SAN FRANCISCO – A pair of malware experts offered a glimpse into the complicated, duplicitous underworld of Android malware development and deployment, encouraging information security pros to help shine a spotlight on the problem by conducting their own Android malware research.
During a presentation Thursday at RSA Conference 2012, speakers Grayson Milbourne, manager of threat research for Broomfield, Colo.-based security vendor Webroot Inc., and Webroot senior threat research analyst Armando Orozco, illustrated a few of the many options available to aid attackers in exploiting Android-based devices and applications.
Attackers' method of choice, Milbourne said, is malicious apps spread via the Android Market or third-party app stores. In one example, he showed two identical-looking versions of a popular app called Jungle Shooter: one was a simple game, and the other was an altered version that silently steals users' online banking credentials.
Yet, in some cases, users don't even need to click "download" to expose themselves to dangerous apps. Milbourne said that, since pre-installed Android apps often come with unrestricted permissions, attackers have successfully exploited those apps to gain broader permissions to install malware.
Many of these and similar Android app security issues are caused by what Milbourne called operating system diversity. Google's latest Android OS series, 4.x, also known by its codename, Ice Cream Sandwich, was released in October and offers a variety of security improvements. However, most Android devices in use today still use a version 2.x operating system, Milbourne said, which is vulnerable to numerous exploits.
"Google does a good job patching these exploits, but the users of the devices don't have the latest upgrade path," Milbourne said. "That is a disservice to the customers, and the blame falls on the carriers and the device manufacturers. They don't want you to update; they want you to buy the next device with the new OS stock-installed."
However, Orozco said there are a number of solid Android malware defense tools and methods available that can help practitioners identify attack techniques and dangerous applications. For starters, he suggested checking out the various apps available in the official Android Market, as well as on forums, torrents and third-party markets, especially Russian markets.
Using free tools, it's possible to set up a system as an Android device emulator and then scrape various locations on the Internet to download and install apps to evaluate their behavior. From there, Orozco said it's simply a matter of gathering data on the methods, classes and services they use, since common ones are used repeatedly by malware authors.
"A lot of this [malware] is really lazy, and the malware authors just want to get stuff out," Orozco said.
For those interested in more in-depth, manual analysis of Android malware, Orozco said there are plenty of free tools for that, too. Dexdump, which comes with the Android SDK, dumps the Dalvik bytecode in a dex file and produces an output file listing all of the program's functions and strings. Related tools, Dedexer and Baksmali, convert dex files into bytecode listings or other readable text.
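As an added illustration of the two points above (pulling the strings a dex file carries, then looking for the class, method and URL strings that recur across samples), here is a minimal Python string-table parser for the dex format plus a cross-sample comparison. It is not code from the talk or from Webroot; the dex builder at the bottom is a constructed fixture that emits only a header and string table so the parser can be exercised offline, and all sample names and URLs are made up.

```python
import struct
DEX_MAGICS = (b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0")
HEADER_SIZE = 0x70  # the dex header is always 112 bytes

def read_uleb128(buf, off):
    """Decode unsigned LEB128 at buf[off]; return (value, offset just past it)."""
    value, shift = 0, 0
    while buf[off] & 0x80:                 # high bit set = more bytes follow
        value |= (buf[off] & 0x7F) << shift
        shift, off = shift + 7, off + 1
    return value | (buf[off] << shift), off + 1

def dex_strings(buf):
    """Walk string_ids -> string_data_item and return every string in the dex."""
    if buf[:8] not in DEX_MAGICS:
        raise ValueError("not a dex file")
    count, ids_off = struct.unpack_from("<II", buf, 56)   # string_ids_size, string_ids_off
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", buf, ids_off + 4 * i)
        _utf16_len, p = read_uleb128(buf, data_off)         # length prefix, then MUTF-8 bytes
        end = buf.index(b"\0", p)                           # string_data_item is NUL-terminated
        # MUTF-8 matches UTF-8 for ASCII; surrogate pairs and encoded NULs become U+FFFD here
        out.append(buf[p:end].decode("utf-8", errors="replace"))
    return out

def shared_strings(samples, min_samples=2):
    """Strings (class/method names, URLs) reused by at least min_samples of the apps."""
    seen = {}
    for name, strs in samples.items():
        for s in set(strs):
            seen.setdefault(s, set()).add(name)
    return {s: sorted(n) for s, n in seen.items() if len(n) >= min_samples}

def build_dex(strings):
    """Constructed fixture: header + string table only; parses, but is not a loadable dex."""
    ids_off, data_off = HEADER_SIZE, HEADER_SIZE + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        n, ul = len(s), b""                    # UTF-16 length (== len(s) for BMP text)
        while n > 0x7F:                        # uleb128-encode it
            ul, n = ul + bytes([n & 0x7F | 0x80]), n >> 7
        data += ul + bytes([n]) + s.encode("utf-8") + b"\0"
    hdr = bytearray(HEADER_SIZE)
    hdr[:8] = b"dex\n035\0"
    struct.pack_into("<III", hdr, 32, data_off + len(data), HEADER_SIZE, 0x12345678)
    struct.pack_into("<II", hdr, 56, len(strings), ids_off)
    struct.pack_into("<II", hdr, 104, len(data), data_off)
    return bytes(hdr) + b"".join(struct.pack("<I", o) for o in offsets) + bytes(data)
```

On a real APK, feed `classes.dex` (unzipped from the package) to `dex_strings` and run `shared_strings` over the results from several samples; strings that keep showing up across unrelated apps are the reused classes and services the speakers describe.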
He also noted a number of helpful dynamic analysis tools, including DroidBox, TaintDroid and ARE Virtual Machine. Network traffic analyzers are useful as well, Orozco said, recommending Wireshark, Tcpdump and Shark for Root. Amateur researchers have one advantage, Milbourne said, in that malware authors rarely use packers or obfuscators, so the code usually decompiles back to plain, readable Java.
For all organizations that use or allow Android-based devices, Orozco said that all devices should be protected with a PIN or password, have personal or confidential data encrypted and backed up, and have a tool to remotely disable or erase lost or stolen devices. When vetting Android apps, he said that apps should only be downloaded from trusted sources, and users should be encouraged to take the time to read reviews of the apps and research the ratings of app developers.
Milbourne said mobile device management products can help defend Android devices by enabling security teams to create group-based policies that prevent or restrict apps or features from running.
"The best thing to do is have an education plan and a smartphone policy," Milbourne said. "You can avoid simple mistakes like not having adequate device locks. Also have employees sign a document saying they understand the risks associated with smartphones."