It has been more than 24 months since we released Trend Micro Mobile App Reputation Service. In that time, the number of malicious and high-risk mobile apps has grown from a few thousand to more than 1.4 million. The mobile security landscape continues to change. More than 80% of malicious mobile apps are premium service abusers and/or spyware that steals personal information. Many of these malicious and high-risk mobile apps are hosted on malicious sites or in legitimate app stores.
One good example is the recent trojanized Flappy Bird. After this very addictive game reached more than 50 million downloads, the developer announced a plan to withdraw the app from the app stores. Less than 24 hours after the developer pulled the plug, a fake Flappy Bird mobile app began to spread in the online app store. The fake Flappy Bird was simply the original app, repackaged and injected with malicious code.
The repackaging of mobile apps is nothing new. Many popular mobile apps have been unpackaged, decompiled, modified with new code and repackaged to create a new mobile app. The inserted code, which ranges from Premium Service Abuser code to third-party SDKs, turns the result into a malicious or potentially unwanted app.
Another example is the emerging problem of mobile vulnerabilities. The Android “master key” vulnerability, which was found in July 2013, attracted huge media attention. This vulnerability allows attackers to update an installed app without the original developer’s signing key, so in theory any installed app can be updated with a malicious version.
Preventing a malicious mobile app from exploiting an operating system vulnerability usually requires an operating system update. But the complexity of the Android operating system version distribution and the number of different Android OEM vendors make operating system updates more difficult. We expect more malicious apps to arise this year that exploit vulnerabilities in operating systems and in mobile apps themselves.
Trend Micro Mobile App Reputation Service now moves beyond anti-malware to address these ever-increasing mobile security issues. We implemented a static analyzer to dissect the mobile code and analyze both mobile API usage and personal data usage. We also implemented the most advanced dynamic sandbox environment to detect and analyze mobile app runtime behavior. With these powerful analyzers, the service provides the following features:
Malicious and Privacy Leak App Detection
The service uses advanced data tracking technology to track and monitor privacy data such as phone number, location, contacts, etc. in a runtime Android sandbox. We trace privacy data from the moment the app accesses it. Even when the app truncates, modifies or encrypts the data, we can still track and monitor it. If the app tries to send the data out over the internet, SMS, etc., we detect the app as a privacy leak app and report what data is sent and where it is sent. In AV-Test’s recent January 2014 benchmarking of 30 mobile security solutions, the Trend Micro product rated high in protecting against both Android malware and potentially unwanted programs versus the average of all vendors in the test. (AV-Test report) (see diagram 2)
Mobile App Repack Detection
We detect repacked mobile apps based on the app structure. We can also identify the original mobile app that the fake app was repackaged from.
Mobile App Third-party Advertisement SDK Detection
We detect and analyze aggressive mobile advertisement SDKs that are known to annoy users and collect their private information, and we identify sensitive SDK actions such as reading the user’s SMS/MMS, getting location, getting the IMEI/phone number, etc.
Mobile App Vulnerability Detection
We detect mobile app vulnerabilities that can be leveraged by attackers for hacking, privacy violations, sensitive information gathering, etc. We also detect malicious mobile apps that try to exploit system vulnerabilities.
Mobile App Categorization
We use advanced content inspection technology to classify the actual application category. For example, adult content mobile apps can hide themselves in an unrelated category; our categorization feature inspects the content to put the app into the right category. This enables advanced content protection for app stores and any mobile app content analysis service.
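
A simplified illustration of the structure-based repack detection described under Mobile App Repack Detection above, as an added example that is not Trend Micro's implementation: it fingerprints an APK's non-signature entries, compares them with known originals, and reports the original when a near-identical app is signed by a different key. The package names, the threshold, the constructed sample APKs and the use of raw signature-block bytes as the signer identity are all assumptions.

```python
import hashlib
import io
import zipfile

THRESHOLD = 0.6  # assumed similarity cut-off, not a vendor value

def make_apk(files):
    """Build a constructed in-memory APK (a ZIP) from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def fingerprint(apk):
    """Return (set of (name, sha256) for payload entries, signer digest)."""
    structure, signer = set(), hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if not info.filename.startswith("META-INF/"):
                structure.add((info.filename, hashlib.sha256(data).hexdigest()))
            elif info.filename.endswith((".RSA", ".DSA", ".EC")):
                # Simplification: a real tool would parse the PKCS#7 block
                # and hash the signing certificate itself.
                signer.update(data)
    return structure, signer.hexdigest()

def find_original(suspect, known):
    """Closest known app with near-identical structure but a different signer."""
    s_struct, s_signer = fingerprint(suspect)
    best = (None, 0.0)
    for name, apk in known.items():
        k_struct, k_signer = fingerprint(apk)
        sim = len(s_struct & k_struct) / (len(s_struct | k_struct) or 1)  # Jaccard
        if k_signer != s_signer and sim >= THRESHOLD and sim > best[1]:
            best = (name, sim)
    return best

# Constructed sample data (hypothetical package names and contents).
BASE = {"AndroidManifest.xml": b"manifest", "classes.dex": b"original code",
        "resources.arsc": b"table", "res/bird.png": b"bird",
        "res/pipe.png": b"pipe", "res/bg.png": b"bg", "assets/sfx.ogg": b"sfx"}
KNOWN = {
    "com.example.game": make_apk({**BASE, "META-INF/CERT.RSA": b"developer cert"}),
    "com.example.notes": make_apk({"AndroidManifest.xml": b"notes manifest",
        "classes.dex": b"notes code", "META-INF/CERT.RSA": b"other cert"}),
}
REPACK = make_apk({**BASE, "classes.dex": b"original code + inserted code",
                   "META-INF/CERT.RSA": b"unknown cert"})
UPDATE = make_apk({**BASE, "classes.dex": b"v2 code",
                   "META-INF/CERT.RSA": b"developer cert"})

if __name__ == "__main__":
    print(find_original(REPACK, KNOWN), find_original(UPDATE, KNOWN))
```

The update signed with the developer's own key is not reported even though its code changed, which is the distinction between a legitimate new version and a repack.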