Android's built-in malware scanner gets a failing grade

A computer scientist has uncovered weaknesses in the application verification service Google recently rolled out to help users detect malicious apps on their Android smartphones and tablets.

"By introducing this new app verification service in Android 4.2, Google has shown its commitment to continuously improve security on Android," Xuxian Jiang, a professor of computer science at North Carolina State University, wrote in a brief report published Monday. "However, based on our evaluation results, we feel this service is still nascent and there exists room for improvement."

Jiang exposed Nexus 10 tablets running the Jelly Bean version of Android to 1,260 samples of malicious apps and found that the built-in scanner detected only 193 of them. That indicates a detection rate of just 15.32 percent.

Jiang also found the performance of Google's app verification lagged well behind that of 10 representative antivirus apps offered by third-party companies such as Avast, Symantec, and Kaspersky Lab. He did this by picking a pseudo-random sample from each of 49 malware families. Overall, the detection rates of the AV packages ranged from 51 percent to 100 percent, compared with 20 percent for the Google service, which is included with the Google Play app. The scanning service, which examines apps downloaded from Google Play as well as from alternate sources, is optional, although it is on by default. Jiang's report did not rank the specific AV apps or list the detection rate for each one by name.


A chief reason the app verification service misses so much malware is its reliance on cryptographic hashes (checksums) of the whole app package to identify apps already known to be malicious.

"This mechanism is fragile and can be easily bypassed," Jiang wrote. "It is already known that attackers can change with ease the checksums of existing malware (e.g., by repackaging or mutating it). To be more effective, additional information about the app may need to be collected. However, how to determine the extra information for collection is still largely unknown—especially given user privacy concerns."
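To make the checksum point concrete, here is an added illustration that is not part of Jiang's report or the Ars Technica article. An APK is a ZIP archive, so the script below builds a tiny APK-like archive in memory and shows that simply re-zipping it with a new timestamp, or adding a harmless asset file, changes the whole-package SHA-256 that a checksum blocklist keys on, while the bytes of classes.dex are untouched. The archive contents, the blocklist layout and the per-entry fallback check are all constructed for this example; the payload is not a real DEX file and nothing here is a real malware sample.

```python
import hashlib
import io
import zipfile

# Constructed sample data: stands in for the code and manifest of a known-bad app.
# These bytes are made up for the example; they are not a valid DEX file.
DEX_PAYLOAD = b"dex\n035\0" + b"\x00" * 16 + b"fake-classes.dex-body"
MANIFEST = b"<manifest package='com.example.sample'/>"


def build_apk(extra_entries=None, stamp=(1980, 1, 1, 0, 0, 0), dex=DEX_PAYLOAD):
    """Build an in-memory ZIP that mimics an APK.

    Entry timestamps, entry set and compression all land in the archive bytes,
    so a repackaging step changes the archive without changing the code in it.
    A fixed timestamp is used so the output is reproducible.
    """
    entries = {"AndroidManifest.xml": MANIFEST, "classes.dex": dex}
    entries.update(extra_entries or {})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(info, data)
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def package_hash(apk_bytes):
    """Whole-file checksum: the identifier a simple checksum blocklist keys on."""
    return sha256_hex(apk_bytes)


def dex_hash(apk_bytes):
    """Hash of classes.dex alone (an assumed, finer-grained signature)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return sha256_hex(z.read("classes.dex"))


def verify(apk_bytes, blocklist):
    """Return which signature matched: 'package', 'dex', or None for a miss."""
    if package_hash(apk_bytes) in blocklist["package"]:
        return "package"
    if dex_hash(apk_bytes) in blocklist["dex"]:
        return "dex"
    return None


def demo():
    original = build_apk()
    # The server-side blocklist as assumed here: whole-package checksums plus,
    # for comparison, hashes of the code entry of each known sample.
    blocklist = {"package": {package_hash(original)}, "dex": {dex_hash(original)}}

    # 1. Re-zip with new timestamps: zero content change, new package checksum.
    rezipped = build_apk(stamp=(2012, 12, 10, 12, 0, 0))
    # 2. Repackage with an added asset, code untouched.
    repacked = build_apk({"assets/junk.txt": b"padding"})
    # 3. Mutate the code itself: even the per-entry hash no longer matches.
    mutated = build_apk(dex=DEX_PAYLOAD + b"\x00")

    return {
        "original": verify(original, blocklist),
        "rezipped": verify(rezipped, blocklist),
        "repacked": verify(repacked, blocklist),
        "mutated": verify(mutated, blocklist),
    }


if __name__ == "__main__":
    for variant, result in demo().items():
        print(f"{variant:9s} -> {result}")
```

A blocklist that holds only package checksums catches the original sample and nothing else: the re-zipped and repackaged variants sail through. Hashing classes.dex on its own survives those two tricks, but the third variant shows that a one-byte change to the code defeats it as well, which is the point of the quoted remark that additional information about the app would need to be collected.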

Jiang also faulted the service for hosting the scanner solely in the cloud rather than using some sort of client-side solution.

"Unfortunately, it is not realistic to assume that the server side has all existing malware samples (especially with limited information such as app checksums and package names)," he wrote. "From another perspective, the client side, in the current implementation, does not have any detection capability, which suggests possible opportunity for enhancement. However, due to the limited processing and communication power on mobile devices, we need to strike a delicate balance on how much detection capability can and should be offloaded."

Jiang said VirusTotal, the free multi-engine file-scanning service recently acquired by Google, also outperformed the app verification service. He said the service is likely to improve if it integrates VirusTotal.

Jiang's findings are sure to be hailed by makers of standalone apps that detect Android malware, such as Lookout. On Friday, that company said an update it had pushed out mistakenly flagged legitimate apps, including one offered by the movie-ticketing service Fandango, as malicious. The mistake was detected and fixed about an hour later.

Source: Ars Technica

Tags: Android, viruses
