An Evaluation of the Application Verification Service in Android 4.2 - natefriedman
http://www.cs.ncsu.edu/faculty/jiang/appverify/

======
daeken
Quite interesting, and using hashes to identify malware is just not effective
in the least. However...

> Last but not least, we notice that VirusTotal (owned by Google) has not been
> integrated yet into this app verification service.

This strikes me as a bit odd. While I do think Google is likely to use
VirusTotal for this sort of thing in the future: 1) They just bought
VirusTotal 2 months before 4.2 was released, so them not having integrated it
yet is not at all surprising, and 2) The binary itself isn't uploaded to the
app verification server, just some info about it, so running VirusTotal
against the binary isn't viable, severely limiting the integration
possibilities.

~~~
FreakLegion
Never use VirusTotal in its current form on sensitive files. Everything
uploaded goes to their subscription feed. I see corporate documents that
should not be out in the open, for example, pass through every day.

Anyway, do any of the AV scanners VirusTotal wraps around even handle Android
malware?

~~~
daeken
> Anyway, do any of the AV scanners VirusTotal wraps around even handle
> Android malware?

The submission has a table showing which malware was picked up by which AVs,
and quite a few of them did a good job with it.

~~~
FreakLegion
Ah, thanks! I glanced through and only saw AV1, AV2, etc. The paragraph above
puts names to them, and at least some of those are indeed in VirusTotal.

One thing I forgot to mention before:

_using hashes to identify malware is just not effective in the least_

Absolutely true, but VirusTotal is only using hashing to determine if it's
already scanned a particular file (and even if it has, you can still force a
re-scan). Most of the individual AV engines have at least basic heuristics,
so, for example, you can detonate a piece of malware in a VM, dump the memory,
carve out the offending module[1], upload it to VirusTotal, and still get a
positive hit.

1. It may need to be remapped to virtual address order and PE-formatted. I've
never tried it with raw pages.

~~~
daeken
> Absolutely true, but VirusTotal is only using hashing to determine if it's
> already scanned a particular file (and even if it has, you can still force a
> re-scan). Most of the individual AV engines have at least basic heuristics,
> so, for example, you can detonate a piece of malware in a VM, dump the
> memory, carve out the offending module[1], upload it to VirusTotal, and
> still get a positive hit.

I was referring to the method they currently use, which is just matching
hashes, not VirusTotal. No matter what, you need to somehow run the code
through an antivirus at some point, so the files need to go up to the server
or you need to run the AV locally.

------
polshaw
Interesting that the post about Google's tax avoidance[0] is the same age, with
twice as many points. [88/44 at time of posting]

Yet that has now slipped off the front page, and this is at the top of it!

0: <http://news.ycombinator.com/item?id=4899236>

~~~
eitland
Interesting observation. I can only guess someone flagged it for being
irrelevant.

------
capo
OP ought to restore the original title because it better represents the
content of that study seeing as it's clearly about the mechanism for verifying
side-loaded apps (introduced in 4.2) and not the Play store bouncer.