Total Pageviews

Tuesday, December 11, 2012

Study Finds Weakness in Google\'s Android Security Service

5:09 p.m. | Updated Adding comment from Google.

2:23 p.m. | Updated Adding comment from Lookout.

In the latest version of the Android operating system, Google added a security tool that is supposed to prevent users from installing harmful software. But an independent study suggests that the feature fails to detect large swaths of malware.

An Android user can turn on Google's new feature, called the “application verification service,” in settings. Once it is flipped on, whenever an app is being installed, the service sends information about the app to Google for verification, and Google responds with a result.

If the service detects a “potentially dangerous app,” it warns the user that the app may harm the device if installed. And if the service detects a “dangerous app,” it simply blocks it from being installed.

Xuxian Jiang, an associate professor of computer science at North Carolina State University, put Google's security service through some tests. He installed 1,260 samples of malware on Google Nexus tablets, and Google's service caught only 193 of them - a detection rate of 15 percent. Mr. Jiang concludes that the service is still immature and has lots of room to improve.

Google says that along with its verification service, it has a security system called Bouncer. Whenever an app is submitted to Google Play, the official Android app store, Bouncer puts it through a simulation on Google's servers to search for hidden malware, spyware and trojans.

Lookout, a mobile security company based in San Francisco, said it had also tested Google's verification service and its results were consistent with Mr. Jiang's. Derek Halliday, a product manager at Lookout, said Google's security tools were relatively new, so their imperfections were not surprising. He noted that Google also recently acquired VirusTotal, a company that offers an online service for detecting malware.

“It signals Google is taking the problem seriously,” Mr. Halliday said. “When Google makes these types of improvements, it's safe to say everyone wins.”

In a statement, a Google spokeswoman said that many of the apps in Mr. Jiang's test were samples used by security researchers, and they are not downloaded by Android users. The company said its application verification service focuses on catching malware that people will actually encounter.

“The Google Play application verification service uses real-world data and multiple detection techniques to protect against Android malware,” the company said in a statement. “We go after threats users are most likely to face, rather than just focusing on an AV test set which m ay not be representative of actual conditions.”

Google did not immediately respond to a request for comment. ZDNet first reported the study.