Android has never been particularly well known for its security, and a recent analysis of Android’s new built-in application verification service found that it had a shockingly low malware-detection rate, a bit less than 16%, and that its detection system contained numerous loopholes ripe for malicious programs to exploit.
Google’s Bouncer service is an app introduced with the sole purpose of scanning for malware and is made available to its users on the Google Play store. However, users tend to sideload apps (directly copying them from another memory space that has already downloaded the app) and, as a result, they lose the protection offered by Bouncer. To tackle this issue, Google introduced an application verification service in Android 4.2, which provides a domain that collects data from users about the safety and stability of apps and uses that compiled data to detect malicious software.
This service was tested by Xuxian Jiang, an associate professor in NCSU’s department of computer science, and his colleague, Yajin Zhou, who found it to be considerably less than effective. The two started the Android Malware Genome Project, an initiative to compile a database and collect Android malware for the purpose of ethical hacking, and have received requests for information from several prominent organizations such as Nokia, Samsung, AT&T, T-Mobile, GSM Association and Qualcomm.
The two tested Google’s service against 1260 samples of malicious apps, only to discover that the service failed to detect 1064 of them and yielded an effective detection rate of 15.32%. Another set of random samples was then run through VirusTotal to compare Google’s service against other antivirus engines: Avast, AVG, TrendMicro, Symantec, BitDefender, ClamAV, F-Secure, Fortinet, Kaspersky and Kingsoft. Seven of these ten engines secured detection rates above 90%, with two detecting every malware sample presented to them. Of the remaining three, two scored detection rates of 77.5% and the final one scored 51.02%. In comparison, Google had a detection rate of 20.41%, which is less than half the detection rate of the lowest scorer on the list.
Their study also observed that the service relies on an app’s SHA1 value to determine whether the app is dangerous or potentially dangerous. This mechanism is easy to bypass, because an attacker can modify or repackage malware so that its SHA1 value changes and the system wrongly treats it as a non-threat. They also criticized Google for not fully utilizing VirusTotal’s malware-scanning capabilities, which have proven to be far better than Google’s standalone service. The two researchers recommended that Google tap into VirusTotal’s potential in order to improve future detection results.
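
The SHA1 weakness described above, shown as an added example (not code from the study or from Google): a lookup keyed on the whole file's SHA-1 stops matching once the same code is repackaged, while a hash of the `classes.dex` member still matches. The archives, the blocklists and the per-entry check are constructed for illustration and are assumptions, not a description of how Google's service or VirusTotal works.

```python
import hashlib
import io
import zipfile


def build_apk(entries):
    """Build an in-memory ZIP (the APK container format) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(entries.items()):
            # Fixed timestamp keeps the archive bytes reproducible between runs.
            zf.writestr(zipfile.ZipInfo(name, date_time=(2012, 12, 1, 0, 0, 0)), data)
    return buf.getvalue()


def file_sha1(apk_bytes):
    """SHA-1 over the whole package, the kind of value the study says is looked up."""
    return hashlib.sha1(apk_bytes).hexdigest()


def entry_sha1s(apk_bytes):
    """SHA-1 of each archive member's uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {n: hashlib.sha1(zf.read(n)).hexdigest() for n in zf.namelist()}


def flagged_by_file_hash(apk_bytes, known_bad_files):
    return file_sha1(apk_bytes) in known_bad_files


def flagged_by_code_hash(apk_bytes, known_bad_code):
    # Hypothetical alternative signal: match on the code member only.
    # It is still an exact-match check, just less sensitive to packaging.
    return entry_sha1s(apk_bytes).get("classes.dex") in known_bad_code


# Constructed sample data: a stand-in for a flagged app and a repackaged copy
# that carries the identical code plus one extra resource file.
CODE = b"constructed stand-in for the bytes of a flagged classes.dex"
MANIFEST = b"<manifest/>"
original = build_apk({"classes.dex": CODE, "AndroidManifest.xml": MANIFEST})
repackaged = build_apk({"classes.dex": CODE, "AndroidManifest.xml": MANIFEST,
                        "assets/readme.txt": b"v2"})

KNOWN_BAD_FILES = {file_sha1(original)}
KNOWN_BAD_CODE = {hashlib.sha1(CODE).hexdigest()}

if __name__ == "__main__":
    for label, apk in (("original", original), ("repackaged", repackaged)):
        print(label, file_sha1(apk),
              "file-hash hit:", flagged_by_file_hash(apk, KNOWN_BAD_FILES),
              "code-hash hit:", flagged_by_code_hash(apk, KNOWN_BAD_CODE))
```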