The Android malware war is heating up. On Wednesday, the mobile security firm TrustGo confirmed a new Trojan app, named Trojan!FakeLookout.A, hidden in what appeared to be an update
The two primary problems with Google owning the detection of malware are incentives and definition of risk.
Tyler Shields, senior security researcher, Veracode Inc.
While there have been less than 100 users infected with Trojan!FakeLookout.A, it shows the danger lurking in the Google Play store. While still a minuscule percentage of malware threats, the growth is accelerating according to McAfee which recently reported that mobile malware samples, primarily aimed at Android devices, grew from 2,000 in 2011 to more than 13,000 in 2012.
For its part, Google says it’s taking important steps to keep its systems secured, including scanning its store for malware and malicious app behaviors, sandboxing apps and software on Android devices, and removing malware (even remotely) if necessary. This past week, according to the website Android Police, which conducted an APK analysis of the newly minted 3.9.16 version of the Google Play Store, Google is developing what appears to be an antimalware scanner for the store that will be placed on users’ devices.
Android Police’s teardown revealed string commands in the code that indicated malware scan commands as well as malware warning messages such as “To protect you, Google has blocked the installation of this app.” This move comes weeks after Google acquired the free file scanning service VirusTotal.
Google did not respond to a request for comment for this story.
Security experts are divided as to what Google may have planned with the new functionality, or if scanning capabilities are related to the VirusTotal acquisition, or if the additional security will successfully help to suppress the rising malware tide. “As of today we have no concrete details on how this malware detector is supposed to work, therefore it's still hard to say how effective it will be,” said Vincenzo Iozzo, director of vulnerability intelligence at New York City-based Trail of Bits Inc. “Given the sad state of Android security and malware, any protection put in place to stop malware is definitely positive news. Nonetheless if the approach is signatures-based, like average antivirus products for PCs, what we will see is the usual rat race where malware authors will start mutate older samples or create new malware,” Iozzo says.
Graham Cluley, a senior technology consultant at Sophos, says that there’s no indication that these latest enhancements to the Play Store will be integrated with VirusTotal. “There are references to Google's SafeBrowsing API however,” says Cluley, who largely views the recent moves by Google as steps in the right direction. “Anything Google can do to help better protect Android users against the growing tide of malware on the platform has to be encouraged. Especially as people install apps from unauthorized sources,” he said.
Also, while Cluley doesn’t see a conflict in Google performing its own vetting, as many had cited in the days Microsoft first started providing security software and capabilities for its platform, others hold a different perspective. “The two primary problems with Google owning the detection of malware are incentives and definition of risk. Google is an advertising company at its core, not a security company,” said Tyler Shields, senior security researcher at Burlington, Mass.-based Veracode Inc. “Google is in the business of collecting data for advertising purposes and are incented by increasing application count and data collection. Additionally, an intrusive application collecting a lot of intelligence for advertising may not be considered malware by Google but may be considered too intrusive for acceptance into the enterprise,” said Shields.
Maybe so. But at least when it came to Trojan!FakeLookout.A, Google acted swiftly when the malware was brought to its attention, albeit after it made it into the store. This Trojan steals user SMS/MMS messages, video files, and files on a user’s SD card. It then attempts to transmit them to a remote FTP server operated by the attacker, according to TrustGo. TrustGo also said that it hides itself by removing its listing from the full Application List, with only a fake icon left in the Downloaded Apps list named “Updates.” The offending app was first seen on October 15, and within hours of notifying Google the malware was removed from the store, said Xuyang Li, TrustGo CEO.
About the author:
George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.