I understand there's apps with malicious things buried in them, but how can an antivirus determine between something like that and something benign?
As far as I can tell, traditional viruses, the way they work on Windows and DOS systems, just wouldn't work on Android.
I'm not sure if I'm just missing something, but this article kind of confirms my suspicions. It just seems like you'd have to be really fucking around, or just completely and utterly oblivious to some very obvious red flags, to install a straight up virus on Android.
You might be interested in reading Google's guidelines on what they consider to be a "potentially harmful application" (PHA).
> [..] anything you give specific access to system functions (like drawing over other apps) to, you have to go to a specific extra permission enabling screen full of warnings to enable it.
Oh, despite the on-device on-use/first-use consent, the Android app ecosystem was a big mess before Google started auto-detecting rogue apps and booting them out of the Play Store.
Even today, despite Google Play Protect, I occasionally find my friends complaining about apps hijacking their phones to show ads that are sometimes very hard to dismiss, and they absolutely do not know what to do (disable/uninstall no longer used apps, revoke permissions, disable notifications). They'd install anti-viruses in the hope that it would help fix that.
> how can an antivirus determine between something like that and something benign
Not sure what anti-viruses do, but some examples from Google's 2018 report on how they fished out PHAs using static/dynamic analysis of APKs and machine learning:
1. Re-packaged game apps with data-hoarding/adware.
2. Click-fraud apps (see above).
3. Suspension of key device functionality (esp. on a rooted device).
> It just seems like you'd have to be really fucking around, [..] to install a straight up virus on android.
You might be right: a good percentage of 2bn active Android users might be doing just that.
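As an added example (not from the thread and not Google's or any vendor's detector) of the kind of static manifest check the comment above alludes to: a Python script that parses a decoded AndroidManifest.xml and flags the permission and component combinations characteristic of the overlay-adware, click-fraud and data-hoarding PHAs listed. It assumes the APK's binary manifest has already been decoded to plain XML (apktool or androguard do this); the indicator table, weights and threshold are hypothetical triage heuristics, and both manifests are constructed for the demonstration.

```python
"""Static triage of a decoded AndroidManifest.xml for PHA-style indicators.

Added illustration, not Google's or any AV vendor's detector. Assumes the
APK's binary manifest has already been decoded to plain XML; the weights
and threshold below are a hypothetical triage scale, not a published one.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# <uses-permission> names mapped to the behaviours the thread complains about:
# overlay ads, SMS/data hoarding, sideloading further APKs, persistence.
PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW":
        ("overlay: can draw over other apps (hard-to-dismiss ads)", 3),
    "android.permission.REQUEST_INSTALL_PACKAGES":
        ("hostile downloader: can prompt to sideload further APKs", 3),
    "android.permission.READ_SMS": ("spyware: reads SMS (OTP, message hoarding)", 3),
    "android.permission.SEND_SMS": ("billing fraud: can send premium SMS", 3),
    "android.permission.PACKAGE_USAGE_STATS": ("overlay targeting: learns foreground app", 2),
    "android.permission.READ_CONTACTS": ("data hoarding: contacts export", 1),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("persistence: restarts at boot", 1),
}

# Signature permissions a service/receiver declares to bind a privileged role.
COMPONENT_INDICATORS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE":
        ("accessibility abuse: can read screens and click through UI", 3),
    "android.permission.BIND_DEVICE_ADMIN":
        ("device admin: can resist uninstall and lock the device", 3),
}

SUSPICIOUS_THRESHOLD = 6  # hypothetical cut-off on this toy scale


def _has_launcher_entry(root):
    """True if some activity or activity-alias is reachable from the app drawer."""
    for comp in list(root.iter("activity")) + list(root.iter("activity-alias")):
        for flt in comp.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            cats = {c.get(ANDROID_NS + "name") for c in flt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                return True
    return False


def triage_manifest(xml_text):
    """Return {'package', 'score', 'findings', 'verdict'} for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings, score = [], 0

    # 1. Dangerous/special permissions requested up front.
    perms = sorted({p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")
                    if p.get(ANDROID_NS + "name")})
    for name in perms:
        if name in PERMISSION_INDICATORS:
            why, weight = PERMISSION_INDICATORS[name]
            findings.append("%s: %s" % (name, why))
            score += weight

    # 2. Components that bind privileged system roles.
    for comp in list(root.iter("service")) + list(root.iter("receiver")):
        required = comp.get(ANDROID_NS + "permission")
        if required in COMPONENT_INDICATORS:
            why, weight = COMPONENT_INDICATORS[required]
            findings.append("%s %s: %s" % (comp.tag, comp.get(ANDROID_NS + "name"), why))
            score += weight

    # 3. No launcher icon: the classic "where did that app go?" adware trick.
    if not _has_launcher_entry(root):
        findings.append("no MAIN/LAUNCHER entry: app hides its icon from the user")
        score += 2

    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "ok"
    return {"package": root.get("package"), "score": score,
            "findings": findings, "verdict": verdict}


# Constructed sample: a "flashlight" that wants overlays, SMS, sideloading,
# an accessibility service, and has no launcher activity.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freeflashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Boot">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: what a flashlight app should look like.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.honestflashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], r["score"])
        for f in r["findings"]:
            print("  -", f)
```

Manifest triage like this is only the cheap first pass; the repackaged games and click-fraud apps in the list above typically declare the same permissions as their legitimate originals, which is why the report leans on dynamic analysis and ML over what the app actually does at run time rather than what it asks for.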
I don't think they do.
This is a different kind of malware.
Fortunately, you're probably not going to get 'infected' merely by being on the same network as someone with malware.
I think perhaps Google should take some API steps to help fix the problem. There are just some kinds of things that nary an app should be able to do anyhow.
AV has its uses, but imo only for tech illiterate people who tend to download random stuff and execute it without thinking about it.
I know people at Google who worked on related technology; it's not all fraud and they took their jobs rather seriously.
But there is definitely some fraud going on. Virus scanners are necessarily positioned and privileged perfectly for exploitation. You definitely have to be careful with what you employ in this capacity.
Edit: Found this one: https://support.virustotal.com/hc/en-us/articles/11500214654...
But it's mostly a scam. Unless you really go for dodgy apps, it's all fine.
If 100% of iOS antivirus apps are fraud, that implies they do nothing (probably because of permissions) and/or there are no viruses on iOS to even find, no? If that's the case, that'd further imply those antivirus apps aren't, themselves, malware. Then... what's the point? Why would they exist as apps (and why would people download them) if they do nothing and gain nothing for the author or the user?
Because they think they need antivirus, they go searching on the App Store, and because Apple has totally failed in curation in this regard, they find them.
They subsequently don't get a virus, leave a five star review, and recommend it to their friends. See the Simpsons episode about the "anti-tiger rock".
If it's free it's probably making money from ads, or making money from your information. Or you paid for it and it's doing the above anyways. AV style apps can ask for a lot of permissions without raising as much as an eyebrow because they need them to 'protect' users, which puts them in a nice spot to data mine.
First, AV bake-offs are a racket that gets security companies to hand over their malware samples or pay to be "excluded" from the bake-off. So anyone with advantageous data either gives that up, or pays to be left out of the test. There is nothing honest about their benchmarks or methods. Bake-off companies are scumbags, and this ZDNet reporter got taken.
Second: the hard problem with malware detection on mobile is that there is no privileged role to do analysis from. It's not like you can root the phone and do syscall interception. The best they can do is analysis of apps you can find, and doing automated software analysis at scale is some very interesting work.
However, if you are the target of a custom APT, there isn't a lot anyone can do.
There are a few startups who are doing automated dynamic analysis and working on symbolic execution problems to further this. That the industry has not solved it yet does not make them fraudulent.
Third, Android malware includes:
- fake repackaged apps with adware or spyware.
- spyware installed by 3rd party
- malware that roots the device
- whatever all those dodgy 2FA and password manager apps are.
- apps with libraries with known vulnerabilities (think image processing, overflows, etc)
- apps that hoover up your data (txts, contacts, browsing, etc) and send it to authors.
The security model of mobile devices (iOS and Android) enforces hard limits on what is possible in terms of security value add by a non-OEM vendor. OEMs are worse than useless, and so app vendors have moved into the game. The threat model apps mitigate is patchy, but it suffices for most consumer and enterprise use cases. However, if you antagonize a government and get targeted custom malware, it would seem naive to think an app vendor is going to protect you.
While I have no remaining affection for any vendors in that space, to call them fraudulent is sensational, if not obnoxious.
It seems to me that you've created your own conspiracy theory about the AV industry.
I don't see how this study can be disproven. "Security apps" detected themselves as malware. I'd say calling them "fraudulent" is quite accurate.
Just because you wrote a long comment, that doesn't make it right or accurate. You're way off base.
Can you mention some of the new technical directions? I used to work in security, did Windows AV, kernel layer, code analysis, etc., but I have been out of this game for a couple of years.
Today I am more interested in compiler techniques and code synthesis.