2012-04-01
Abstract
‘The industry seems to be surprised when old attacks are repurposed on new systems.’ Tim Armstrong, Kaspersky Lab
Copyright © 2012 Virus Bulletin
It has been very interesting to observe the meteoric rise of the Android operating system over the past few years. As we’ve seen in the past, the more popular a platform becomes, the more cybercrime and malicious activity target it. In 2011, the platform became the most popular target for cybercriminals, with attacks and exploits focusing on financial gain.
What is perhaps more interesting and unfortunate is that many of the attacks on the Android platform are not new – the technical nuances may be different, but the premise is the same. I’m not the first to note that successful Android attack techniques were first seen on Windows years earlier, but the problem continues to grow.
Let’s look at the differences. Early Windows malware was more of a disorganized nuisance than an effort to make money. This changed fundamentally once criminals realized the profit potential. Android malware writers entered the field with this knowledge, and we see very little, if any, malware specifically designed to harm the device – there’s no money in that.
We have seen mobile malware that can exploit the operating system, gain administrator privileges, install remote access backdoors, install banking malware and join botnets. We’ve seen fake anti-virus, phishing, adware and spyware.
Yet, the industry seems to be surprised when these old attacks are repurposed on new systems. Why? Aren’t mobile devices just one more computer we use? Shouldn’t we all have seen this coming?
While some of these attacks are unavoidable, many could have been avoided with better design – design we should have learned about based on the mistakes made in our Windows past.
Let’s take root exploits for example. With the sheer amount of code involved in designing an operating system, it is impossible to avoid a mistake that could enable an escalation of privilege exploit. In the Windows (and Apple) world, the response is to provide an update as soon as possible to close the flaw that allowed the attack. It’s the same on Android, but there is a lack of consistent updates in a timely manner, and a lack of support for older platforms. We need a system of modular security patches for current and (especially) older systems. What we don’t need is a new version of the operating system running on shiny new hardware every six months. One could argue that it still takes Windows a long time to address such flaws, but they do get addressed eventually. In many cases, if your mobile device has lost support, the flaw will never be addressed.
Perhaps it’s the nature of the modern disposable mindset: if a device stops working, you don’t fix it, you replace it. Perhaps that’s what all the companies that sell Android hardware are banking on. However, you can’t expect everyone to upgrade to a new device every six months, and you certainly can’t do it in the name of security.
Android was designed with security in mind. But it was not designed with users in mind. Take the app permissions screen. Most people click past it as fast as their fingers will allow. While making permissions known to the end-user is a good idea, the Windows installer screen has taught users to click and click until they’re done. With the recent spate of adware arriving for Android, perhaps it would make more sense to warn users how much of their data is being sent to third parties. Google decided not to remove the apps containing the so-called ‘Counterclank’ advertising because it did not violate its terms of service. Perhaps this is because Google is primarily an advertising company. Didn’t we already hash out these overly aggressive advertising practices on Windows? Why has data leakage become OK just because we’re on a new platform?
So, is Android simply Windows all over again? In some ways, it’s worse. Companies are already aware of the threat, and have done little to protect against it. It is not in Google’s or the ISP’s or even the device manufacturer’s fiscal interest to release updates consistently at this point. It is important to sell new devices with new service plans. Until this situation changes (or becomes less profitable), we can expect nothing to change.