by Axelle Apvrille  |  Apr 17, 2015  |  Filed in: Industry Trends

If you haven't had time to read Google's 44-page Android security report, here is a quick recap of what they say, and what we think about it.

Overall, their report is consistent with our data, apart from a few glitches and a (not so surprising) tendency to minimize security risks ;)

Infection rate

Google says:

  • Less than 1% of all devices have Potentially Harmful Applications (PHA ~ malware + riskware + adware)
  • Less than 0.15% of devices that only download from Google Play had a PHA

Since our products sit on the network rather than on the devices themselves, we cannot comment on prevalence on devices.
We do, however, have malware activity per FortiGate: the number of detections of a given malware in the network traffic analyzed by a FortiGate. For instance, Android/Agent.GZ!tr shows a malware activity of 1.03% in December 2014.

Geographical trends

Google says:

  • More infected devices in Russia
  • Rooting tools are common in China (3-4%)

The country of origin of a malware, or its target, is often difficult to assess.
Our own stats suggest that the most targeted countries are the US, Russia and China.

Malicious trends

Google says:

  • An average of 0.5% of devices use rooting tools
  • Growth in ransomware - but still little data
  • Disclosed vulnerabilities are very seldom exploited in malicious apps
  • Decline of spyware and SMS fraud in 2014

Regarding the other points, we have computed statistics on 790k Android malware and found that:

  • 1.7% of malware use root / superuser / mod tools
  • 43% of malware send SMS messages. This includes cases of SMS fraud, but also spyware which forwards incoming SMS to another phone number.
  • 56% of malware implement an SMS receiver, i.e. a mechanism notifying them when there is an incoming SMS message. This is typically how spyware reads and processes incoming SMS.
  • 20% actually retrieve the current geolocation. Note that we rule out over 140 advertisement or development kits from our statistics, so those 20% do not take into account geolocation retrieved by third-party kits: the percentage would be far higher otherwise. Also, those 20% correspond to the exact cases where the malware calls functions like getLatitude() or getLongitude(). This is more precise than counting how often the coarse or fine location permissions are requested, as applications may request a permission and yet never use it.
  • 8.6% of malware ask to be notified whenever an outgoing call is about to be placed...

Those percentages show that spyware and SMS fraud - whether they are declining or not (which remains to be proved) - are still a very important issue.
Besides malware, all adkits leak private data, often through insecure channels: see the paper we presented at VB.
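The measurement described above (counting what an app's own code actually does, excluding third-party kits, rather than which permissions it requests) as an added example that is not part of the original post. The dex-style identifiers, the excluded kit prefix and the four sample app profiles are all constructed for this illustration; a real pipeline would extract them from the manifest and the disassembled dex code.

```python
from dataclasses import dataclass
# Identifiers in dex style ("Lclass;->method") as produced by disassemblers
# such as baksmali; the exact strings are assumptions of this example.
GEO_CALLS = {"Landroid/location/Location;->getLatitude",
             "Landroid/location/Location;->getLongitude"}
SMS_SEND_CALLS = {"Landroid/telephony/SmsManager;->sendTextMessage"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
NEW_OUTGOING_CALL = "android.intent.action.NEW_OUTGOING_CALL"
LOCATION_PERMS = {"android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.ACCESS_COARSE_LOCATION"}
EXCLUDED_KITS = ("Lcom/example/adkit/",)  # constructed ad-kit class prefix

@dataclass
class AppProfile:
    name: str
    permissions: set       # from AndroidManifest.xml
    receiver_actions: set  # intent actions of declared BroadcastReceivers
    calls: set             # (caller class, callee method) pairs from the dex

def behaviours(app):
    # Only calls made by the app's own classes count, not by bundled kits.
    own = {callee for caller, callee in app.calls
           if not caller.startswith(EXCLUDED_KITS)}
    geo = bool(own & GEO_CALLS)
    return {
        "geolocation": geo,
        "sms_send": bool(own & SMS_SEND_CALLS),
        "sms_receiver": SMS_RECEIVED in app.receiver_actions,
        "outgoing_call": NEW_OUTGOING_CALL in app.receiver_actions,
        # location permission requested but never used by the app's own code
        "location_perm_unused": bool(app.permissions & LOCATION_PERMS) and not geo,
    }

def percentages(apps):
    # Share of the corpus exhibiting each behaviour, in percent.
    totals = {}
    for app in apps:
        for key, flag in behaviours(app).items():
            totals[key] = totals.get(key, 0) + int(flag)
    return {k: round(100.0 * n / len(apps), 1) for k, n in totals.items()}

SAMPLES = [  # constructed corpus of four fictitious apps
    AppProfile("spy", {"android.permission.ACCESS_FINE_LOCATION"}, {SMS_RECEIVED},
               {("Lcom/evil/Spy;", "Landroid/location/Location;->getLatitude"),
                ("Lcom/evil/Spy;", "Landroid/telephony/SmsManager;->sendTextMessage")}),
    AppProfile("adgame", {"android.permission.ACCESS_COARSE_LOCATION"}, set(),
               {("Lcom/example/adkit/Tracker;", "Landroid/location/Location;->getLongitude")}),
    AppProfile("dialer", set(), {NEW_OUTGOING_CALL}, set()),
    AppProfile("smsfraud", {"android.permission.SEND_SMS"}, {SMS_RECEIVED},
               {("Lcom/foo/Main;", "Landroid/telephony/SmsManager;->sendTextMessage")}),
]
```

On this corpus the "adgame" app holds a location permission but only the bundled ad kit reads the position, so it is counted under `location_perm_unused` rather than `geolocation`, which is exactly the distinction the post draws.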

Enforced Security mechanisms

Google discusses the following mechanisms:

  • Verify Apps: scans apps on install and, since March 2014, also scans in the background the apps already on the device
  • Safety Net: against network attacks
  • Developer Security Warnings, e.g. warnings about dangerous storage of credentials or out-of-date libraries
  • Security features of the OS, such as Full Device Encryption (since 3.0, improved in 5.0), SMS confirmation (>4.2), SELinux (since 4.4, improved in 5.0) and SmartLock (since 5.0)

Our remarks:

  • It's surprising they don't mention Bouncer (the scanner for malware at app submission time).
  • SELinux was initiated by the NSA. In a post-Snowden era, the choice is strategically surprising.
  • It will be interesting to review the Verify Apps program...

-- the Crypto Girl
