
Malware in the Android Market part 3

Tim
Kaspersky Lab Expert
Posted March 07, 17:24  GMT
Tags: Google

A new blog update from Google promises a response to deal with the outbreak of the so-called “DroidDream” malware that went live on the Android Market last week:

Malware in the Android Market Part 1

Malware in the Android Market Part 2

According to the blog, Google will initiate its remote-removal process by pushing the installation of a new app called “Android Market Security Tool March 2011.” We’ve had a look at this app, and it does not fix the vulnerability; it simply removes the applications known to be malicious. Google further promises changes to the market to deal with this type of issue and claims to be “working with our partners to provide the fix for the underlying security issues.”

This part seems well and good with the exception of a few glaring issues:

The Google blog is confusing. In the blog, Google states “the update will automatically undo the exploit.” However, this does not make your phone any less vulnerable. On my first few readings I took this to mean that vulnerable phones were now protected from the exploits used in the DroidDream malware. This is not the case.

The implementation of the fix is incredibly curious; Google pushes an application to their users without user approval, the application launches without user consent (also known as remote code execution), the application then gains root privileges, removes other applications, and then deletes itself. Any of these steps could be acceptable if the user had any input whatsoever.

There is an inability to install security patches locally. Due to the nature of Android in its current state, it’s very difficult and expensive to push security updates as you would on a desktop operating system like Linux or Windows. Unlike iPhone, which installs patches via iTunes, or Windows Mobile, which uses ActiveSync, Android works almost entirely via over-the-air (OTA) communication. This puts the burden on mobile service providers to push data updates to all their customers over their mobile data network. This is very expensive. If Android were able to install more granular patches, and if customers were able to install these through a desktop model, even optionally, this would go a long way toward giving service providers, manufacturers, and customers the ability and initiative to install security updates more frequently.

Also at issue is the fact that device manufacturers themselves do not consistently maintain or update their existing platforms. Read any mobile forum and you’ll find a host of users begging for an update to their respective devices. According to Google’s own statistics, over 40% of Android users are using a version of the operating system prior to Android 2.2. Even some of the customers running 2.2 are vulnerable as the exploit works on 2.2.1 or earlier. Unfortunately Google doesn’t break its statistics down small enough to see this number. With the small exception of the customers who receive the Android Market Security Tool update, every other person running 2.2.1 or less remains vulnerable. This means that they could get exploited right now.

Google promises changes to the Android Market, and those changes are yet to be seen. We can only hope that they will react to the larger goals of keeping all of their customers up to date and patching quickly while offering multiple ways to do so. Google and its partners have an opportunity as well as a responsibility here; let’s hope they make good on both.


1 comment

Peter

2011 Mar 08, 23:51

a couple notes

"If Android were able to install more granular patches"

Google suggests that *is* possible:
"many Android devices have a facility for doing over-the-air update of the platform, which can update everything from the kernel to built-in apps."
and
"OTA updates have been delivered to many devices. Typically these are incremental updates (only having changed files and diffs from that is currently on the device) to reduce download size"
http://groups.google.com/group/android-security-discuss/browse_thread/thread/2d4dfada6a88ecae#

"Also at issue is the fact that device manufacturers themselves do not consistently maintain or update their existing platforms. Read any mobile forum and you’ll find a host of users begging for an update to their respective devices."

I don't understand why you and so many others accept the notion that Android device owners should have to install the latest version of Android to get a security fix. Imagine if Microsoft started only releasing security fixes for Windows 7 and Server 2008 R2. You'd crucify them, noting that many customers have computers that can't run the latest versions of Windows, or use software that doesn't run on the latest Windows. Same is true here -- a phone from late 2009 is unlikely to meet the requirements for Honeycomb, and even if older phones could run new Android OSes, it's not reasonable to expect vendors to port their custom Android apps (Sense UI, MotoBlur, etc.) to the latest Android release for every handset ASAP to keep things safe.

If Google treated Android OS the way Apple treats MacOS, or Microsoft treats Windows, or Ubuntu and other Linux vendors treat their OSes, then Google would "backport" security fixes to older versions of Android (hopefully for at least 2-3 years so US customers could safely make it all the way through a typical cell phone contract). They'd make it easy for Motorola to release security fixes for all the phones they've announced won't move past Android 1.6 (https://supportforums.motorola.com/community/manager/softwareupgrades). They'd publish an official End Of Life schedule or policy. And, as part of their licensing deal with handset manufacturers, they'd require handset vendors and cell phone companies to do the same.

It's true that Apple requires its users to update iPhone and iPad to the latest release to get fixes, but it's also true that Apple takes responsibility both for producing updates for older devices and, equally important, actually getting updates all the way to end users.

Google is evading responsibility on many fronts. Their actions show that clearly they care more about making it easy for cell phone manufacturers to install Android than providing a good, safe experience for end users.

(Apple isn't perfect, either. It looks like they only release updates for about 2.5 years after an iPhone's launch, so if you buy an iPhone that was released more than 6 months earlier, Apple probably won't release security fixes for the entire two years that you're under contract. Even so, that's much better than the situation with Android and Google.)
