Spotting malicious apps before they are offered for download, or removing them once they are, is a tough challenge for every online Android app marketplace, including Google Play, but recent research by a group of scientists from several US and Chinese universities offers considerable hope for improving the practice.
The researchers’ MassVet technique, for vetting apps at a massive scale, doesn’t rely on how an app behaves.
“Unlike existing detection mechanisms, which often utilize heavyweight program analysis techniques, our approach simply compares a submitted app with all those already on a market, focusing on the difference between those sharing a similar UI structure (indicating a possible repackaging relation), and the commonality among those seemingly unrelated. Once public libraries and other legitimate code reuse are removed, such diff/common program components become highly suspicious,” they explained in a paper.
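The diff/common comparison described above, as an added toy illustration on constructed data (this is not the researchers' MassVet code): each app is reduced to a set of UI-structure hashes and a set of code-component hashes, both made-up labels standing in for the view-structure and method-level fingerprints a real system would compute. The "diff" step looks at apps with a similar UI and reports code the newcomer has that the original lacks; the "common" step reports code shared with apps whose UI is unrelated; public libraries are removed before either result is judged suspicious. The thresholds, the `c_sms_sender` component and the package names are all assumptions.

```python
# Toy illustration of MassVet's diff/common idea on constructed data; this is not the
# researchers' code. UI/code "hashes" are made-up labels standing in for the
# view-structure and method-level fingerprints a real system would compute.
from typing import Dict, Set

# Constructed market corpus: each app = set of UI-structure hashes + set of code-component hashes.
MARKET: Dict[str, Dict[str, Set[str]]] = {
    "com.example.notes":      {"ui": {"u1", "u2", "u3", "u4"}, "code": {"c1", "c2", "c3", "lib.ads"}},
    "com.example.weather":    {"ui": {"u7", "u8", "u9"},       "code": {"c7", "c8", "lib.ads"}},
    "com.example.calc":       {"ui": {"u10", "u11"},           "code": {"c10", "c11", "lib.analytics"}},
    # An unrelated app that already carries the same (hypothetical) payload component;
    # one malicious module injected into many repackaged apps is a common pattern.
    "com.example.flashlight": {"ui": {"u30", "u31"},           "code": {"c30", "c_sms_sender"}},
}
# Known public libraries are removed before anything is judged suspicious.
PUBLIC_LIBS = {"lib.ads", "lib.analytics"}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Set similarity in [0, 1]; two empty sets count as dissimilar."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def diff_analysis(new_app, market, ui_threshold=0.8):
    """Diff step: for market apps with a similar UI (likely repackaging relation),
    return the code the new app has that the original does not, minus public libraries."""
    suspects = {}
    for name, app in market.items():
        if jaccard(new_app["ui"], app["ui"]) >= ui_threshold:
            extra = (new_app["code"] - app["code"]) - PUBLIC_LIBS
            if extra:
                suspects[name] = extra
    return suspects


def common_analysis(new_app, market, ui_threshold=0.2):
    """Common step: code shared with apps whose UI is unrelated, minus public
    libraries, is suspicious because legitimate unrelated apps rarely share code."""
    shared = set()
    for app in market.values():
        if jaccard(new_app["ui"], app["ui"]) < ui_threshold:
            shared |= (new_app["code"] & app["code"]) - PUBLIC_LIBS
    return shared


def vet(new_app, market):
    """Combine both steps into a verdict plus the evidence behind it."""
    diff = diff_analysis(new_app, market)
    common = common_analysis(new_app, market)
    return {"diff": diff, "common": common,
            "verdict": "suspicious" if diff or common else "clean"}


# Constructed submissions: a repackaged copy of the notes app with one added component,
# and a genuinely new app that only reuses a public library.
REPACKAGED_NOTES = {"ui": {"u1", "u2", "u3", "u4"},
                    "code": {"c1", "c2", "c3", "lib.ads", "c_sms_sender"}}
CLEAN_NEW_APP = {"ui": {"u40", "u41"}, "code": {"c40", "c41", "lib.analytics"}}

if __name__ == "__main__":
    for label, app in [("repackaged notes", REPACKAGED_NOTES), ("clean new app", CLEAN_NEW_APP)]:
        print(label, vet(app, MARKET))
```

The repackaged submission is flagged twice: the diff step finds `c_sms_sender` as the only non-library code it adds to `com.example.notes`, and the common step finds the same component shared with the unrelated flashlight app. The clean app shares only `lib.analytics` with the corpus, which the library filter removes. A real deployment needs a far better "legitimate reuse" filter than a fixed library list (a developer's own helper code reused across their apps would otherwise show up in the common step), which is where false positives come from.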
The researchers boast that MassVet can analyze an app in less than 10 seconds, and that false positives are few.
The mechanism is also particularly effective at spotting malicious repackaged apps, which make up the vast majority of Android malware. It also appears well suited to detecting zero-day malware (the researchers found over 20 such samples).
Their testing of over 1.2 million apps from 33 app markets around the world, including Google Play and Amazon Appstore, revealed 127,429 malicious apps.
“Our system captured tens of thousands of malware, including those slipping under the radar of most or all existing scanners, achieved a higher detection coverage than all popular malware scanners within VirusTotal and vetted new apps within ten seconds,” they noted. “Some malware have over millions of installs. 5,000 malware were installed over 10,000 times each, impacting hundreds of millions of mobile devices.”
Their research also showed the mechanisms that malware authors use to hide and distribute the malware, and the mistakes Google makes when vetting new apps and re-checking old ones on Google Play: banning the malicious developer but not the app; not banning the same app re-uploaded under a different name; and not banning the same app (same MD5 and same name) immediately after it is uploaded again.
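The three vetting gaps just listed, as an added illustration on constructed data (this is not Google Play's or the researchers' code): a ban that is recorded only against the developer account misses the app itself, a ban keyed only on the package name misses a rename, and a ban that is not consulted at upload time misses a byte-identical re-upload. Recording each ban on three keys, and checking all three when a package arrives, closes all of them. The package bytes, developer IDs and the `c_sms_sender` component are constructed; `code_fingerprint` is a hypothetical stand-in for a name-independent code fingerprint.

```python
# Added illustration of enforcing bans at upload time on three keys; constructed data,
# not any marketplace's real vetting code.
import hashlib
from typing import Dict, List, Set


def code_fingerprint(code_components: Set[str]) -> str:
    """Name-independent fingerprint over sorted code-component hashes (hypothetical
    stand-ins for method-level fingerprints), so renaming the package does not change it."""
    return hashlib.sha256(",".join(sorted(code_components)).encode()).hexdigest()


class BanList:
    """A ban is recorded on developer, package MD5 and code fingerprint, so that
    each of the three mistakes listed in the article is caught."""

    def __init__(self) -> None:
        self.developers: Set[str] = set()
        self.md5s: Set[str] = set()
        self.fingerprints: Set[str] = set()

    def ban(self, app: Dict) -> None:
        self.developers.add(app["developer"])
        self.md5s.add(app["md5"])
        self.fingerprints.add(code_fingerprint(app["code"]))


def check_upload(app: Dict, bans: BanList) -> List[str]:
    """Run at upload time; returns the reasons an app must be rejected (empty = allowed)."""
    reasons = []
    if app["developer"] in bans.developers:
        reasons.append("developer banned")
    if app["md5"] in bans.md5s:
        reasons.append("identical package (same MD5) previously banned")
    if code_fingerprint(app["code"]) in bans.fingerprints:
        reasons.append("same code previously banned under another name")
    return reasons


def md5_of(blob: bytes) -> str:
    return hashlib.md5(blob).hexdigest()


# Constructed packages: the original malicious app, a byte-identical re-upload by a
# new account, and a renamed re-upload whose bytes differ but whose code does not.
ORIGINAL = {"name": "Super Notes", "developer": "dev-A", "md5": md5_of(b"apk-bytes-v1"),
            "code": {"c1", "c2", "c_sms_sender"}}
REUPLOAD_SAME_BYTES = dict(ORIGINAL, developer="dev-B")
RENAMED = {"name": "Notes Pro", "developer": "dev-B", "md5": md5_of(b"apk-bytes-v2"),
           "code": {"c1", "c2", "c_sms_sender"}}


def demo() -> Dict[str, List[str]]:
    """Ban the original, then show what each re-upload attempt is rejected for."""
    bans = BanList()
    bans.ban(ORIGINAL)
    return {"same_bytes": check_upload(REUPLOAD_SAME_BYTES, bans),
            "renamed": check_upload(RENAMED, bans),
            "original_again": check_upload(ORIGINAL, bans)}


if __name__ == "__main__":
    for attempt, reasons in demo().items():
        print(attempt, "->", reasons or ["allowed"])
```

The developer-only ban would have let both re-uploads through (they come from `dev-B`); the MD5 key catches the byte-identical copy, and the code fingerprint catches the renamed copy even though its MD5 differs.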
All in all, of the 127,429 malicious apps they found, 30,552 were on Google Play.