Android AirBag softens malware blow

Kills runtime risks

Researchers have developed an application that could significantly improve the malware defences of Android devices.

The application was found to have prevented damage from 20 different malware samples when a proof of concept of the software was loaded on a Google Nexus One, Nexus 7 and Samsung Galaxy S III.

AirBag worked as a client-side framework which authors claimed "significantly" boosted the ability of Android devices to defend against malware.

It worked by creating a separate app isolation runtime decoupled from native runtime and enforced through light OS (operating system) - level virtualisation.

This the authors said meant AirBag shone the spotlight on malware by giving transparency in the execution of untrusted applications and preventing the loss of sensitive data and damage by malware to the Android system.

Without AirBag, Android applications would share the same runtime and could communicate with all other apps, creating a large attack surface for hackers.

They claimed the application did not drain the limited compute resources available on tablets and phones.

An application downloaded or sideloaded by users onto their phones would be isolated within AirBag via a decoupled 'App Isolation Runtime' where it could interact with legitimate aspects of the device.

AirBag also provided a different namespace and filesystem that further restricted and isolated the capabilities of malware.

The damage incurred from malware on Android phones was difficult to quantify. Google's app store ran less vigorous security checks of applications than Apple did with its eponymous marketplace, yet most malware was downloaded from unofficial sources, notably Chinese app stores.

In 2011, the trojan known as DroidDream infected more than 260,000 Android phones within 48 hours, the authors pointed out in justifying the need for AirBag. Scores more malicious apps have surfaced since then that have turned phones into zombies for botnets and often signed users up to expensive premium SMS numbers.

"The fundamental openness design behind Android implies that any app is allowed to communicate with other apps or system daemons running in the phone. In other words, once a malicious app is installed, it has a wide attack surface to launch the attack," the researchers wrote in a paper (PDF).

Google's sandboxing of an app based on the permissions it requested and its marketplace vetting process were insufficient. This security shortfall gave rise to anti-virus offerings designed Android devices that aimed to fill this gap, but AirBag's authors point out that those solutions were also ineffective.

AirBag's approach to defending against malware was unique, according to the authors. They noted that anti-malware applications and techniques including TaintDroid, which extended the Android framework to monitor the flow of sensitive data, and Aurasium which repackaged untrusted apps and enforced runtime access control policies, assumed the Android framework was trustworthy when it could be compromised in advanced attacks if privileged system daemons such as init or zygote were targeted.

They also distinguished AirBag from tools such as Kirin and Saint which analysed and blocked certain permissions requested by apps if they were excessive or dangerous when used in combination.

"In contrast, our system assumes that the Android framework inside AirBag could be compromised (by untrusted apps) but the damages are still contained in AirBag to prevent the native runtime environment being affected," researchers Chiachih Wu; Yajin Zhou; Kunal Patel; Zhenkai Liang, and Xuxian Jiang of the unverisities of North Carolina State and Singapore wrote.

"We aim to mitigate the risks by proposing a separate runtime that is isolated and enforced through a lightweight OS (operating system) - level extension."

AirBag could further benefit from developments in so-called virtual machine introspection which could be applied to bolster monitoring capabilities and better integrate with anti-virus software to more reliably monitor runtime behaviour beyond mere statical scanning of untrusted apps.

Join the CSO newsletter!

Error: Please check your email address.

Tags Androidmalware

More about AppleGalaxyGoogleSamsung

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Sam Bells

Latest Videos

More videos

Blog Posts