Millions of infected Android apps… or not?

Over the weekend, several websites picked up Symantec’s story about Trojanized apps on the official Android Market. This happens from time to time, but what got everyone’s attention was that they said the number appeared to be between one and five million downloads, which is a pretty big number.

Based on what we know at this point, I think they made a mistake, but if you’re looking for someone to criticize Symantec, you won’t find that person here. It seems to me that what they detected was a new release of an ad platform, developed to allow Android developers to monetize their apps, not a Trojan designed to steal information or turn the victim’s device into part of an Android botnet.

I think it is an easy mistake to make. The earlier version, which was probably also innocent, had a couple of extra features, such as, if I recall correctly, the ability to download extra modules. This was probably the behavior that got them labeled as Trojan in the first place, and I think that was removed in this release. The code, however, was likely similar enough that it triggered Symantec’s fuzzy signatures, and caused them to have a closer look.

A look at one of the allegedly Trojanized apps today shows this:

Symantec has also been criticized for exaggerating numbers, by claiming one to five million. They are just quoting the Android Market’s numbers. If you look at this app, it alone shows a range of one to five million.

Given that they found lots of apps using what they thought was a Trojan, the numbers could have been estimated much higher.

What this does is highlight the difficulty of determining what exactly are Trojans. Viruses and worms are easy, because they spread by themselves. If you observe code spreading by itself, it’s a virus. With a Trojan, however, there are only three ways to tell it is a Trojan:

1. You have to observe it doing something it shouldn’t, such as hooking keystrokes, sending premium SMS texts, or downloading other modules without asking permission, or
2. You have to reverse the code enough that you can see that it carries code that might do something it shouldn’t, or
3. Your antivirus scanner tells you it’s bad.

Number one is hard, and number two is really hard. Number three is easy, but it can easily be wrong.

When you have hundreds of thousands of apps, coming from all over the world, from any one of numerous and unknown developers, it’s just plain hard to figure out when something has crossed the line from aggressive advertising to outright maliciousness.

What this all means is that, on this occasion, there is probably nothing to worry about, but that doesn’t mean that nothing will ever happen.

Unlike iPhone and BlackBerry, Android is essentially a decentralized distribution model. Google tries to control the official marketplace, but users can download apps from anywhere. There are entirely too many “alternative” markets and warez sites (copyrighted works distributed without fees or royalties) that offer “free” versions of commercial software. What most people don’t realize is that Android apps are just zip files, and it is really easy to unzip, add some Trojan code, re-zip it, and stick it out on a warez site, masquerading as a legitimate copy of the original app.
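As an added illustration (not part of the original post), here is the integrity check a defender can run against exactly that "unzip, add, re-zip" scenario: in a v1 (JAR) signed APK, every entry outside META-INF/ must have a matching digest in META-INF/MANIFEST.MF, so files added or altered after signing stand out. The sample APK is constructed in memory and the manifest parser is simplified (no continuation lines); a repackaged APK that was re-signed by someone else will carry a consistent manifest and pass this check, which is why the decisive comparison in practice is the signing certificate against the original developer's.

```python
import base64
import hashlib
import io
import zipfile

def b64_digest(algo, data):
    """Base64 digest in the form MANIFEST.MF uses ("SHA1" and "SHA-256" both accepted)."""
    return base64.b64encode(hashlib.new(algo.replace("-", "").lower(), data).digest()).decode()

def build_manifest(entries, algo="SHA1"):
    """Constructed v1 (JAR) manifest: one Name/Digest section per non-META-INF entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"{algo}-Digest: {b64_digest(algo, data)}", ""]
    return "\r\n".join(lines)

def parse_manifest(text):
    """Map entry name -> {algo: base64 digest} from the manifest's per-entry sections."""
    digests, name = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if key == "Name":
            name = value
            digests[name] = {}
        elif sep and key.endswith("-Digest") and name is not None:
            digests[name][key[: -len("-Digest")]] = value
    return digests

def check_apk(apk_bytes):
    """Return (unlisted, mismatched): entries the manifest never covered, and entries whose bytes changed."""
    unlisted, mismatched = [], []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        listed = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        for info in z.infolist():
            if info.is_dir() or info.filename.startswith("META-INF/"):
                continue  # the signature block files are not themselves listed in the manifest
            data, expected = z.read(info.filename), listed.get(info.filename)
            if expected is None:
                unlisted.append(info.filename)
            elif any(b64_digest(a, data) != d for a, d in expected.items()):
                mismatched.append(info.filename)
    return unlisted, mismatched

def build_apk(entries, tampered=None):
    """Constructed sample: the manifest covers `entries`; `tampered` overrides or adds files afterwards."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", build_manifest(entries))
        for name, data in {**entries, **(tampered or {})}.items():
            z.writestr(name, data)
    return buf.getvalue()

ORIGINAL = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00original"}
CLEAN_APK = build_apk(ORIGINAL)
TAMPERED_APK = build_apk(ORIGINAL, {"classes.dex": b"dex\n035\x00patched", "assets/extra.dex": b"dex\n035\x00added"})
```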

On top of all that, the Android development platform is cheap and well understood. Twenty-five years of virus history has shown “cheap” and “well understood” are two of the necessary requirements for a platform to have viruses. Put another way, lots of computing platforms, including mainframes, could have had viruses, except that they didn’t fulfill those two requirements.

Android is a wonderful, useful and exciting platform, but it turns out that it’s a really good idea to only download your apps from well-known companies.

Author: Roger Thompson, chief emerging threats researcher at ICSA Labs.
