The latest version of Android 4.2, code-named “Jelly Bean” has been released some time ago. While being just an incremental update to the major 4.0 release “Ice Cream Sandwich”, Google introduced some major new features within that update. While offering multi-user support and improved notifications, a new feature which is being promoted heavily, is the built-in app scanner which should protect Android devices from being infected by malware.
The client side app scanner of Android 4.2 is the next step in Google’s attempts to protect their Android ecosystem from malware threats, after introducing Bouncer, a server-side malware scanner used by Google to analyze apps that are being uploaded to Google Play Store. Bouncer was announced in February 2012 and is Google’s approach to prevent malware from being uploaded to the Google Play store as a first line of defense.
Now, some authors claim that third party mobile security tools are most likely not needed anymore, because Google now already pre-checks all mobile apps. I’ve been closely monitoring all those changes and improvements because I wanted to make my own mind on how successful these attempts by Google would be and to find out how our Android antivirus scanner delivered within our free avast! Mobile Security suite would stack up to what the operating system vendor itself would be able to provide.
Since months before the release of avast! Mobile Security in December 2011, our virus lab was working on setting up the initial state of our Android malware database. The database contains signatures of all the malicious files our virus lab guys find over time and is being extended day-by-day to contain definitions of the newest threats in real-time. Currently, tens of millions of Android devices owned by our users download those definitions every day to their avast! client side scanners. So I just went to our virus lab and asked the guys there to provide me with some statistics on the growth of our Android malware database.
As I already stated, Bouncer was thought to be the first line of defense, and tries to protect the main source of app downloads from malicious offerings. Could it be that as a result of introducing Bouncer, our malware database stopped growing or started to decline in size when Bouncer was introduced? Has Google been successful? See for yourself:
Android Malware Database History (Click to enlarge)
Obviously, since February 2012, our Android malware growth has not started to decline; it has not even stalled its growth, but has been continuously growing since that point in time. Now what? Why did Google’s attempts by introducing Bouncer not succeed? The question behind that is not to be answered reliably as Google does not want malware writers to understand the works of Bouncer and therefore does not provide much information about the logics of Bouncer. Maybe, and that’s just a guess, the reason is that Bouncer mainly operates automatically, and those automated checks are easily circumvented by malware authors. We’ll have to trust the numbers for now.
But one thing for sure, the Google Play Store is not the only source of Android application installations. Lots of users choose the freedom to download apps from alternate app stores like AndroidPIT or Amazon. This is the main reason why Google now tries to extend the malware protection to the client side as well.
"The server does all the hard work," Android VP of Engineering, Hiroshi Lockheimer, told Computerworld about the new protection mechanism. "The device sends only a signature of the APK so that the server can identify it rapidly."
On the server side, the signature of the app package seems to be matched against the Bouncer database and a red flag is being raised whenever it is identified as being malware.
Let’s compare that to the way how avast! Mobile Security works. It is already known that Bouncer has obvious flaws in malware detection, but just using signatures of complete app packages is always insecure. At AVAST, the client side scanner detects every app installation. It unpacks the app package, and looks into it. Whenever something suspicious is found or a user reports malware using our Community IQ network, the app package is being sent to our virus lab. Additionally our virus lab guys scan the web for new packages popping up and also put them to analysis.
Our definitions contain hand-made signatures that do not only apply to complete packages, but also define certain content pieces within those packages. That small pieces connected together build up a really strong detection mechanism that is able to detect hundreds, thousands and even more different malicious applications. So, it is self-evident that this way of analyzing for malware is much safer than just matching complete installations.
It is now time for a final statement. I think it is great that Google tries to prevent malware from getting to Android handsets and in any way it is better to have some protection than no protection at all. But it’s the same as in the PC world. The vendors perform basic protection steps to get to a base level of security.
However, as a responsible user it is necessary to add protection on top of that and I recommend you to use avast! Mobile Security as your trusted add-on protection on any Android device you use. On top of getting top-notch malware protection, it offers so much more in functionality and it is trusted by millions and millions of users. Get it now - for FREE!