In Jelly Bean, users can choose to enable a “Verify Apps” feature that will screen an application prior to installation. In his report, Associate Professor Xuxian Jiang discovered that when he targeted Nexus 10 tablets running Android 4.2 with 1,260 malware samples, only 193 were detected by the service.

“Specifically, our study indicates that the app verification service mainly uses an app’s SHA1 value and the package name to determine whether it is dangerous or potentially dangerous,” he writes. “This mechanism is fragile and can be easily bypassed. It is already known that attackers can change with ease the checksums of existing malware (e.g., by repackaging or mutating it).”

“To be more effective, additional information about the app may need to be collected,” he added. “However, how to determine the extra information for collection is still largely unknown — especially given user privacy concerns.”
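The fragility Jiang describes can be reproduced offline. The following is an added example, not code from the report or from Google: it compares a blocklist keyed on package name plus whole-file SHA-1 with one keyed on a digest of the uncompressed code entries. The sample archive, the `content_fingerprint` key and all names in it are constructed assumptions.

```python
import hashlib
import io
import zipfile

def build_archive(entries, compression=zipfile.ZIP_DEFLATED):
    """Build an in-memory ZIP (an APK is a ZIP container) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            # Fixed timestamp keeps the output deterministic.
            info = zipfile.ZipInfo(name, date_time=(2012, 12, 1, 0, 0, 0))
            info.compress_type = compression
            zf.writestr(info, data)
    return buf.getvalue()

def file_sha1(blob):
    """Whole-file SHA-1: the value the report says the service relies on."""
    return hashlib.sha1(blob).hexdigest()

def content_fingerprint(blob):
    """Assumed alternative key: digest over the uncompressed .dex entries."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in sorted(n for n in zf.namelist() if n.endswith(".dex")):
            h.update(name.encode() + b"\0" + hashlib.sha256(zf.read(name)).digest())
    return h.hexdigest()

# Constructed sample: placeholder bytes stand in for an app already on a blocklist.
PACKAGE = "com.example.sample"
ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.sample'/>",
    "classes.dex": b"constructed placeholder code bytes",
}
KNOWN = build_archive(ENTRIES)
# Same entries, rebuilt with different container settings (no content change).
REBUILT = build_archive(ENTRIES, compression=zipfile.ZIP_STORED)

SHA1_BLOCKLIST = {(PACKAGE, file_sha1(KNOWN))}
CONTENT_BLOCKLIST = {content_fingerprint(KNOWN)}

def flagged_by_sha1(package, blob):
    return (package, file_sha1(blob)) in SHA1_BLOCKLIST

def flagged_by_content(blob):
    return content_fingerprint(blob) in CONTENT_BLOCKLIST

if __name__ == "__main__":
    for label, blob in (("known", KNOWN), ("rebuilt", REBUILT)):
        print(label, file_sha1(blob)[:12],
              flagged_by_sha1(PACKAGE, blob), flagged_by_content(blob))
```

The content-based key only survives container-level differences; it still misses a sample whose code bytes differ, which is consistent with the report treating the choice of extra signal as an open question.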

Jiang is one of the minds behind the Android Malware Genome Project, which is an effort to catalog and analyze Android malware. According to Jiang, when an application is installed and the verification service is turned on, it will collect and send information about the app – its name, size, SHA1 value, etc. – as well as information about the device to the Google cloud. Afterwards, the device will receive a response, and if the application is unsafe the user will see a warning declaring it either dangerous or potentially dangerous.

Jiang notes that the new service relies largely on the server component in the cloud to determine whether an app is malicious or not.  

“Unfortunately, it is not realistic to assume that the server side has all existing malware samples (especially with limited information such as app checksums and package names),” according to Jiang. “From another perspective, the client side, in the current implementation, does not have any detection capability, which suggests possible opportunity for enhancement. However, due to the limited processing and communication power on mobile devices, we need to strike a delicate balance on how much detection capability can and should be offloaded.”

Google did not respond to a request for comment before publication.

Jiang also found that the detection rates of antivirus engines were significantly higher than that of the service, with AV detection ranging from 51.02 percent to 100 percent and the service’s detection rate at 20.41 percent.

“Last but not least, we notice that VirusTotal (owned by Google) has not been integrated yet into this app verification service,” he writes. “From our measurement results, VirusTotal performs much better than this standalone service. For improved detection results, we expect such integration in the future will be helpful.”
