Google Android App Verification Service “Fragile,” Researcher Says

A security researcher at North Carolina University has found that the app verification service used by Google to determine whether a particular Android application is malicious is “fragile and can be easily bypassed.”

The study comes roughly a month after Google announced the inclusion of an application verification feature as part of Android 4.2, known as “Jelly Bean.” In Jelly Bean, users can choose to enable a “Verify Apps” feature that will screen an application prior to installation. In his report, Associate Professor Xuxian Jiang discovered that when he targeted Nexus 10 tablets running Android 4.2 with 1,260 malware samples, only 193 were detected by the service.  

“Specifically, our study indicates that the app verification service mainly uses an app’s SHA1 value and the package name to determine whether it is dangerous or potentially dangerous,” he writes. “This mechanism is fragile and can be easily bypassed. It is already known that attackers can change with ease the checksums of existing malware (e.g., by repackaging or mutating it).”

“To be more effective, additional information about the app may need to be collected,” he added. “However, how to determine the extra information for collection is still largely unknown — especially given user privacy concerns.”‘

Jiang is one of the minds behind the Android Malware Genome Project, which is an effort to catalog and analyze Android malware. According to Jiang, when an application is installed and the verification service is turned on, it will collect and send information about the app – its name, size, SHA1 value, etc – as well as information about the device to the Google cloud. Afterwards, the device will receive a respond back, and if the application is unsafe the user will see a warning declaring it either dangerous or potentially dangerous.

Jiang notes that the new service relies largely on the server component in the cloud to determine whether an app is malicious or not.  

“Unfortunately, it is not realistic to assume that the server side has all existing malware samples (especially with limited information such as app checksums and package names),” according to Jiang. “From another perspective, the client side, in the current implementation, does not have any detection capability, which suggests possible opportunity for enhancement. However, due to the limited processing and communication power on mobile devices, we need to strike a delicate balance on how much detection capability can and should be offloaded.”

Google did not respond to a request for comment before publication.

Jiang also found that the detection rates of antivirus engines were significantly higher than the service, with AV detection ranging from 51.02 percent to 100 percent and the service’s detection at 20.41 percent.

“Last but not least, we notice that VirusTotal (owned by Google) has not been integrated yet into this app verification service,” he writes. “From our measurement results, VirusTotal performs much better than this standalone service. For improved detection results, we expect such integration in the future will be helpful.”