Android AirBag softens malware blow

Kills runtime risks

Researchers have developed an application that could significantly improve the malware defences of Android devices.

The application was found to have prevented damage from 20 different malware samples when a proof of concept of the software was loaded on a Google Nexus One, Nexus 7 and Samsung Galaxy S III.

AirBag worked as a client-side framework which its authors claimed "significantly" boosted the ability of Android devices to defend against malware.

It worked by creating a separate app isolation runtime, decoupled from the native runtime and enforced through lightweight OS (operating system)-level virtualisation.

This, the authors said, meant AirBag shone a spotlight on malware by giving transparency into the execution of untrusted applications, while preventing the loss of sensitive data and damage by malware to the Android system.

Without AirBag, Android applications share the same runtime and can communicate with all other apps, creating a large attack surface for hackers.

They claimed the application did not drain the limited compute resources available on tablets and phones.

An application downloaded or sideloaded by users onto their phones would be isolated within AirBag via a decoupled 'App Isolation Runtime' where it could interact with legitimate aspects of the device.

AirBag also provided a different namespace and filesystem that further restricted and isolated the capabilities of malware.

The damage incurred from malware on Android phones was difficult to quantify. Google's app store ran less rigorous security checks on applications than Apple did with its eponymous marketplace, yet most malware was downloaded from unofficial sources, notably Chinese app stores.

In 2011, the trojan known as DroidDream infected more than 260,000 Android phones within 48 hours, the authors pointed out in justifying the need for AirBag. Scores more malicious apps have surfaced since then that have turned phones into zombies for botnets and often signed users up to expensive premium SMS numbers.

"The fundamental openness design behind Android implies that any app is allowed to communicate with other apps or system daemons running in the phone. In other words, once a malicious app is installed, it has a wide attack surface to launch the attack," the researchers wrote in a paper (PDF).

Google's sandboxing of an app based on the permissions it requested, and its marketplace vetting process, were insufficient. This security shortfall gave rise to anti-virus offerings designed for Android devices that aimed to fill the gap, but AirBag's authors pointed out that those solutions were also ineffective.

AirBag's approach to defending against malware was unique, according to the authors. They noted that anti-malware applications and techniques such as TaintDroid, which extended the Android framework to monitor the flow of sensitive data, and Aurasium, which repackaged untrusted apps and enforced runtime access control policies, assumed the Android framework itself was trustworthy. That framework could, however, be compromised in advanced attacks that targeted privileged system daemons such as init or zygote.

They also distinguished AirBag from tools such as Kirin and Saint, which analysed and blocked certain permissions requested by apps if they were excessive or dangerous when used in combination.

"In contrast, our system assumes that the Android framework inside AirBag could be compromised (by untrusted apps) but the damages are still contained in AirBag to prevent the native runtime environment being affected," researchers Chiachih Wu, Yajin Zhou, Kunal Patel, Zhenkai Liang and Xuxian Jiang of the universities of North Carolina State and Singapore wrote.

"We aim to mitigate the risks by proposing a separate runtime that is isolated and enforced through a lightweight OS (operating system)-level extension."

AirBag could further benefit from developments in so-called virtual machine introspection, which could be applied to bolster its monitoring capabilities and better integrate with anti-virus software to more reliably monitor runtime behaviour, rather than relying on mere static scanning of untrusted apps.

Stories by Sam Bells