OPSWAT Blog


Scanning for Malware in Android Applications

Posted by Dan Lanir / April 14, 2014

Android applications are available through a number of different stores and sites. At some stores, you can even download the app file to your PC and install it directly on your Android device. This diversity of stores and download mechanisms is an attractive aspect of Android for consumers, but a less restrictive marketplace ecosystem brings risks along with freedom. Are these apps safe for your Android device, and what is the chance that they contain malware that could infect your Android OS?

At OPSWAT, we collected almost 12,000 Android app files (which are called APKs because of the .apk file extension) from third-party app stores (other than the Google Play Store) and scanned them using the fastest cloud-based multi-scanning solution Metascan Online. Utilizing 40 commercial anti-malware engines, almost a third of the files were flagged as suspicious (i.e. having some kind of potential threat detected) by at least one anti-malware engine. While that is a very high percentage, there are several items to consider when drawing conclusions from these findings.

How many anti-malware engines detect a file as malicious?

In our test sample, 74% of the “malicious” files were caught by only one of the engines. In most cases, it was the same engine flagging these files. With only one anti-malware engine detecting the threat, it could mean that it is the first to detect an advanced threat, or perhaps that it has a superior threat detector for the Android operating system. On the other hand, the detection could potentially be a "false positive".

[Chart: 68% of files deemed suspicious]

A general rule of thumb is that the more anti-malware engines flag a file, the higher the likelihood that the file is malicious. Of the remaining 26% of the suspicious files, 9% were caught by two engines, 4% were caught by three anti-malware engines, and the trend continues down from there. 26 files, slightly less than 1% of the malicious file-set, were detected by ten or more anti-malware engines (as seen below).

[Chart: Number of engines detecting a threat]

How is the anti-malware engine classifying the suspicious file?

In our test sample, 76% of the suspicious files were classified as adware, which is not universally considered malware. It is up to each individual to determine whether adware is an acceptable byproduct of a desirable app.

How can I protect my Android device?

Even if you do not count adware as true malware and set aside the cases where only one of forty engines detected a file as suspicious, there is still an 8% rate of suspicious APKs in our sample set. Regardless of your definition of a suspicious file, you should be vigilant in scanning APKs before you install them. Since there is always a risk when you download an application through an app store or website, it's important to take the correct protective measures to secure your Android device. Scanning with multiple anti-malware engines increases the chances that you can catch a malicious Android application before you install it on your Android device!
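As an added example (not code from this post, from OPSWAT, or from Metascan Online), the following Python script applies the reasoning of the sections above to a batch of multi-engine results: it counts how many engines flagged each APK, separates files whose only detections are adware from the rest, sets aside single-engine hits as possible false positives, and reports the share of files that remain suspicious after both are excluded. The report shape (one record per file with an engine-to-detection-name mapping) and the sample records are constructed for illustration; real multi-scanner output will differ.

```python
"""Triage of multi-engine scan results for a batch of APK files.

Added example; the record format and all sample data below are constructed
assumptions, not the output of any real scanning service.
"""
from collections import Counter

# Constructed sample: six APKs scanned by a hypothetical set of 40 engines.
# Only engines that flagged the file appear in "detections".
NUM_ENGINES = 40
SCAN_RESULTS = [
    {"file": "app_a.apk", "detections": {}},
    {"file": "app_b.apk", "detections": {"EngineK": "Android.Adware.SampleA"}},
    {"file": "app_c.apk", "detections": {"EngineK": "Android.Riskware.SampleB"}},
    {"file": "app_d.apk", "detections": {"EngineK": "Adware.SampleC",
                                         "EngineM": "AdWare.AndroidOS.SampleC"}},
    {"file": "app_e.apk", "detections": {f"Engine{i:02d}": "Trojan.AndroidOS.SampleD"
                                         for i in range(12)}},
    {"file": "app_f.apk", "detections": {"Engine1": "Trojan.SMS.SampleE",
                                         "Engine2": "Android.Trojan.SampleE",
                                         "Engine3": "Adware.SampleF"}},
]


def is_adware(detection_name):
    """Heuristic: treat a detection as adware if the engine's name says so."""
    return "adware" in detection_name.lower()


def detection_count(record):
    """Number of engines that flagged this file."""
    return len(record["detections"])


def classify(record, min_engines=2):
    """Bucket a file the way the post reasons about its sample.

    clean          no engine flagged it
    adware-only    every detection name is an adware classification
    single-engine  fewer than min_engines detections (possible false positive)
    multi-engine   flagged by min_engines or more engines with a non-adware name
    """
    names = list(record["detections"].values())
    if not names:
        return "clean"
    if all(is_adware(n) for n in names):
        return "adware-only"
    if len(names) < min_engines:
        return "single-engine"
    return "multi-engine"


def summarize(results, min_engines=2, high_confidence=10):
    """Aggregate the per-file view into the statistics the post reports."""
    total = len(results)
    flagged = [r for r in results if detection_count(r) > 0]
    # Distribution of "how many engines flagged this file" over flagged files.
    distribution = Counter(detection_count(r) for r in flagged)
    single = distribution.get(1, 0)
    categories = Counter(classify(r, min_engines) for r in results)
    residual = categories.get("multi-engine", 0)
    return {
        "total": total,
        "flagged": len(flagged),
        "flagged_pct": round(100.0 * len(flagged) / total, 1) if total else 0.0,
        "distribution": dict(distribution),
        "single_engine_pct_of_flagged": (
            round(100.0 * single / len(flagged), 1) if flagged else 0.0),
        "ten_plus_engines": sum(1 for r in flagged
                                if detection_count(r) >= high_confidence),
        "categories": dict(categories),
        "residual_suspicious": residual,
        "residual_pct_of_total": round(100.0 * residual / total, 1) if total else 0.0,
    }


if __name__ == "__main__":
    for rec in SCAN_RESULTS:
        print(f"{rec['file']:12} {detection_count(rec):2}/{NUM_ENGINES} "
              f"{classify(rec)}")
    for key, value in summarize(SCAN_RESULTS).items():
        print(f"{key}: {value}")
```

The `min_engines` threshold is the tunable part: the post's rule of thumb is that more engines flagging a file means higher likelihood of real malware, so raising the threshold trades fewer false positives for the chance of missing a threat that only one engine has caught so far.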

Note: below is a list of the 26 applications from the sample set that were detected as a threat by 10 or more anti-malware engines in Metascan Online:

Angrybirdspremium.apk
Dead Space 2_apkfiles.com.apk
Locate Me PRO (1.4)_apkfiles.com.apk
Toca Builders_apkfiles.com.apk
Youtube Downloader Pro_apkfiles.com.apk
army.apk
avatar.apk
farm_frenzy_3.apk
TwitterApp.apk
beautiful-heart.apk
bengal-tiger.apk
com.MySchool_SQLIntro-1.5.apk
com.accutracking-3.3.1.apk
com.baby.fruit.flash.cards-1.1.apk
com.demansol.blueassasin.views-1.0.apk
com.djd.purefmradio-1.0.4.apk
com.scottmcfurry.n64-0.14.apk
com.tndev.collageart.appota-1.2.4.apk
heart.apk
screen-crack.apk
com.demansol.santaescape.free-1.1.apk
201110101916308149.apk
com.nqmobile.antivirus20_132024.apk
com.onebkjoy.readytyxc_163331.apk
com.phundroid.duck.dayazi_160714.apk
com.sunfred.privacyprotect_222441.apk

Tags: Android, Assessing Device Risk, IT Infrastructure, malware, Multi-scanning