Only 15% of known malware caught by Android 4.2's verifier
Source: NCSU report
One of the enhancements in Android 4.2 was a new app verification service that tested applications being installed against a Google service in the cloud to see whether the app was known to contain malware or not. If the results of Xuxian Jiang's research are correct, Google will need to do a lot more work on the feature to make it useful, as only 15 per cent of the known malware samples tested on the service were detected.
Jiang, an associate professor at NC State University, took Nexus 10 tablets running Android 4.2 and, using semi-automated installations, loaded 1260 malware samples from the Android Malware Genome Project onto the devices. Of the 1260 samples, only 193 were detected as malware. The researcher also performed a test comparing Google's verification against a range of ten different existing anti-virus applications through VirusTotal, looking at randomly selected malware samples from each malware family. The anti-virus applications run by VirusTotal ranged in efficacy from 100% to 51%, but the Android app verification system scored only 20.4%. VirusTotal was acquired by Google in September 2012.
The researcher noted that the app verification service uses a fragile mechanism of verifying SHA1 values from the app and package name to determine whether a package is dangerous or potentially dangerous. He believes more information needs to be collected to give a more robust system, but cannot say what that information should be or how collecting it should be squared with user privacy concerns.
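A simplified model of that lookup, added here as an illustration and not taken from the NCSU report or from Google's service: it assumes the verdict is an exact match on the package name plus the SHA-1 of the APK file, and measures how many builds of a malware family a blocklist actually covers. The family names, package names and sample bytes are constructed.

```python
import hashlib


def fingerprint(package_name, apk_bytes):
    """Lookup key in this model: package name plus SHA-1 of the whole file."""
    return package_name, hashlib.sha1(apk_bytes).hexdigest()


def build_blocklist(known_samples):
    """Server-side set of fingerprints for samples already analysed."""
    return {fingerprint(name, data) for name, data in known_samples}


def verify(package_name, apk_bytes, blocklist):
    """Exact-match verdict: any byte difference produces a different SHA-1."""
    if fingerprint(package_name, apk_bytes) in blocklist:
        return "dangerous"
    return "unknown"


def detection_rate(samples, blocklist):
    """Fraction of samples the exact-match lookup flags."""
    hits = sum(verify(n, d, blocklist) == "dangerous" for n, d in samples)
    return hits / len(samples)


def make_family(package_name, builds):
    """Constructed stand-ins for several builds of one family (not real APKs)."""
    return [(package_name, b"PK\x03\x04" + f"{package_name}-build-{i}".encode())
            for i in range(builds)]


# Constructed corpus: two made-up families with five builds each.
FAMILY_A = make_family("com.example.family_a", 5)
FAMILY_B = make_family("com.example.family_b", 5)
CORPUS = FAMILY_A + FAMILY_B

# The blocklist has only seen three of the ten builds.
BLOCKLIST = build_blocklist([FAMILY_A[0], FAMILY_B[0], FAMILY_B[1]])

if __name__ == "__main__":
    print("family A:", detection_rate(FAMILY_A, BLOCKLIST))
    print("family B:", detection_rate(FAMILY_B, BLOCKLIST))
    print("overall :", detection_rate(CORPUS, BLOCKLIST))
```

Coverage in this model equals the share of builds whose exact bytes were previously analysed, so knowing one member of a family says nothing about its siblings.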
He also notes that the verification system relies on the server component, leaving the client side of the system completely without detection capabilities; adding those capabilities, though, would be a delicate balance for mobile devices. The researcher is more hopeful that the potential integration of the Google-owned VirusTotal service with the app verification service could provide much better detection results.