What is mobile malware? The question may seem straightforward, but a new report sheds light on a growing debate among mobile security experts over how broadly to define malicious activity on mobile devices.
While HP found Android malware that had been downloaded millions of times, the number of adware downloads that it observed dwarfed those numbers, with the most popular samples downloaded hundreds of millions of times. Apple's App Store, in comparison, had few malicious apps make their way onto users' devices, which HP said is largely due to the computing giant's rigorous screening process.
But what really surprised HP was the vast differences it found in the performance of the technologies consumers and enterprise security professionals use to fend off mobile malware. HP used 36 different AV products to scan 7,000 of the most downloaded adware apps available on the Play Store, with the results showing dramatically different detection rates among even the most popular AV scanners available for the Android platform.
Android AV products from companies like AVG and Sophos topped the scale with thousands of detections, while scanners from Kaspersky Lab and Avast flagged fewer than 200 apps combined for malicious content.
Why did the results vary so greatly? Scott Lambert, director of threat research for HP's Enterprise Security business unit, pointed to the divergent opinions among AV vendors on what constitutes adware.
"Any time there's an app that has functionality that's potentially questionable and can be used for malicious means, they're more ready to label that as 'malicious,'" Lambert said. But each one has its own ways of making those determinations, "and so there's disagreement among the stakeholders on what constitutes malicious [intent], which certainly makes it difficult to charge forward."
Categorizing ad networks: Why vendors disagree
Joshua Wright, a senior instructor covering mobile device security for the SANS Institute, said there are some mobile apps that everyone can agree are malicious, such as those that attempt to gain privileged access by rooting the device, or that modify an Android device's boot structure so the malware can't be removed by conventional tools.
When it comes to apps that utilize ad networks though, Wright said the "immature" Android AV market struggles to determine whether those apps actually behave in a malicious manner.
For example, he pointed to Android apps that are designed to share a user's current location with friends. The user would understand the need to share location information with the developer of such an app and would provide that permission when downloading it from the Play Store. However, if that app inserts code from a mobile ad network, advertisers may be able to cull the user's location to serve location-based targeted ads. The user may not have realized his or her information would be provided to anyone beyond the provider of the app.
Should an app demonstrating such behavior be considered malicious? Wright believes so because users are not made aware of the implications when deciding to share info they may consider sensitive.
"So when we talk about the app, we have to consider all the pieces of the app," Wright said. "Not just the code written by the developers that we trust, but also all the other third-party organizations that link their code with the product."
Filip Chytrý, a virus analyst with antimalware vendor Avast, disagreed with Wright's assertion. The free version of Avast's Android AV product does not currently classify mobile ad networks as malware, according to Chytrý, which likely led to the small number of detections recorded by the product in HP's tests. Notably, the premium version of the same product includes what Avast refers to as "ad detector," which notifies Android users before they download an app linked to an ad network.
"We don't agree with antivirus [vendors] classifying mobile ad networks as malware, as 80% of free applications use ad kits like Airpush," Chytrý said via email. "These ad kits display ads within apps as a way of monetizing, just like online ads on most websites do."
Chester Wisniewski, senior security advisor for antivirus provider Sophos, said the current debate over mobile adware is just a repeat of the late-1990s and early-2000s arguments over the same topic in the PC arena. At the time, companies like McAfee Inc. and Symantec Corp. provided anti-adware products separately from AV suites, he noted, while companies like Sophos decided to include adware within the larger virus category and block it because users didn't want to deal with it.
Wisniewski said the adware companies threatened to sue AV providers that were of the same mind as Sophos. Legal wrangling resulted in the creation of the term "adware," and allowed AV companies to block adware for their corporate customers.
Mobile adware classification standard amid growing threat
Wisniewski's colleague Vanja Svajcer, a principal virus researcher for SophosLabs, recently called on AV providers and others in the security industry to standardize the classification of adware and the use of ad networks on Android. Until such categorizations are hardened, Wisniewski said his firm will continue to take a hardline stance against apps utilizing most ad networks.
