Endpoint

4/19/2016
06:00 PM

Android Year In Review: No Successful Stagefright, Certifigate Exploits

Plus, Android users who install apps outside of Google Play are 10 times more likely to have installed a potentially harmful application, according to new Google Android Security Year in Review report.

Despite the size and complexity of the Android ecosystem, actual user devices escaped any attempts to exploit the Stagefright and Certifigate vulnerabilities discovered in 2015, according to Google's new Android Security Year in Review.

Improvements Google has made to its official Google Play app store, as well as to the Verify Apps service that warns users about Potentially Harmful Applications (PHAs) when they download them from outside Google Play, appear to be paying off.

After Google added a red icon and exclamation mark to its Verify Apps warning dialog, 50% fewer users voluntarily installed PHAs. Google also added a new capability to Verify Apps, so that on very exceptional occasions it can remove applications that have registered as device administrators, as was the case when the Android team decided to take action to protect users against a Russian banking fraud scheme.

Nevertheless, it is inside Google Play where Android users are safest. Devices that allow apps downloaded from outside Google Play are 10 times more likely to have PHAs on them than those that do not. PHAs were found on less than 0.15% of devices that only get apps from Google Play, compared with 0.5% of devices that get apps from Play and other sources.

Although installation attempts by PHAs outside of Google Play increased, installation attempts within Play decreased by over 40%. The biggest increase in attempts was by hostile downloaders, which rose from 0.06% to 2.60% of installation attempts.

Ghost Push

The spike in hostile downloaders was almost entirely due to a family of Trojan downloaders called Ghost Push, which boasted over 40,000 apps.

During a seven-week period in the summer of 2015, Ghost Push installation attempts contributed up to 30% of all attempts worldwide -- equalling 3.5 billion attempts in all. Upon further investigation, the Google Android team traced many of the attempts back to an over-the-air (OTA) update provider for device manufacturers and carriers in the Southeast Asia region. The OTA update provider also offers a remote application installation service, and apps in the Ghost Push family were among those the company was attempting to install.

The number of affected devices was far lower than the number of attempts, since an unsuccessful attempt might be repeated hundreds of times; Google researchers estimate that there were only about 4 million affected devices, and their clean-up efforts working with the OTA provider reduced the impact by about 90%.


Google also reported that ransomware is "almost exclusively" distributed outside of Google Play and accounts for less than 0.01% of total app installs, mostly targeting Russian-speaking users via porn apps or fake media players.

Through its bug bounty program, the Google Vulnerability Rewards Program, Google paid $210,161 for Android vulnerabilities, including 30 rated critical and 34 rated high-impact.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
olivierl941, User Rank: Apprentice
5/4/2016 | 9:23:06 PM
Independent audit of more than 1 million Apps from Google Play
Hi Sarah

I enjoyed reading your article.

If I may, I'd like to add my two cents here. We just performed a behavioral audit of more than 1.3 million Apps, 80% from the Google Play store. Audits are fairly recent and results were published in March.

We classify the Apps in three categories: Safe, Malicious and Suspicious. Suspicious Apps show undeclared behaviors that are not necessary to the purpose of the app. According to context, these behaviors can be perfectly acceptable or rogue.

We classify the threats in three categories: Financial loss, Security threat and Privacy threat.

Here are a few results only for Android Apps:

- 29.7% of Apps show suspicious behaviors related to Privacy threat

- 1.4% are Malicious in the Financial Loss category!

- 16.5% are suspicious in the Security threat category and 4.9% are malicious in that same category.

Obviously these numbers are larger than the ones published by Google; my guess is that our definitions of Suspicious and Malicious might be different.

If interested, I'll be happy to share more results.

Olivier Lauzeral / Pradeo