4/19/2016 06:00 PM
Android Year In Review: No Successful Stagefright, Certifigate Exploits

Plus, Android users who install apps outside of Google Play are 10 times more likely to have installed a potentially harmful application, according to new Google Android Security Year in Review report.

Despite the size and complexity of the Android ecosystem, Google saw no successful exploitation on user devices of the Stagefright and Certifigate vulnerabilities disclosed in 2015, according to its new Android Security Year in Review report.

Improvements Google has made to its official Google Play app store, as well as to the Verify Apps service that warns users about Potentially Harmful Applications (PHAs) when they install them from outside Google Play, appear to be paying off.

After Google added a red icon and exclamation mark to its Verify Apps warning dialog, 50% fewer users went ahead and installed PHAs anyway. Google also added a new capability to Verify Apps so that, in exceptional cases, it can remove applications that have registered themselves as device administrators (an app holding that role cannot normally be uninstalled until the user deactivates it first), as it did when the Android team decided to take action to protect users against a Russian banking fraud scheme.

Nevertheless, Android users are safest when they install only from Google Play. Devices that allow apps from outside Google Play are 10 times more likely to have PHAs on them than those that do not. PHAs were found on less than 0.15% of devices that get apps only from Google Play, and on 0.5% of devices that get apps from Play and other sources.
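The two signals the report singles out, apps installed from outside Google Play and apps holding device-administrator rights, can be checked on a device with adb. The script below is an added example, not code from Google or from the article. It assumes the stock Android output formats of pm list packages -i and dumpsys device_policy, and the settings keys install_non_market_apps (the pre-Android 8 "Unknown sources" switch; newer versions grant the right per app instead) and package_verifier_enable (Verify Apps). The parsing is kept in functions that take captured command output, and a constructed sample is used when no device is attached, so the script runs offline.

```sh
#!/bin/sh
# Added example (not from Google or the article): audit an attached Android
# device for apps installed from outside Google Play and for apps holding
# device-admin rights, and show the "Unknown sources" / "Verify apps" settings.
# Assumed: stock Android formats of `pm list packages -i` and
# `dumpsys device_policy`, and the settings keys named in device_settings().

# List packages whose installer is not Google Play.
# $1: text of `adb shell pm list packages -3 -i`, one
#     "package:X  installer=Y" per line (installer=null when unknown).
sideloaded_packages() {
    printf '%s\n' "$1" | awk '
        /^package:/ {
            pkg = $1; sub(/^package:/, "", pkg)
            inst = "null"
            for (i = 2; i <= NF; i++) if ($i ~ /^installer=/) inst = substr($i, 11)
            if (inst != "com.android.vending") print pkg " " inst
        }'
}

# List packages holding device-admin rights.
# $1: text of `adb shell dumpsys device_policy`; admin entries appear as
#     indented "pkg/.Receiver:" lines under "Enabled Device Admins" (assumed format).
device_admins() {
    printf '%s\n' "$1" | awk '
        /Enabled Device Admins/ { in_section = 1; next }
        in_section && /^ *[A-Za-z0-9_.]+\/[A-Za-z0-9_.$]+:$/ {
            comp = $1; sub(/:$/, "", comp)
            split(comp, parts, "/"); print parts[1]
        }'
}

# Show the two settings from an attached device (requires adb and a device).
# install_non_market_apps=1 means sideloading is allowed (pre-Android 8);
# package_verifier_enable=1 means Verify Apps is on.
device_settings() {
    printf 'unknown_sources=%s\n' "$(adb shell settings get secure install_non_market_apps | tr -d '\r')"
    printf 'verify_apps=%s\n'     "$(adb shell settings get global package_verifier_enable | tr -d '\r')"
}

# Constructed sample output (not captured from a real device), used offline.
SAMPLE_PM='package:com.example.game  installer=com.android.vending
package:com.example.bank  installer=null
package:com.example.tool  installer=com.android.packageinstaller'
SAMPLE_DPM='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.bank/.AdminReceiver:
      uid=10123
      policies:
        force-lock'

if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    device_settings
    pm_out=$(adb shell pm list packages -3 -i | tr -d '\r')
    dpm_out=$(adb shell dumpsys device_policy | tr -d '\r')
else
    echo "no device attached; using constructed sample output" >&2
    pm_out=$SAMPLE_PM
    dpm_out=$SAMPLE_DPM
fi

echo "Packages not installed by Google Play (package installer):"
sideloaded_packages "$pm_out"
echo "Packages with device-admin rights:"
device_admins "$dpm_out"
# An unwanted admin can be stripped of the role before uninstalling it with
#   adb shell dpm remove-active-admin <pkg>/<receiver>   (Android 7 or later)
```

A package that shows up in both lists, installed from an unknown source and holding device-admin rights, is exactly the pattern the report describes for the banking-fraud case and is worth a closer look.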

Although installation attempts by PHAs from outside Google Play increased, installation attempts within Play decreased by over 40%. The biggest increase was in hostile downloaders, which rose from 0.06% to 2.60% of installation attempts.

Ghost Push

The spike in hostile downloaders was almost entirely due to a family of Trojan downloaders called Ghost Push, which comprised over 40,000 apps.

During a seven-week period in the summer of 2015, Ghost Push installation attempts made up as much as 30% of all installation attempts worldwide, 3.5 billion attempts in all. On further investigation, the Google Android team traced many of the attempts back to an over-the-air (OTA) update provider serving device manufacturers and carriers in Southeast Asia. The OTA update provider also offers a remote application installation service, and apps in the Ghost Push family were among those it was attempting to install.

The number of affected devices was far lower than the number of attempts, since an unsuccessful attempt might be repeated hundreds of times on the same device. Google researchers estimate that only about 4 million devices were affected, and their clean-up efforts, carried out with the OTA provider, reduced the impact by about 90%.


Google also reported that ransomware is "almost exclusively" distributed outside of Google Play and accounts for less than 0.01% of total app installs, mostly targeting Russian-speaking users via porn apps or fake media players.

Through its bug bounty program, the Google Vulnerability Rewards Program, Google paid $210,161 for Android vulnerability reports, including 30 rated critical and 34 rated high severity.


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
olivierl941, 5/4/2016 | 9:23:06 PM
Independent audit of more than 1 million apps from Google Play
Hi Sarah

I enjoyed reading your article. 

If I may, I'd like to add my two cents here. We just performed a behavioral audit of more than 1.3 million apps, 80% from the Google Play store. The audit is fairly recent and the results were published in March.

We classify the apps in three categories: Safe, Malicious and Suspicious. Suspicious apps show undeclared behaviors that are not necessary to the purpose of the app. Depending on context, these behaviors can be perfectly acceptable or rogue.

We classify the threats in three categories: Financial loss, Security threat and Privacy threat.

Here are a few results, for Android apps only:

- 29.7% of apps show suspicious behaviors related to the Privacy threat category

- 1.4% are Malicious in the Financial Loss category!

- 16.5% are suspicious in the Security threat category and 4.9% are malicious in that same category.

Obviously these numbers are larger than the ones published by Google; my guess is that our definitions of Suspicious and Malicious might be different.

If interested I'll be happy to share more results.

Olivier Lauzeral/ Pradeo