"We decided that any of these ad networks that cause an undesirable function on your phone, which we think are things like changing your homepage, flashing things in the toolbar like the status alert at the top of the screen, placing unwanted shortcuts all over your phone that lead back to the thing -- anything like that -- we just drew a line in the sand and call it malware because the user didn't really want [any of] that," Wisniewski said. "And that's probably why we ended up at the higher end of the detections … we threw one or two of the major ad networks in the malware bucket."
While AV vendors will likely continue to disagree over whether ties to an ad network are enough to classify a mobile app as malicious, Wright said the threat posed by third-party advertising libraries is growing.
In October 2013, researchers at security vendor FireEye Inc. discovered an unnamed, "aggressive" ad network, code-named "Vulna," that was included in apps that had been downloaded more than 200 million times on the Play Store. According to FireEye, Vulna is capable of collecting sensitive information such as email addresses, text messages and contacts, and if an attacker were to take advantage of the many security vulnerabilities present in Vulna, he or she would be able to take pictures via a mobile device's camera without the knowledge of the user, steal two-factor authentication tokens sent through SMS messages, and utilize an infected device as part of a botnet.
There is also a known vulnerability found in WebView in all versions of the Android OS, Wright noted, which allows an attacker to run arbitrary commands on the Android device. He said commercial exploit kits are now being written for such vulnerabilities, potentially putting millions of ad-supported mobile app users at risk.
This volume and array of Android mobile malware may be a product of economics. A recent estimate by VentureBeat showed that 75% of all downloaded mobile applications were for the Android OS, compared to 18% for Apple's iOS. When it comes to revenue generated through those apps though, the numbers reverse. Apple pulls in approximately $5.1 million per day through its App Store, while Google earns just $1.1 million per day directly through the Play Store. The unwillingness of Android device owners to pay for apps has forced developers to rely on ad networks like StartApp and AdMob for monetization.
Defending against mobile malware
Several experts agreed that the most important advice for fending off mobile malware and adware attacks on Android is to stick to the official Google Play Store, which, despite misgivings over Google Bouncer's effectiveness, has proven to be safer than any outside alternative. Experts also recommend using a mobile antivirus product that provides frequently updated signatures.
Experts from several mobile AV vendors chided mobile carriers for not providing users with timely OS updates for the Android platform. Wright said Android version 4.4 includes an app verification service that checks apps downloaded from outside the Play Store for signs of malicious content, both at install time and again after the initial download, but an overwhelming majority of device users will not have the security tool anytime soon because mobile carriers aren't updating devices to 4.4, the newest version of Android.
Opinions differed among experts on how enterprises can best take action to secure mobile devices against such threats. HP's Lambert said enterprise app stores may make sense for organizations with a mature IT infrastructure, but with many companies unable to secure desktops after two decades of developments in the industry, he believes many will continue to struggle with mobile device security regardless.
Wright was sour on the enterprise app store option when dealing with bring your own device (BYOD), instead favoring the containerization model forged by Good Technology. Containerization essentially enables an organization to separate corporate content from a user's personal content on a mobile device through the use of a secure application, which provides encryption, authentication and SSL transport protection between the Android device and the enterprise server.
"[If] I have control and confidence over that level of information," Wright said, "then what happens on the rest of the device is really an irrelevant concept to the enterprise for BYOD."
For BYOD programs, Wisniewski said enterprises should use mobile device management technology and restrict Android app downloads to the Play Store, but such measures still leave organizations vulnerable unless they take the further step of restricting the information on employee- or corporate-owned mobile devices.
"If you're going to do BYOD … then you really need to make sure those phones, when they access your network, are limited to that narrow slice of things you want your employees to do. [And that's] calendaring and corporate contacts and email," Wisniewski said. "Don't let them access your SAP server; don't let them access your Salesforce [system] without credentials; don't let them do all this stuff from their phone. Because you really don't know what these apps are going to do."