Writing Android malware and getting it approved in the app store is too easy these days.
It’s one of the main reasons that Allan and his team started Trustlook. It’s just too easy to build an application that appears to do something legitimate while, behind the scenes, acting as spyware or adware or harvesting identifying information. This is especially true for Android. Multiple app stores and a decidedly laissez-faire philosophy from Google and the other store owners make it relatively easy. And the security companies simply aren’t allocating the resources to detect this malicious code; all of the security software is old-style signature-based antivirus.
It’s the perfect situation to breed a lot of undetected malicious applications in the wild.
So, when we took a sample of a few thousand recently uploaded Google Play apps and ran them through the Trustlook behavior-analysis engine, we found that over 3% of them were malicious in some way.
Of course, not all of that 3% is stealing email or placing calls to premium-rate service numbers. Most of them are just stealing identifying information about the phone and the user: the IMEI and IMSI (the same data stolen by the viruses announced yesterday), the user’s location, and other details about the platform and the device. These applications (some with downloads in the many millions according to their Play Store pages) are grabbing significant amounts of information that identifies the user, their phone, their software and hardware profile and their location, and sending it to sites on the internet.
As an example of this type of data theft, the iFart application (yes, that’s a real application) is a four-star-rated app that has been in the Google Play Store since September 8, 2011. It describes itself as an app that “collected a variety of fart sound (sic) which can be used to trick people”.
We don’t quite understand why such an application would need to gather a large amount of information about your phone, your carrier, your phone number and your location and upload it to a website under the guise of a “log” file. (Click on the image below to see the full Trustlook analysis for the iFart application).
According to its Google Play page, iFart has between 10,000 and 50,000 installs. That’s a LOT of location information sent overseas.
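The behaviour described above, an app that asks for identity, location and network access it has no plausible use for, can be caught at triage time from nothing more than the permission list in the manifest. The script below is an added example, not the Trustlook engine or the iFart app’s own code; it parses a decoded AndroidManifest.xml and flags the combination of READ_PHONE_STATE (which covers IMEI, IMSI, line number and carrier), a location permission, and INTERNET. Both manifests are constructed for illustration and the package names are hypothetical.

```python
"""Static permission triage for a decoded AndroidManifest.xml.

Added example, not Trustlook's engine. Data collection permissions are
only flagged when paired with INTERNET, since that is what turns a local
read of the IMEI or location into an upload. The manifests at the bottom
are constructed and the package names are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # android:name in Clark notation

# Permissions grouped by the stage of the behaviour they enable.
IDENTITY = {"android.permission.READ_PHONE_STATE"}  # IMEI, IMSI, line number, carrier
LOCATION = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
EGRESS = {"android.permission.INTERNET"}
# Permissions a sound-effect app has no plausible use for at all.
EXTRAS = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def triage(manifest_xml: str) -> dict:
    """Heuristic verdict: collection permissions are a concern only with egress."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    can_send = bool(perms & EGRESS)
    findings = []
    if perms & IDENTITY and can_send:
        findings.append("reads IMEI/IMSI/phone number and can upload them")
    if perms & LOCATION and can_send:
        findings.append("reads location and can upload it")
    for p in sorted(perms & EXTRAS):
        findings.append("requests " + p.rsplit(".", 1)[-1] + " with no obvious purpose")
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed manifest modelled on the pattern the post describes: a
# sound-effect app that wants identity, location and network access.
SOUNDBOARD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fartsounds">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Fart Sounds"/>
</manifest>
"""

# Constructed manifest for the same kind of app requesting only what it needs.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainsounds">
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Plain Sounds"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SOUNDBOARD, BENIGN):
        result = triage(manifest)
        print(result["package"], "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("  -", finding)
```

This is a filter, not a verdict: a mapping app legitimately holds location plus INTERNET, so a hit only says the app is capable of the upload the post describes. Confirming that it actually sends the data means watching its network traffic, which is what a behavior-analysis engine does and a manifest check cannot. The check is still worth running first because, on the Android releases of the time, every permission in that list was granted at install, so the permission screen was the only “consent” the user ever gave.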
We Reported It to Google
This is the kind of malicious behavior we see over and over again in the thousands of malicious/suspicious applications we’ve found. So, we took a spreadsheet of a few hundred of these apps that had the most egregious behavior and sent them to the Google Team along with access to all of the Trustlook application risk reports for the apps. (Two more examples of the reports from the list we provided are here and here)
We thought they’d be excited to have a big security success close to Black Hat. And we thought that Trustlook would get a rather public win by helping Google reduce the amount of malicious software in the Android app store. We’d work with the Google team to help them eliminate a large number of malicious applications, and we’d blog about it as a great proof of the Trustlook technology.
That’s not quite what happened.
In short, Google’s response was less than enthusiastic. Google’s Android Security Team pointed us at this document and told us that none of the applications that we sent had violations of the terms laid out there.
We attempted to get clarification by pointing out the iFart example. We asked whether gathering detailed information about the device, the user, etc. and uploading it to the web counted as a “limited purpose for which the user has given permission” under section 4.3 of the agreement.
That question was met with… nothing. Silence. I’m sure they’re probably just busy getting ready for Black Hat and DEF CON next week.
Suffice it to say, all of those applications remain in place in the app store.
The Apps Remain Largely Undetectable
Worse than their still being in the app store is that there’s no good way to detect these applications yet. If this were a PC problem, I’d be writing about the need for everyone to update their anti-virus software.
Unfortunately, the anti-virus vendors aren’t much more effective at detecting this type of behavior than Google has shown itself to be. To find out just how ineffective the other products are, we randomly grabbed a small sample of the malicious apps (ones we know with certainty to be malicious) and installed them on devices running the major AV vendors’ products.
As you can see, the results were less than promising.
Of course, this is how I ended up advising Trustlook in the first place: the platform’s back-end ability to analyze behavior and detect malicious code is unlike anything else that exists, and it’s why I get excited to help Allan and the Trustlook team whenever I can.
The team at Trustlook is left with a conundrum. Do we simply publish the list of all of the malicious applications (even knowing that, as a new tool that’s still in beta, we’re likely to have a few false positives)? For what it’s worth, the 13 applications in the graphic above are definitely gathering more information than required. (Or, in the case of SMS Tracker, are simply designed to be trojan horse software that you can install if you steal someone’s phone to spy on them) If you have any of those installed, uninstall them immediately.
We had expected that, by reporting the application list to Google, they’d work with us to intercede with the application creators (since they have the relationship) and make sure either that these applications aren’t malicious or that the data they gather is collected for a legitimate reason. A small pre-venture startup doesn’t exactly have the resources to do that. Google does.
Since that didn’t work so well, we’re left to do the best we can. I’m going to jump in and help the team double and triple check that there aren’t any false-positives. We’ll release the full list in the next few days.
Until then, you might want to sign up for the Trustlook Beta Program. That’s not meant as a sales pitch – it’s just that the current security products don’t help much (though you should probably install one until you get your copy of Trustlook) and Google’s not going to protect you either.